Accessing the API Server from a pod using service account causes an error #29
Comments
This is happening likely due to running on Python < 3.5. IP hostnames are not supported until Python 3.5. I am open to ideas on how to fix it as we are not generating the config. I am not a huge fan of version checking and replacement as we can't guarantee hostnames.
One thing that occurs to me is that I added
which will work around the certificate checking against the IP that fails against Python < 3.5.
I'm getting this straight out of the box with a kube configuration file created by Is there no way to get around this on a python 2.7 system?
@jrydberg unfortunately there is nothing I am aware of that will fix it. The underlying issue is within Python. It may be possible to override the certificate checking mechanism to add IP hostname support to Python < 3.5, but I would hate to do this at the risk of compromising security already being managed by Python.
It turns out that pykube uses requests, which pulls in urllib3, which attempts to pull in match_hostname first from Python native SSL, then from backports, falling back on its own implementation if neither are available. However, the latest backports's match_hostname seems to be more complete than the native SSL match_hostname, allowing for IP addresses. You can monkey-patch this in your end script with the following, so long as "IP Address:" actually does show up in subjectAltNames:

```python
import backports.ssl_match_hostname
import pykube

# Monkey-patch match_hostname with backports's match_hostname, allowing for IP addresses
# XXX: the exception that this might raise is backports.ssl_match_hostname.CertificateError
pykube.http.requests.packages.urllib3.connection.match_hostname = backports.ssl_match_hostname.match_hostname
```
Of course it should be noted that the 'real fix' is for the packaged version of urllib3 with requests to use backports.ssl_match_hostname over the native, if available. But in the short term...
Feels like resorting to monkey-patching is not a user-friendly solution to this problem, nor is "use Python 3.5", so I've opened an issue at urllib3 to try to resolve the underlying issue. I think there's probably a very simple change to that library that would get round this issue, but I might be missing something. Let's see what the urllib guys have to say (they are usually super-helpful).
Hey folks! Just an FYI: I'm looking at working on this next week. It's slightly more complex than we'd like because the new
@Lukasa You would?
@zcarlson-signifai I think the property they are trying to preserve is that
FTR the issue I raised at urllib3 was a dupe of this one: urllib3/urllib3#258 Linking here so that we can more easily see when it's resolved.
monkey-patching with backports.match_hostname did not work for me... but fortunately there is a simpler approach. If you only need to communicate with the kubernetes master you can define your own match_hostname function.

```python
import os
import ssl

def _MatchHostname(_, hostname):
    # Accept only the in-cluster API server address; anything else fails verification.
    if hostname != os.environ['KUBERNETES_SERVICE_HOST']:
        raise ssl.CertificateError('Hostname [%s] not equal to [%s].' %
                                   (hostname, os.environ['KUBERNETES_SERVICE_HOST']))
```

Now monkey patch with this and it appears to work fine.
So it seems that this got fixed in urllib3, thanks @Lukasa! Now we just need to wait for a new version of 'requests'.
I am still having the issue, with a local config file, with python 2.7, with urllib3 installed from its source. Is this because of my python version?
@YuefengZhou You need to install some extra third-party dependencies. Did you install
@Lukasa Yes. I have installed it and I have just run
@Lukasa how can this work just by installing third-party libraries? If requests has 'urllib3' embedded in its code, although we installed the right urllib3 version, requests will use its embedded one.
@victorgp Depends on the source. For
Thanks @zcarlson-signifai and But now the package has changed and we could not find
If you modify your kubeconfig file and put the API server hostname instead of the IP address, it is going to work.
@mcapuccini Many thanks! This works for me perfectly.
@mcapuccini how can I change the server hostname?
@yoohoogun114 if you open the kubeconfig file, it should be something like:
You need to change
That solution doesn't work if you are using GCP. The SSL certs of the k8s masters only have SANs for kubernetes.default and kubernetes.default.svc.cluster.local, therefore you cannot set the domain you want. A workaround is to set the server name in your kubeconfig file to kubernetes.default.svc.cluster.local and fake the DNS in /etc/hosts, making that domain point to the GCP cluster IP.
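Added example (Python 3, not code from pykube or from any commenter here) of the check the two monkey-patches above try to supply and the GCP comment runs into: a SAN-based match_hostname that compares an IP literal only against "IP Address" entries, never against DNS entries or the CN, plus a helper that reports which SAN types a certificate carries, so you can tell in advance whether an IP or a DNS name in your kubeconfig server URL can verify. SAMPLE_PEERCERT is a constructed dict in ssl getpeercert() shape, not a real cluster certificate.

```python
import ipaddress

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# the SAN set a typical Kubernetes API server certificate carries.
SAMPLE_PEERCERT = {
    "subjectAltName": (
        ("DNS", "kubernetes"),
        ("DNS", "kubernetes.default"),
        ("DNS", "kubernetes.default.svc.cluster.local"),
        ("IP Address", "10.96.0.1"),
    ),
}


def _dns_matches(pattern, hostname):
    """RFC 6125-style match: case-insensitive, '*' allowed only as the whole leftmost label."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def match_hostname(cert, hostname):
    """Verify `hostname` (DNS name or IP literal) against the cert's SAN entries.

    This is the behaviour Python 3.5+ ssl.match_hostname has and the Python < 3.5
    version lacked: an IP literal is compared only against 'IP Address' SAN entries,
    never against DNS entries or the subject CN. Returns True or raises ValueError.
    """
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    sans = cert.get("subjectAltName", ())
    if not sans:
        raise ValueError("certificate has no subjectAltName; not falling back to CN")
    for kind, value in sans:
        if ip is not None and kind == "IP Address" and ipaddress.ip_address(value) == ip:
            return True
        if ip is None and kind == "DNS" and _dns_matches(value, hostname):
            return True
    raise ValueError("hostname %r doesn't match any SAN entry in %r" % (hostname, sans))


def san_kinds(cert):
    """SAN types present; {'DNS'} alone means an IP-based server URL can never verify."""
    return {kind for kind, _ in cert.get("subjectAltName", ())}
```

Against a cert with only DNS SANs (the GCP case above), `san_kinds` returns `{'DNS'}` and an IP server URL fails in `match_hostname` regardless of Python version, which is why the hostname-based kubeconfig workaround is the one that holds.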
With the latest version of Requests, I believe this issue is resolved. I've put up a PR with a change that requires the fixed requests version (#95); if anyone wants to give that a try, that would be helpful. Or you should be able to just do
pykube 0.15.0 resolves the host name issue
* cluster.py : Removed "HACK kelproject/pykube#29 (comment)" and "Monkey-patch" code
* requirements.txt : removed backports.ssl_match_hostname and replaced pykube git pull with pykube 0.15.0 release version
Refactored scaling-controller.yaml Replication Controller example to autoscaler-dep.yaml Deployment, Deployments provide declarative updates for Pods and Replica Sets (the next-generation Replication Controller).
Added an example secret yaml named autoscaler-secret.yaml
Updated README.md to reflect the changes, fixed the namespace issue in README.md and scaling-controller.yaml to be "kube-system" instead of "system".
After adding the certificate to kubernetes, the issue
I managed to make it work by updating the backports.ssl_match_hostname module. The reason seems to be that an outdated version of backports.ssl_match_hostname would not check against IP.
K8S Version: 1.2
Code:
Error message: