SSL hostname verification failure with websocket-client

[vedujoshi]

I have this simple script. Even though authentication does work, call to connect_get_namespaced_pod_exec() fails .

The list of installed pip pkgs installed is in https://gist.github.com/vedujoshi/07a79b6d1ea38701a2993fab63f55cfd

root@fb2337702e18:/# cat test1.py
from kubernetes import client, config
config.load_kube_config(config_file='admin2.conf')
v1 = client.CoreV1Api()
pod_list = v1.list_namespaced_pod("kube-system")
for pod in pod_list.items:
print pod.metadata.name

name = 'kube-discovery-1769846148-bsqt0'
namespace = 'kube-system'
command = 'ls'
stderr = False
stdin = False
stdout = False
tty = False
api_response = v1.connect_get_namespaced_pod_exec(name, namespace, command=command, stderr=stderr, stdin=stdin, stdout=stdout, tty=tty)
print api_response
root@fb2337702e18:/# python test1.py
/usr/local/lib/python2.7/dist-packages/urllib3/util/ssl_.py:334: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
SNIMissingWarning
/usr/local/lib/python2.7/dist-packages/urllib3/util/ssl_.py:132: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
InsecurePlatformWarning
dummy-2088944543-43k1b
etcd-testbed-1-vm1.englab.juniper.net.204.10.in-addr.arpa
kube-apiserver-testbed-1-vm1.englab.juniper.net.204.10.in-addr.arpa
kube-controller-manager-testbed-1-vm1.englab.juniper.net.204.10.in-addr.arpa
kube-discovery-1769846148-bsqt0
kube-dns-2924299975-7bcdb
kube-proxy-b7g0b
kube-scheduler-testbed-1-vm1.englab.juniper.net.204.10.in-addr.arpa
Traceback (most recent call last):
File "test1.py", line 15, in
api_response = v1.connect_get_namespaced_pod_exec(name, namespace, command=command, stderr=stderr, stdin=stdin, stdout=stdout, tty=tty)
File "/usr/local/lib/python2.7/dist-packages/kubernetes/client/apis/core_v1_api.py", line 907, in connect_get_namespaced_pod_exec
(data) = self.connect_get_namespaced_pod_exec_with_http_info(name, namespace, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/kubernetes/client/apis/core_v1_api.py", line 1012, in connect_get_namespaced_pod_exec_with_http_info
collection_formats=collection_formats)
File "/usr/local/lib/python2.7/dist-packages/kubernetes/client/api_client.py", line 329, in call_api
_return_http_data_only, collection_formats, _preload_content, _request_timeout)
File "/usr/local/lib/python2.7/dist-packages/kubernetes/client/api_client.py", line 153, in __call_api
_request_timeout=_request_timeout)
File "/usr/local/lib/python2.7/dist-packages/kubernetes/client/api_client.py", line 355, in request
headers=headers)
File "/usr/local/lib/python2.7/dist-packages/kubernetes/client/ws_client.py", line 237, in websocket_call
raise ApiException(status=0, reason=str(e))
kubernetes.client.rest.ApiException: (0)
Reason: hostname '10.204.217.194' doesn't match either of 'kubernetes', 'kubernetes.default', 'kubernetes.default.svc', 'kubernetes.default.svc.cluster.local'

root@fb2337702e18:/#

[vedujoshi]

This is on Ubuntu 14.04 running python 2.7.6
From another machine running centos7.1( python 2.7.5), the same thing works

[dims]

@vedujoshi looks like something in the 2.7.6 environment is subtly different from your 2.7.5 (possibilities are the OpenSSL version of websocket_client version etc). But i think the behavior in 2.7.6/ubuntu is the right one. So you should either set assert_hostname in config to false or generate the right certificates on your server side.

https://github.com/kubernetes-incubator/client-python/blob/436351b027df2673869ee00e0ff5589e6b3e2b7d/kubernetes/client/ws_client.py#L58
https://docs.python.org/2/library/ssl.html#ssl.SSLContext.check_hostname

[vedujoshi]

Thanks..disabling hostname check worked fine

api_client = config.new_client_from_config('admin2.conf')
api_client.config.assert_hostname = False
v1 = client.CoreV1Api(api_client)

[mbohlool]

@dims I suggest we make api_client.config.assert_hostname = False default value for websocket client.

[dims]

@mbohlool 2 cents...i'd rather vote for a slightly better error message. (will help with educating people about better enabling security in their environment). if you see https://github.com/python/cpython/blob/6f0eb93183519024cb360162bdd81b9faec97ba6/Lib/ssl.py#L501 the default context they set it to True as well (compared to the False in _create_unverified_context)

[plee138]

I've also having some issue with the connect_get_namespaced_pod_exec() function.

My sample script has "assert_hostname = False" and is working properly on a local minikube instance. However when I run it against my GKE at Google, it fails with the error:

websocket._exceptions.WebSocketBadStatusException: Handshake status 404

I've included my sample script and the trace below. Any help would be greatly appreciated.

-----Sample script -------
from kubernetes import client, config
config.load_kube_config()
client.Configuration().assert_hostname=False
v1=client.CoreV1Api()
resp = v1.connect_get_namespaced_pod_exec('hello-minikube-3015430129-6spcw', 'default',
command='ls',
stderr=False, stdin=False,
stdout=False, tty=False)

print ("resp: %s" % resp)

------- Error ---------

Traceback (most recent call last):
File "/home/pat/dev/python/kube/lib/python3.5/site-packages/kubernetes/client/ws_client.py", line 231, in websocket_call
client = WSClient(configuration, url, headers)
File "/home/pat/dev/python/kube/lib/python3.5/site-packages/kubernetes/client/ws_client.py", line 63, in init
self.sock.connect(url, header=header)
File "/home/pat/dev/python/kube/lib/python3.5/site-packages/websocket/_core.py", line 214, in connect
self.handshake_response = handshake(self.sock, *addrs, **options)
File "/home/pat/dev/python/kube/lib/python3.5/site-packages/websocket/_handshake.py", line 65, in handshake
status, resp = _get_resp_headers(sock)
File "/home/pat/dev/python/kube/lib/python3.5/site-packages/websocket/_handshake.py", line 122, in _get_resp_headers
raise WebSocketBadStatusException("Handshake status %d", status)
websocket._exceptions.WebSocketBadStatusException: Handshake status 404

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "podExec.py", line 10, in
stdout=False, tty=False)
File "/home/pat/dev/python/kube/lib/python3.5/site-packages/kubernetes/client/apis/core_v1_api.py", line 907, in connect_get_namespaced_pod_exec
(data) = self.connect_get_namespaced_pod_exec_with_http_info(name, namespace, **kwargs)
File "/home/pat/dev/python/kube/lib/python3.5/site-packages/kubernetes/client/apis/core_v1_api.py", line 1012, in connect_get_namespaced_pod_exec_with_http_info
collection_formats=collection_formats)
File "/home/pat/dev/python/kube/lib/python3.5/site-packages/kubernetes/client/api_client.py", line 329, in call_api
_return_http_data_only, collection_formats, _preload_content, _request_timeout)
File "/home/pat/dev/python/kube/lib/python3.5/site-packages/kubernetes/client/api_client.py", line 153, in __call_api
_request_timeout=_request_timeout)
File "/home/pat/dev/python/kube/lib/python3.5/site-packages/kubernetes/client/api_client.py", line 355, in request
headers=headers)
File "/home/pat/dev/python/kube/lib/python3.5/site-packages/kubernetes/client/ws_client.py", line 237, in websocket_call
raise ApiException(status=0, reason=str(e))
kubernetes.client.rest.ApiException: (0)
Reason: Handshake status 404

[plee138]

Sorry, didn't notice this issue was closed. Re-posted as a new issue #144:

#144