
Support http proxy auth #3070

Closed
DerekV opened this issue Jul 27, 2017 · 6 comments
Labels
lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments

@DerekV
Contributor

DerekV commented Jul 27, 2017

We are adding support for running clusters behind an http (forward) proxy, where no client authentication is required to the proxy servers. While this is a common configuration, some users may require support for proxy authentication. This issue is being set up to track that requirement.

k8s-github-robot pushed a commit that referenced this issue Aug 7, 2017
Automatic merge from submit-queue

Add support for cluster using http forward proxy #2481

Adds support for running a cluster where access to external resources must be done through an http forward proxy.  This adds a new element to the ClusterSpec, `EgressProxy`, and then sets up environment variables where appropriate.  Access to API servers is additionally assumed to be done through the proxy, in particular this is necessary for AWS VPCs with private topology and egress by proxy (no NAT), at least until Amazon implements VPC Endpoints for the APIs.

Additionally, see my notes in #2481


TODOs

- [x] Consider editing files from nodeup rather than cloudup
- [x] Add support for RHEL
    - [x] Validate on RHEL
- [x] ~Add support for CoreOS~ See #3032
- [x] ~Add support for vSphere~ See #3071
- [x] Minimize services affected
- [x] ~Support separate https_proxy configuration~ See #3069
- [x] ~Remove unvalidated proxy auth support (save for future PR)~ See #3070
- [x] Add Documentation
- [x] Fill in some sensible default exclusions for the user, allow the user to extend this list
- [x] Address PR review comments
- [x] Either require port or handle nil
- [x] ~Do API validation (or file an issue for validation)~ See #3077 
- [x] Add uppercase versions of proxy env vars to cover our bases
- [x] ~File an issue for unit tests~ 😬  See #3072 
- [x] Validate cluster upgrades and updates
- [x] Remove ftp_proxy (nothing uses)
@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 1, 2018
@fejta-bot

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Feb 7, 2018
@fejta-bot

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

@JethroMV

Hi, can this issue please be re-opened?

@olemarkus
Member

I don't think it is likely that the more active maintainers will implement this before it gets closed again. If you can do a PR, we'd be happy to review though.

@DerekV
Contributor Author

DerekV commented Nov 23, 2021

I'm not planning on working on this, though I doubt it'd be hard to add this feature. It may have been left out just so I didn't need to test more permutations - but it's been a while now so I don't remember.

As a note, if you are considering kubernetes then likely you are planning on running a mix of workloads, with different underlying technologies and a mix of in-house and 3rd party code. Even given kops support of http proxy, the support for http forward proxy is - across the broader landscape - inconsistent, to put it mildly. Just for one example, the way that software packages and libraries handle http proxy excludes is not consistent and not as flexible as you'll likely need. While it may be doable, over time I think you may find the work to maintain it is significant, and the security benefit provided is less and less. I'd encourage those starting new projects to look for alternative controls. For example, network policies exist and are widely supported now.

Good luck in any case.
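
The inconsistency in proxy-exclude handling described in the comment above, as an added example (not part of the issue and not kops code): three generic matching conventions, modelled here for illustration and not attributed to any specific library, evaluated against one exclude list. The `NO_PROXY` value and host names are constructed sample data; a verdict of `True` means the client would connect directly and bypass the proxy.

```python
import ipaddress

# Constructed exclude list in NO_PROXY style (sample data, not from the issue).
NO_PROXY = "example.internal,.svc.cluster.local,10.0.0.0/8,169.254.169.254"
HOSTS = ["api.example.internal", "notexample.internal", "svc.cluster.local",
         "kube-dns.kube-system.svc.cluster.local", "10.1.2.3", "169.254.169.254"]

def entries(no_proxy):
    return [e.strip().lower() for e in no_proxy.split(",") if e.strip()]

def label_suffix(host, no_proxy):
    """Entry matches the host itself or a subdomain; leading dot optional; no CIDR."""
    host = host.lower()
    return any(host == e.lstrip(".") or host.endswith("." + e.lstrip("."))
               for e in entries(no_proxy))

def raw_suffix(host, no_proxy):
    """Plain string suffix match: no label boundary, no CIDR."""
    host = host.lower()
    return any(host.endswith(e) for e in entries(no_proxy))

def cidr_aware(host, no_proxy):
    """label_suffix plus CIDR membership for IP-literal hosts."""
    if label_suffix(host, no_proxy):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # not an IP literal, so CIDR entries cannot apply
    for e in entries(no_proxy):
        try:
            if ip in ipaddress.ip_network(e, strict=False):
                return True
        except ValueError:
            continue  # entry is a hostname pattern, not a network
    return False

def divergences(hosts, no_proxy):
    """Return {host: (label_suffix, raw_suffix, cidr_aware)} where the three disagree."""
    out = {}
    for h in hosts:
        verdicts = (label_suffix(h, no_proxy), raw_suffix(h, no_proxy), cidr_aware(h, no_proxy))
        if len(set(verdicts)) > 1:
            out[h] = verdicts
    return out

if __name__ == "__main__":
    for host, v in divergences(HOSTS, NO_PROXY).items():
        print(f"{host:42} label={v[0]} raw={v[1]} cidr={v[2]}")
```

Each host in the result is one where the same exclude list routes traffic through the proxy for one workload and around it for another, which is the case to audit before relying on the proxy as an egress control.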
