Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

kubectl does not send Authorization header (or use specified auth plugin) over plain HTTP #744

Closed
ahmetb opened this issue Oct 24, 2019 · 3 comments
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@ahmetb
Copy link
Member

ahmetb commented Oct 24, 2019

I have a GKE cluster kubeconfig, so its user section looks like this:

- name: foo
  user:
    auth-provider:
      config:
        access-token: --REDACTED-REDACTED--
        cmd-args: config config-helper --format=json
        cmd-path: /Users/ahmetb/.homebrew/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/bin/gcloud
        expiry: "2019-10-24T01:33:17Z"
        expiry-key: '{.credential.token_expiry}'
        token-key: '{.credential.access_token}'
      name: gcp

When I snoop on kubectl requests using mitmproxy, I see the Authorization header and Bearer token sent with the requests.

Note that GKE masters use https:// with self signed certs (included in kubeconfig).

However, when I point the kubeconfig to a local server e.g. server: http://localhost:8080 with the rest of the kubeconfig same, I notice that no Authorization header is sent to the server.

I have further confirmed this by making my localhost server serve using a self-signed TLS certificate, on https://localhost:6433 and when I do that my local apiserver gets the Authorization header.

  1. Is this expected?
  2. Should this be documented? I spent a couple of hours trying to figure out why my local apiserver over http:// doesn't get Authorization header.

/kind bug

@k8s-ci-robot k8s-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Oct 24, 2019
@ahmetb
Copy link
Member Author

ahmetb commented Oct 24, 2019

Upon debugging it seems like client-go, intentionally, chooses not to read the authentication parts of the clientConfig if the server URL is not https.

https://github.com/kubernetes/kubernetes/blob/5238e1c80fea02891e1804b346d24faa7c13da07/staging/src/k8s.io/client-go/tools/clientcmd/client_config.go#L175-L176

https://github.com/kubernetes/client-go/blob/d1b30110f1abd3b2fb21c5c2daad4345ede8a9fc/rest/config.go#L442-L454

This might be an undocumented defense against accidentally sending creds over a non-TLS connection.

@ahmetb
Copy link
Member Author

ahmetb commented Oct 30, 2019

I'll close this, since it's by design.
/close

@k8s-ci-robot
Copy link
Contributor

@ahmetb: Closing this issue.

In response to this:

I'll close this, since it's by design.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/bug Categorizes issue or PR as related to a bug.
Projects
None yet
Development

No branches or pull requests

2 participants