New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Requests proxied from API Server to APIService obfuscate original request hostname #107435
Comments
/sig api-machinery |
IIUIC the header is added by this roundtripper
The roundtripper is added in kubernetes/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go Lines 239 to 241 in a0dfd95
by
I think you are right, but my naive question is, is there any value in the ping @liggitt for historical context, the code seems to have more than 7 years |
The scenario that I can think of where this matters is for an APIService that needs to generate a URL that the client can understand. That's what I was trying to do but I'll readily admit that it was a niche scenario. The blocking issue is that the server has no knowledge what host values are routable for the client. The APIService only sees the internally routable hostname (in this case the ClusterIP of its own service) which isn't meaningful outside the cluster. |
Tracked back to original addition here: https://github.com/kubernetes/kubernetes/pull/3612/files The original motivation was a lot like what you described, though the main use I'm aware of at the time was for backing pods returning html pages to browser-based applications. That was never very successful, and dropped off sharply when basic auth support was removed. Additionally, there's no guarantee the API host is the one the client contacted, so even if the API server forwarded the request host, that may or may not be the original one the client contacted, right? |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
FWIW I don't see any reason not to fix this? It'd be reasonable to set X-Forwarded-Host to the Host value from the original request, I think. Regardless of whether that e.g. names an apiserver or a load balancer. If we're setting both to the same thing that clearly seems like a bug. |
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /close |
@k8s-triage-robot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/reopen |
@lavalamp: Reopened this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
…served via the api-gw currently due to k8s apiserver issue: kubernetes/kubernetes#107435 it modifies the x-forwarded-host and the k8sapiserver also rewrites the html response and updates href section removing the rewrite from k8s apiserver(staging/src/k8s.io/apimachinery/pkg/util/proxy/transport.go) file and running make release-image locally pushed the result image to gcr.io/nsx-sm bumping up tag for nexus runtime Closes NPT-656 See merge request nsx-allspark_users/nexus-sdk/cli!174
…served via the api-gw currently due to k8s apiserver issue: kubernetes/kubernetes#107435 it modifies the x-forwarded-host and the k8sapiserver also rewrites the html response and updates href section removing the rewrite from k8s apiserver(staging/src/k8s.io/apimachinery/pkg/util/proxy/transport.go) file and running make release-image locally pushed the result image to gcr.io/nsx-sm bumping up tag for nexus runtime Closes NPT-656 See merge request nsx-allspark_users/nexus-sdk/cli!174
…served via the api-gw currently due to k8s apiserver issue: kubernetes/kubernetes#107435 it modifies the x-forwarded-host and the k8sapiserver also rewrites the html response and updates href section removing the rewrite from k8s apiserver(staging/src/k8s.io/apimachinery/pkg/util/proxy/transport.go) file and running make release-image locally pushed the result image to gcr.io/nsx-sm Closes NPT-656 See merge request nsx-allspark_users/nexus-sdk/nexus-runtime-manifests!33
…served via the api-gw currently due to k8s apiserver issue: kubernetes/kubernetes#107435 it modifies the x-forwarded-host and the k8sapiserver also rewrites the html response and updates href section removing the rewrite from k8s apiserver(staging/src/k8s.io/apimachinery/pkg/util/proxy/transport.go) file and running make release-image locally pushed the result image to gcr.io/nsx-sm Closes NPT-656 See merge request nsx-allspark_users/nexus-sdk/nexus-runtime-manifests!33
This issue has not been updated in over 1 year, and should be re-triaged. You can:
For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/ /remove-triage accepted |
What happened?
Requests that are proxied by the APIServer to a custom APIService (aggregation) don't generate the
X-Forwarded-Host
header correctly. Each request will have bothHost
andX-Forwarded-Host
set to ClusterIP IP address of their service.X-Forwarded-Host
should be set to the originalHost
value sent by the client.The result is that the APIService will not be able to determine the original host and scheme used to make the request. An APIService that wants to generate URLs that are routable for an external client cannot do so.
As an example here's some network psuedocode that reflects what I observe:
Client makes an HTTP request to the API Server using a public API Server endpoint. Let's say
mycluster.mycloud.net:6443
.Initial request:
This is routed to aggregation layer of the API Server which then reverse-proxies the request. In this case the APIService is using a ClusterIP service, which happens to have Cluster IP
10.43.176.179
.Request received by APIService:
The thing I am saying is the bug is that
X-Forwarded-Host
is10.43.176.179:443
when it should bemycluster.mycloud.net:6443
.What did you expect to happen?
I would expect
X-Forwarded-Host
to reflect the original hostname.Expected: (request sent to APIService)
Actual: (request sent to APIService)
How can we reproduce it (as minimally and precisely as possible)?
I have put together a sample that demonstrates this by echoing the values it observes for the
Host
andX-Forwarded-Host
headers:src/
and editdeploy.yaml
to use yoursrun:
run:
You should see:
run:
run:
you should see something like (you will have different IP addresses):
Based on this repro (
kubectl proxy
) I would expect127.0.0.1:8001
to be the value ofX-Forwarded-Host
run:
you should see:
Note that your value for CLUSTER-IP should match the IP addresses from step 6. This confirms that the APIServer proxy is using the downstream value for
X-Forwarded-Host
instead of the original value.Based on this repro (
kubectl proxy
) I would expect127.0.0.1:8001
to be the value ofX-Forwarded-Host
This issue reproduces with and without
kubectl proxy
. I chosekubectl proxy
for the repro steps here because it simpler to set up a repro.Anything else we need to know?
I suspect this root cause with this code:
https://github.com/kubernetes/kube-aggregator/blob/578a094fa7fa8cdba22411e9ab008757f3ef1cb2/pkg/apiserver/handler_proxy.go#L156
At Line 156 the a new request is created with the downstream as its destination URL
At Line 167 a roundtripper is created that understands how to rewrite host headers to match the downstream for proxying. It seems like the request should use the original host value, so that it can be rewritten by the roundtripper, not the value of the downstream.
Kubernetes version
Using k3d (have also reproduced with Kind)
Cloud provider
(n/a)
OS version
(n/a)
Install tools
(n/a)
Container runtime (CRI) and and version (if applicable)
(n/a)
Related plugins (CNI, CSI, ...) and versions (if applicable)
(n/a)
The text was updated successfully, but these errors were encountered: