-
Notifications
You must be signed in to change notification settings - Fork 38.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use full URL (with cluster domain name) in admission webhook #107446
Comments
/sig api-machinery |
hmm, I think that the problem is that the apiserver doesn't have access to the cluster.domain value, since it is configured on the kubelets only, but it will be good if somebody else can confirm this
|
I just saw this in https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#webhookclientconfig-v1-admissionregistration-k8s-io for
So it looks like it is not possible to use |
can you check your apiserver configuration for |
Yes, I confirm |
@antoineozenne actually I can reproduce it. |
This comment is just for reference:
kubernetes/cmd/kube-apiserver/app/server.go Line 455 in 8cc7d14
kubernetes/cmd/kube-apiserver/app/server.go Lines 627 to 644 in 8cc7d14
kubernetes/staging/src/k8s.io/apiserver/pkg/util/webhook/client.go Lines 161 to 200 in 9c4905e
It seems (I have to confirm) golang uses the proxy on Transport, so the custom resolvers are never used because the Dialer receives the proxy URL The aggregator, however, uses an IP on the URL host kubernetes/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy.go Lines 144 to 152 in ea07644
|
thanks @aojea for taking a look! |
I have to narrow down this function kubernetes/staging/src/k8s.io/apimachinery/pkg/util/net/http.go Lines 112 to 114 in 45f77ca
red herring 😓 |
@antoineozenne there is a probability that removing the proxy from the webhooks no matter what can break some clusters is not possible to add |
@aojea thank you for your work! Yes, I have the possibility to add If I understand, you proposed to bypass the proxy when using Services. It seems a bit much to me. Can we naively and simply use |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale |
This is what I believe too. Separately, it's a frustration because it also means that we can't provide the cluster domain name to a client via the API (because the API server doesn't have that information). |
This issue has not been updated in over 1 year, and should be re-triaged. You can:
For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/ /remove-triage accepted |
/triage accepted |
What happened?
My cluster is behind a corporate proxy. Using kube-prometheus-stack, the apiserver raises an error when calling the mutating/validating admission webhook with a POST on
https://kube-prometheus-stack-operator.kube-prometheus-stack.svc:443/admission-prometheusrules/validate?timeout=10s
. This is because the wildcard.svc
is not in theNO_PROXY
environment variable in the apiserver. Instead, all myNO_PROXY
environment variable contain the full cluster domain.svc.cluster.local
, because this is used in the large majority of cases.What did you expect to happen?
Can the apiserver use the full cluster domain name when calling webhooks? In my case, the URL would then be:
https://kube-prometheus-stack-operator.kube-prometheus-stack.svc.cluster.local:443/admission-prometheusrules/validate?timeout=10s
.How can we reproduce it (as minimally and precisely as possible)?
Just use an admission webhook in a cluster behind a corporate proxy.
Anything else we need to know?
I know as a workaround, we can use
url
instead ofservice
according to https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#webhookclientconfig-v1-admissionregistration-k8s-io, but it's less user-friendly and less flexible.Kubernetes version
The text was updated successfully, but these errors were encountered: