New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
grpc: set localhost Authority to unix client calls #112597
Conversation
Several reports exist (both with device plugins and CSI) that kubelet w/ grpc-go sends invalid Authority header and some non grpc-go servers reject these unix domain socket client connections. grpc-go sets the Authority header correct when the dial address is in a format where the its address scheme can be determined. Instead of making changes to get the all server addresses to unix:// prefixed format, set grpc.WithAuthority("localhost") client connection override to get the same result. Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
Hi @mythi. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/ok-to-test |
/lgtm I agree that this approach is more sensible than trying to adapt all paths. |
/approve for kubelet |
I wonder if we need to do the same for CRI as well. We do not set authority there either. |
/priority important-longterm |
AFAIK the CRI endoints are forced to use |
/assign @xing-yang For approval. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
@xing-yang does this look OK to you? |
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jsafrane, klueska, mythi The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Some non grpc-go servers fail with "protocol error" when contacted by KubeVirt's gRPC client. The suspected cause is that grpc-go sends invalid Authority headers when using unix domain sockets. This issue prevents implementation of hook sidecars in other languages, such as Go with its Tonic library. A similar issue was encountered in Kubernetes [1], where it was solved by explicitly setting the Authority header. This patch uses the same approach. [1] kubernetes/kubernetes#112597 Signed-off-by: Petr Horacek <hrck@protonmail.com>
Some non grpc-go servers fail with "protocol error" when contacted by KubeVirt's gRPC client. The suspected cause is that grpc-go sends invalid Authority headers when using unix domain sockets. This issue prevents implementation of hook sidecars in other languages, such as Go with its Tonic library. A similar issue was encountered in Kubernetes [1], where it was solved by explicitly setting the Authority header. This patch uses the same approach. [1] kubernetes/kubernetes#112597 Signed-off-by: Petr Horacek <hrck@protonmail.com>
Some non grpc-go servers fail with "protocol error" when contacted by KubeVirt's gRPC client. The suspected cause is that grpc-go sends invalid Authority headers when using unix domain sockets. This issue prevents implementation of hook sidecars in other languages, such as Go with its Tonic library. A similar issue was encountered in Kubernetes [1], where it was solved by explicitly setting the Authority header. This patch uses the same approach. [1] kubernetes/kubernetes#112597 Signed-off-by: Petr Horacek <hrck@protonmail.com>
Some non grpc-go servers fail with "protocol error" when contacted by KubeVirt's gRPC client. The suspected cause is that grpc-go sends invalid Authority headers when using unix domain sockets. This issue prevents implementation of hook sidecars in other languages, such as Go with its Tonic library. A similar issue was encountered in Kubernetes [1], where it was solved by explicitly setting the Authority header. This patch uses the same approach. [1] kubernetes/kubernetes#112597 Signed-off-by: Petr Horacek <hrck@protonmail.com>
What type of PR is this?
/kind bug
What this PR does / why we need it:
Several reports exist (both with device plugins and CSI) that kubelet w/ grpc-go sends invalid Authority header and some non grpc-go servers reject these unix domain socket client connections.
grpc-go sets the Authority header correct when the dial address is in a format where the its address scheme can be determined.
Instead of making changes to get the all server addresses to unix:// prefixed format, set
grpc.WithAuthority("localhost")
client connection override to get the same result.Which issue(s) this PR fixes:
Fixes #107093
Fixes #109081
Fixes #108254
Closes #109559
Special notes for your reviewer:
The alternative approach could be to ensure all addresses are sanitized and set to use
unix://
scheme:TrimPrefix()
+Snprintf()
.Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: