Stream Translator Proxy and FallbackExecutor for WebSockets

[seans3]

• Implements StreamTranslator proxy, which forwards data from a websocket server into a SPDY client. This proxy allows incremental WebSocket communication legs. This proxy is wrapped by the TranslatingHandler, delegating to the StreamTranslator proxy if the upgrade request is WebSockets/V5.

• Implements FallbackExecutor, which first attempts a WebSocket upgrade, then fallsback to legacy SPDY.

• Adds TranslateStreamCloseWebsocketRequests feature gate, which is off by default (WebSockets is alpha). An enabled feature gate allows the StreamTranslator proxy to be delegated from the current UpgradeAware proxy for WebSockets/V5 upgrade requests.

• Adds KUBECTL_REMOTE_COMMAND_WEBSOCKETS environment variable feature gate for kubectl, which is off by default. An enabled feature gate substitutes a FallbackExecutor for the legacy SPDYExecutor.

• Merging this PR will complete alpha functionality for transitioning from SPDY to WebSocket for bi-directional streaming. When both feature gates are turned on, the communication leg from kubectl to the API Server will use the WebSocket protocol for RemoteCommand (e.g. kubectl exec, cp, and attach) instead of SPDY.

• Manually tested successfully with the following commands using the nginx pod:

  • $ ./kubectl exec nginx -- date (basic command with STDOUT)
  • $ echo "this is a test" | ./kubectl exec -i nginx -- cat (pipe STDIN to command running on container)
  • $ ./kubectl cp ~/deploy-1.yaml nginx:/ (cp file from local to container)
  • $ ./kubectl cp nginx:/product_name /tmp/product_name (cp file from container to local)
  • $ ./kubectl exec -it nginx -- bash (interactive terminal)

Example stress test for WebSocket client running through the StreamTranslator proxy testing STDIN and STDOUT streams

$ stress ./remotecommand.test -test.run TestWebSocketStreamTranslator_LoopbackStdinToStdout
5s: 4005 runs so far, 0 failures
10s: 8037 runs so far, 0 failures
15s: 12031 runs so far, 0 failures
20s: 15969 runs so far, 0 failures
25s: 19898 runs so far, 0 failures
30s: 23731 runs so far, 0 failures
35s: 27561 runs so far, 0 failures
40s: 31360 runs so far, 0 failures
45s: 35082 runs so far, 0 failures
50s: 38797 runs so far, 0 failures

/kind feature

Fixes: #89163

NONE

• KEP Transition from SPDY to WebSockets - 4006

[seans3]

/sig api-machinery
/sig cli
/priority important-soon

[seans3]

/retest

[k8s-ci-robot]

@seans3: The /retest command does not accept any targets.
The following commands are available to trigger required jobs:

• /test pull-cadvisor-e2e-kubernetes
• /test pull-kubernetes-conformance-kind-ga-only-parallel
• /test pull-kubernetes-coverage-unit
• /test pull-kubernetes-dependencies
• /test pull-kubernetes-dependencies-go-canary
• /test pull-kubernetes-e2e-gce
• /test pull-kubernetes-e2e-gce-100-performance
• /test pull-kubernetes-e2e-gce-big-performance
• /test pull-kubernetes-e2e-gce-canary
• /test pull-kubernetes-e2e-gce-cos
• /test pull-kubernetes-e2e-gce-cos-canary
• /test pull-kubernetes-e2e-gce-cos-no-stage
• /test pull-kubernetes-e2e-gce-network-proxy-http-connect
• /test pull-kubernetes-e2e-gce-scale-performance-manual
• /test pull-kubernetes-e2e-kind
• /test pull-kubernetes-e2e-kind-ipv6
• /test pull-kubernetes-integration
• /test pull-kubernetes-integration-go-canary
• /test pull-kubernetes-kubemark-e2e-gce-scale
• /test pull-kubernetes-node-e2e-containerd
• /test pull-kubernetes-typecheck
• /test pull-kubernetes-unit
• /test pull-kubernetes-unit-go-canary
• /test pull-kubernetes-update
• /test pull-kubernetes-verify
• /test pull-kubernetes-verify-go-canary

The following commands are available to trigger optional jobs:

• /test check-dependency-stats
• /test pull-ci-kubernetes-unit-windows
• /test pull-crio-cgroupv1-node-e2e-eviction
• /test pull-crio-cgroupv1-node-e2e-features
• /test pull-crio-cgroupv1-node-e2e-hugepages
• /test pull-crio-cgroupv1-node-e2e-resource-managers
• /test pull-e2e-gce-cloud-provider-disabled
• /test pull-kubernetes-conformance-image-test
• /test pull-kubernetes-conformance-kind-ga-only
• /test pull-kubernetes-conformance-kind-ipv6-parallel
• /test pull-kubernetes-cos-cgroupv1-containerd-node-e2e
• /test pull-kubernetes-cos-cgroupv1-containerd-node-e2e-features
• /test pull-kubernetes-cos-cgroupv2-containerd-node-e2e
• /test pull-kubernetes-cos-cgroupv2-containerd-node-e2e-eviction
• /test pull-kubernetes-cos-cgroupv2-containerd-node-e2e-features
• /test pull-kubernetes-cos-cgroupv2-containerd-node-e2e-serial
• /test pull-kubernetes-crio-node-memoryqos-cgrpv2
• /test pull-kubernetes-cross
• /test pull-kubernetes-e2e-autoscaling-hpa-cm
• /test pull-kubernetes-e2e-autoscaling-hpa-cpu
• /test pull-kubernetes-e2e-capz-azure-disk
• /test pull-kubernetes-e2e-capz-azure-disk-vmss
• /test pull-kubernetes-e2e-capz-azure-file
• /test pull-kubernetes-e2e-capz-azure-file-vmss
• /test pull-kubernetes-e2e-capz-conformance
• /test pull-kubernetes-e2e-capz-windows-alpha-feature-vpa
• /test pull-kubernetes-e2e-capz-windows-alpha-features
• /test pull-kubernetes-e2e-capz-windows-master
• /test pull-kubernetes-e2e-capz-windows-serial-slow-hpa
• /test pull-kubernetes-e2e-containerd-gce
• /test pull-kubernetes-e2e-ec2
• /test pull-kubernetes-e2e-ec2-arm64
• /test pull-kubernetes-e2e-ec2-conformance
• /test pull-kubernetes-e2e-ec2-conformance-arm64
• /test pull-kubernetes-e2e-gce-correctness
• /test pull-kubernetes-e2e-gce-cos-alpha-features
• /test pull-kubernetes-e2e-gce-cos-kubetest2
• /test pull-kubernetes-e2e-gce-csi-serial
• /test pull-kubernetes-e2e-gce-device-plugin-gpu
• /test pull-kubernetes-e2e-gce-kubelet-credential-provider
• /test pull-kubernetes-e2e-gce-network-proxy-grpc
• /test pull-kubernetes-e2e-gce-serial
• /test pull-kubernetes-e2e-gce-storage-disruptive
• /test pull-kubernetes-e2e-gce-storage-slow
• /test pull-kubernetes-e2e-gce-storage-snapshot
• /test pull-kubernetes-e2e-gci-gce-autoscaling
• /test pull-kubernetes-e2e-gci-gce-ingress
• /test pull-kubernetes-e2e-gci-gce-ipvs
• /test pull-kubernetes-e2e-inplace-pod-resize-containerd-main-v2
• /test pull-kubernetes-e2e-kind-alpha-beta-features
• /test pull-kubernetes-e2e-kind-alpha-features
• /test pull-kubernetes-e2e-kind-beta-features
• /test pull-kubernetes-e2e-kind-canary
• /test pull-kubernetes-e2e-kind-dual-canary
• /test pull-kubernetes-e2e-kind-ipv6-canary
• /test pull-kubernetes-e2e-kind-ipvs-dual-canary
• /test pull-kubernetes-e2e-kind-kms
• /test pull-kubernetes-e2e-kind-multizone
• /test pull-kubernetes-e2e-kops-aws
• /test pull-kubernetes-e2e-storage-kind-disruptive
• /test pull-kubernetes-e2e-ubuntu-gce-network-policies
• /test pull-kubernetes-integration-eks
• /test pull-kubernetes-kind-dra
• /test pull-kubernetes-kind-json-logging
• /test pull-kubernetes-kind-text-logging
• /test pull-kubernetes-kubemark-e2e-gce-big
• /test pull-kubernetes-linter-hints
• /test pull-kubernetes-local-e2e
• /test pull-kubernetes-node-arm64-e2e-containerd-ec2
• /test pull-kubernetes-node-arm64-e2e-containerd-serial-ec2
• /test pull-kubernetes-node-arm64-ubuntu-serial-gce
• /test pull-kubernetes-node-crio-cgrpv1-evented-pleg-e2e
• /test pull-kubernetes-node-crio-cgrpv2-e2e
• /test pull-kubernetes-node-crio-cgrpv2-e2e-kubetest2
• /test pull-kubernetes-node-crio-e2e
• /test pull-kubernetes-node-crio-e2e-kubetest2
• /test pull-kubernetes-node-e2e-containerd-1-7-dra
• /test pull-kubernetes-node-e2e-containerd-alpha-features
• /test pull-kubernetes-node-e2e-containerd-ec2
• /test pull-kubernetes-node-e2e-containerd-features
• /test pull-kubernetes-node-e2e-containerd-features-kubetest2
• /test pull-kubernetes-node-e2e-containerd-kubetest2
• /test pull-kubernetes-node-e2e-containerd-serial-ec2
• /test pull-kubernetes-node-e2e-containerd-sidecar-containers
• /test pull-kubernetes-node-e2e-containerd-standalone-mode
• /test pull-kubernetes-node-e2e-containerd-standalone-mode-all-alpha
• /test pull-kubernetes-node-e2e-crio-dra
• /test pull-kubernetes-node-kubelet-credential-provider
• /test pull-kubernetes-node-kubelet-serial-containerd
• /test pull-kubernetes-node-kubelet-serial-containerd-alpha-features
• /test pull-kubernetes-node-kubelet-serial-containerd-kubetest2
• /test pull-kubernetes-node-kubelet-serial-containerd-sidecar-containers
• /test pull-kubernetes-node-kubelet-serial-cpu-manager
• /test pull-kubernetes-node-kubelet-serial-cpu-manager-kubetest2
• /test pull-kubernetes-node-kubelet-serial-crio-cgroupv1
• /test pull-kubernetes-node-kubelet-serial-crio-cgroupv2
• /test pull-kubernetes-node-kubelet-serial-hugepages
• /test pull-kubernetes-node-kubelet-serial-memory-manager
• /test pull-kubernetes-node-kubelet-serial-pod-disruption-conditions
• /test pull-kubernetes-node-kubelet-serial-topology-manager
• /test pull-kubernetes-node-kubelet-serial-topology-manager-kubetest2
• /test pull-kubernetes-node-swap-fedora
• /test pull-kubernetes-node-swap-fedora-serial
• /test pull-kubernetes-node-swap-ubuntu-serial
• /test pull-kubernetes-unit-experimental
• /test pull-kubernetes-verify-lint
• /test pull-publishing-bot-validate

Use /test all to run the following jobs that were automatically triggered:

• pull-kubernetes-conformance-kind-ga-only-parallel
• pull-kubernetes-conformance-kind-ipv6-parallel
• pull-kubernetes-dependencies
• pull-kubernetes-e2e-ec2
• pull-kubernetes-e2e-ec2-conformance
• pull-kubernetes-e2e-gce
• pull-kubernetes-e2e-gce-cos-alpha-features
• pull-kubernetes-e2e-kind
• pull-kubernetes-e2e-kind-ipv6
• pull-kubernetes-integration
• pull-kubernetes-linter-hints
• pull-kubernetes-node-e2e-containerd
• pull-kubernetes-typecheck
• pull-kubernetes-unit
• pull-kubernetes-verify
• pull-kubernetes-verify-lint

In response to this:

/retest pull-kubernetes-e2e-gce

...unrelated error:```
{ failed [FAILED] expected error when trying to connect to NodePort address
Expected an error to have occurred. Got:
: nil
In [It] at: test/e2e/network/service.go:2146 @ 10/22/23 00:33:47.407
}

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[seans3]

/test pull-kubernetes-e2e-gce

...unrelated error:

{ failed [FAILED] expected error when trying to connect to NodePort address
Expected an error to have occurred.  Got:
    <nil>: nil
In [It] at: test/e2e/network/service.go:2146 @ 10/22/23 00:33:47.407
}

[seans3]

/retest

...unrelated test failure for required test

{ failed [FAILED] Failed waiting for PVC to be bound PersistentVolumeClaims [pvc-568st] not all in phase Bound within 3m0s: PersistentVolumeClaims [pvc-568st] not all in phase Bound within 3m0s
In [It] at: test/e2e/storage/pv_protection.go:118 @ 10/23/23 01:04:31.037
}

[liggitt]

#119186 (comment) is my only remaining comment, lgtm otherwise

[liggitt]

is the fallback e2e running in the alpha job?

[seans3]

#119186 (comment) is my only remaining comment, lgtm otherwise

Fixed

[seans3]

is the fallback e2e running in the alpha job?

Apparently it is not running in the pull-kubernetes-e2e-gce-cos-alpha-features job

Kubernetes e2e suite: [It] [sig-cli] Kubectl client Simple pod should support inline execution and attach with websockets or fallback to spdy [sig-cli]Reason: skipped | 0s
-- | --

But it is running in the pull-kubernetes-e2e-gce job, which is exercising the fallback capability, because the kubectl env variable is being set for this test.

Kubernetes e2e suite: [It] [sig-cli] Kubectl client Simple pod should support inline execution and attach with websockets or fallback to spdy [sig-cli] | 1m10s
-- | --

[seans3]

/retest

...unrelated test failure in required test.

[seans3]

/retest

...unrelated test failure in required test

{Failed;  === RUN   Test_ValidatingAdmissionPolicy_MatchWithExcludeResources

[aojea]

But it is running in the pull-kubernetes-e2e-gce job, which is exercising the fallback capability, because the kubectl env variable is being set for this test.

yeah, the thing is that this test has to pass always, independent of the feature flag or not, because it has fallback

[aojea]

/lgtm

go go go

[k8s-ci-robot]

LGTM label has been added.

Git tree hash: daff9aa59a28efad0c7d296cea96399112f9612c

[liggitt]

is the fallback e2e running in the alpha job?

Apparently it is not running in the pull-kubernetes-e2e-gce-cos-alpha-features job

Kubernetes e2e suite: [It] [sig-cli] Kubectl client Simple pod should support inline execution and attach with websockets or fallback to spdy [sig-cli]Reason: skipped | 0s
-- | --

But it is running in the pull-kubernetes-e2e-gce job, which is exercising the fallback capability, because the kubectl env variable is being set for this test.

/lgtm
/approve

That's good, but we also want to exercise the server translation layer. Can we get that test to run in the alpha e2e?

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, logicalhan, seans3

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• pkg/features/OWNERS [liggitt,logicalhan,seans3]
• pkg/kubelet/server/OWNERS [liggitt]
• pkg/registry/OWNERS [liggitt]
• staging/src/k8s.io/apiextensions-apiserver/OWNERS [liggitt]
• staging/src/k8s.io/apimachinery/pkg/util/OWNERS [liggitt]
• staging/src/k8s.io/apiserver/OWNERS [liggitt]
• staging/src/k8s.io/client-go/OWNERS [liggitt]
• staging/src/k8s.io/kube-aggregator/OWNERS [liggitt]
• staging/src/k8s.io/kubectl/OWNERS [liggitt,seans3]
• staging/src/k8s.io/kubelet/OWNERS [liggitt]
• test/e2e/kubectl/OWNERS [liggitt,seans3]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

@seans3: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-kubernetes-e2e-gce	168998e	link	unknown	/test pull-kubernetes-e2e-gce

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[liggitt]

/retest