node.Name/minion.Name should not be used as an address #2462
Comments
/cc @ddysher

Thanks for the suggestion! We currently assume minion.Name can be resolved, and we also do not respect the HostIP field, even if we say so (not 100% sure about this). I'll take a look.

I have a fix for this buried in #3171. I don't know that I've caught all places where the Name==endpoint assumption existed, but basic functionality seems to be working for me.

We really need to have both external and internal IP in the cloud provider
--brendan
On Mon, Dec 29, 2014 at 9:50 PM, Angus Lees notifications@github.com

Dup of now-fixed #4384

Alas, the bug is not yet fixed. We now have both internal and external addresses from the cloud provider, but those addresses are not being used in many places. For example, see code like: https://github.com/GoogleCloudPlatform/kubernetes/blob/a8f2cee8c5418676ee33a311fad57d6821d3d29a/pkg/registry/minion/rest.go#L147

Correct, it's not used right now. #4434 is one step toward the goal. Replacing node.Name with a different IP address involves more than just a field replace, though.

CJ, I think you're closest to which IP address is being used? Also, hardening master<->kubelet communication might fix this as part of cert validation and proxy functions?

And can you please update the title with the actual remaining issues?

Btw (and apologies if this is obvious), when changing Name -> IP in URLs, we need to also use net.JoinHostPort() because some of those IP literals might be IPv6 and need special quoting. A simple

Definitely was not obvious to me. Thank you for pointing that out.
We would also like an indicator of which node addresses are signed by the certificate on the node, so that we will be able to establish a secured TLS connection when contacting the node. |
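Combining the two points raised above (net.JoinHostPort() for IPv6 literals in URLs, and picking a node address that the node's certificate actually covers), as an added Go example that is not code from this thread or from Kubernetes; the kubelet port 10250, the address list and the certificate SANs are constructed sample values:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// KubeletURL builds the apiserver->kubelet URL; net.JoinHostPort brackets IPv6 literals, plain concat does not.
func KubeletURL(host string, port int, path string) string {
	return "https://" + net.JoinHostPort(host, fmt.Sprint(port)) + path
}

// PickVerifiableAddress returns the first reported node address that the node's serving
// certificate names in a SAN, so the client can keep TLS hostname verification enabled.
func PickVerifiableAddress(addrs []string, cert *x509.Certificate) (string, bool) {
	for _, a := range addrs {
		if cert.VerifyHostname(a) == nil {
			return a, true
		}
	}
	return "", false
}

// sampleNodeCert issues a throwaway self-signed certificate with the given SANs (constructed fixture).
func sampleNodeCert(ips []net.IP, dns []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IPAddresses: ips, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed sample: the cert covers only the InternalIP, not the bare node name or the other IPs.
	cert, _ := sampleNodeCert([]net.IP{net.ParseIP("10.0.0.5")}, []string{"node-1.internal"})
	addr, ok := PickVerifiableAddress([]string{"node-1", "203.0.113.9", "fd00::5", "10.0.0.5"}, cert)
	fmt.Println(KubeletURL(addr, 10250, "/healthz"), ok) // https://10.0.0.5:10250/healthz true
}
```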
#9155 removed the last place (that I could find) where we were using node.Name as an address.

Most of our communications from apiserver -> nodes used nodutil.GetNodeHostIP, but a few places didn't - and this meant that the node name needed to be resolvable _and_ we needed to populate valid IP addresses. Fix the last few places that used the NodeName.

Issue kubernetes#18525
Issue kubernetes#9451
Issue kubernetes#9728
Issue kubernetes#17643
Issue kubernetes#11543
Issue kubernetes#22063
Issue kubernetes#2462
Issue kubernetes#22109
Issue kubernetes#22770
Issue kubernetes#32286
According to my git grepping, the cloudprovider.Instances().IPAddress() function is only used when finding pod hosts (i.e. pod.getInstanceIP()), not when finding minion addresses (i.e. minion.ResourceLocation()) for healthchecking, etc.
The result is that my (openstack) cloudprovider is called to find minions and returns a list of "names". These names are neither literal IPs nor DNS names, so minion.ResourceLocation turns them into URLs that later fail to resolve, and the new minions never pass health checks.
I suggest minion.ResourceLocation should use code very much like pod.getInstanceIP to do name->address mapping via the cloudprovider plugin. This would presumably involve moving getInstanceIP out into a common library/singleton somewhere so both callers can benefit from a shared cache (see getInstanceIP).