Kubectl proxy Strips out Authorization header #38775
Comments
This bit me as well. After some debugging it looks like the

This PR looks relevant: #34076
I was bit by the opposite behaviour, when trying to utilize grafana. Connecting via the apiserver's proxy, the Authorization header is passed to Grafana. Grafana didn't recognize the token in the header, and returned a 403/401. When I was writing up the bug, I realized it was a security issue: the Authorization header was being disclosed to whatever is behind the proxy, and it occurs silently and without the user's approval.

What I ended up doing is writing an haproxy script to set incoming Ended up working pretty well, and is trivial to do in haproxy.
this is working as expected. "proxying" through the apiserver will not get you standard proxy behavior (preserving Authorization headers end-to-end), because the API is not being used as a standard proxy a regular proxy would:
the api server:
additionally, propagating the Authorization header sent to the API on to the backend pods is potentially dangerous, since clients would not expect pods to see their API credentials.
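The behaviour the maintainer describes, as an added example that is not Kubernetes' own code: a small Go reverse proxy that deletes the caller's Authorization (and Proxy-Authorization) header before forwarding, so the backend pod never receives the credential the client presented to the proxy. The helper names, the in-memory backend and the "constructed-example-token" value are assumptions made for the demonstration; httputil.ReverseProxy and httptest are standard library.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"sync"
)

// credentialHeaders carry the caller's credential for *this* hop. A proxy that
// authenticates the caller itself must not pass them on to the backend.
var credentialHeaders = []string{"Authorization", "Proxy-Authorization"}

// NewScrubbingProxy (hypothetical helper) returns a reverse proxy for backend
// that removes the caller's credential headers before the request is forwarded.
func NewScrubbingProxy(backend *url.URL) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(backend)
	baseDirector := rp.Director // rewrites scheme/host to point at the backend
	rp.Director = func(req *http.Request) {
		baseDirector(req)
		for _, h := range credentialHeaders {
			req.Header.Del(h)
		}
	}
	return rp
}

// ForwardedAuthorization sends one GET through the scrubbing proxy to an
// in-memory backend and reports the Authorization value the backend observed
// ("" when none) together with the HTTP status returned to the client.
func ForwardedAuthorization(clientAuth string) (backendSaw string, status int, err error) {
	var mu sync.Mutex
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		mu.Lock()
		backendSaw = r.Header.Get("Authorization") // what the "pod" actually sees
		mu.Unlock()
		w.WriteHeader(http.StatusOK)
	}))
	defer backend.Close()

	backendURL, err := url.Parse(backend.URL)
	if err != nil {
		return "", 0, err
	}
	front := httptest.NewServer(NewScrubbingProxy(backendURL))
	defer front.Close()

	req, err := http.NewRequest(http.MethodGet, front.URL+"/healthz", nil)
	if err != nil {
		return "", 0, err
	}
	if clientAuth != "" {
		req.Header.Set("Authorization", clientAuth)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", 0, err
	}
	resp.Body.Close()

	mu.Lock()
	defer mu.Unlock()
	return backendSaw, resp.StatusCode, nil
}

func main() {
	// Constructed token value; nothing here is a real credential.
	saw, status, err := ForwardedAuthorization("Bearer constructed-example-token")
	if err != nil {
		fmt.Println("request failed:", err)
		return
	}
	fmt.Printf("client sent a bearer token; backend saw Authorization=%q, status=%d\n", saw, status)
}
```

Run it and the backend reports an empty Authorization header even though the client sent one, which is exactly the "expected" behaviour the maintainer describes: the credential used to authenticate to the proxy stops at the proxy. If a backend genuinely needs its own credential, the proxy should attach a separately configured one at this point rather than relaying the caller's.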
I got around this by routing through an ingress:
Bug Report

Kubernetes version (use kubectl version):

Environment:
uname -a: Darwin15.5.0 Darwin Kernel Version 15.5.0: Tue Apr 19 18:36:36

What happened:
I call kubectl proxy, and connect to my cluster. Then I attempt to communicate with my app via proxy, by using postman to send requests to:
http://localhost:8001/api/v1/proxy/namespaces/default/services/apiserver:80
My API always returns 401, due to the fact that my Authorization header has been stripped out of the request.

What you expected to happen:
To successfully communicate with my apiserver, with my Authentication header intact

How to reproduce it (as minimally and precisely as possible):
kc proxy