apiserver aggregator cannot change the request.Host when accessing the external http service #71784

Open
KevinKingKong opened this Issue Dec 6, 2018 · 5 comments


KevinKingKong commented Dec 6, 2018

What happened:

When apiserver is using apiservice and service EXTERNAL-IP to access the external http service (a sample metric service), the "http request header Host" is still the apiserver's Host, causing the external http proxy services to fail to forward the request normally.

The request path is like this: client -> apiserver -> external http proxy service -> real http service (metric service)

What you expected to happen:
Many http proxy servers, such as nginx, handle request forwarding through the http request header Host. If the aggregator accesses an external http service, the original request header HOST should be request.URL.Host.

How to reproduce it (as minimally and precisely as possible):

1. Create an apiservice and an ExternalName service.
2. Create an http proxy server (e.g. nginx) and print the "HTTP HEADER HOST" to the nginx access log.
3. Try to change the test-ext-adaptor.dailyevn.net DNS IP to the proxy server IP.
4. Access https://127.0.0.1:6443/apis/power.metrics.extender/v1alpha1/nodes
5. See the nginx access log: the "HTTP HEADER HOST" is '127.0.0.1:6443' but not test-ext-adaptor.dailyevn.net:443

The following is the configuration:

[root@8c00516de625 ~]# kubectl get svc
NAME            TYPE           CLUSTER-IP   EXTERNAL-IP                     PORT(S)   AGE
kubernetes      ClusterIP      10.254.0.1   <none>                          443/TCP   2d
power-metrics   ExternalName   <none>       test-ext-adaptor.dailyevn.net   <none>    2d

[root@8c00516de625 ~]# kubectl describe apiservices v1alpha1.power.metrics.extender
Name:         v1alpha1.power.metrics.extender
Namespace:
Labels:       <none>
Annotations:  <none>
API Version:  apiregistration.k8s.io/v1
Kind:         APIService
Metadata:
  Creation Timestamp:  2018-11-30T07:54:23Z
  Resource Version:    38765
  Self Link:           /apis/apiregistration.k8s.io/v1/apiservices/v1alpha1.power.metrics.extender
  UID:                 2702bed7-f475-11e8-a76f-02427ea09f19
Spec:
  Group:                     power.metrics.extender
  Group Priority Minimum:    1000
  Insecure Skip TLS Verify:  true
  Service:
    Name:            power-metrics
    Namespace:       default
  Version:           v1alpha1
  Version Priority:  15
Status:
  Conditions:
    Last Transition Time:  2018-12-03T05:51:12Z
    Message:               all checks passed
    Reason:                Passed
    Status:                True
    Type:                  Available
Events:                    <none>

Anything else we need to know?:

Environment:

  • Kubernetes version (use kubectl version):
    Client Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.1", GitCommit:"b1b29978270dc22fecc592ac55d903350454310a", GitTreeState:"clean", BuildDate:"2018-11-30T07:43:21Z", GoVersion:"go1.10.4", Compiler:"gc", Platform:"linux/amd64"}
    Server Version: version.Info{Major:"1", Minor:"12+", GitVersion:"v1.12.0-alpha.0.2304+d08e68e75974eb", GitCommit:"d08e68e75974eb31fd65422c969b352ed8397edc", GitTreeState:"clean", BuildDate:"2018-11-30T16:20:19Z", GoVersion:"go1.10.4", Compiler:"gc", Platform:"linux/amd64"}
  • Cloud provider or hardware configuration:
  • OS (e.g. from /etc/os-release):
    NAME="CentOS Linux"
    VERSION="7 (Core)"
    ID="centos"
    ID_LIKE="rhel fedora"
    VERSION_ID="7"
    PRETTY_NAME="CentOS Linux 7 (Core)"
    ANSI_COLOR="0;31"
    CPE_NAME="cpe:/o:centos:centos:7"
    HOME_URL="https://www.centos.org/"
    BUG_REPORT_URL="https://bugs.centos.org/"
    CENTOS_MANTISBT_PROJECT="CentOS-7"
    CENTOS_MANTISBT_PROJECT_VERSION="7"
    REDHAT_SUPPORT_PRODUCT="centos"
    REDHAT_SUPPORT_PRODUCT_VERSION="7"
  • Kernel (e.g. uname -a):
    Linux 2a9cd2f00c15 4.9.87-linuxkit-aufs #1 SMP Wed Mar 14 15:12:16 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
  • Install tools:
  • Others:

/kind bug


KevinKingKong commented Dec 6, 2018

/sig api-machinery


Member

lavalamp commented Dec 6, 2018

/assign @yliaog


Contributor

yliaog commented Dec 8, 2018

So test-ext-adaptor.dailyevn.net is the proxy server, and from its access log, you see the req header is "127.0.0.1:6443", which is the apiserver's host.

It seems that is working as expected, i.e., when apiserver sends the request to the proxy server, the req header should be apiserver's host. It cannot be the proxy server's host.

Am I missing something here?


KevinKingKong commented Dec 8, 2018

@yliaog Thanks for your reply. Apiserver uses "test-ext-adaptor.dailyevn.net" to access the proxy server; the http req header's Host should be "test-ext-adaptor.dailyevn.net" but is "127.0.0.1:6443". This does not conform to the IETF specification (https://tools.ietf.org/html/rfc7230#section-5.4).
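
The Host behaviour discussed in this thread, reproduced with Go's standard net/http as an added example (not code from the issue or from the Kubernetes aggregator): the Host header on the wire comes from Request.Host and only falls back to URL.Host when that field is empty, so a forwarder that rewrites only the URL keeps sending the client's original Host. The helper names wireHost, forward and demo are made up for this sketch; the addresses are the ones quoted in the issue.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"net/http"
	"net/url"
)

// wireHost serialises req the way Go's HTTP client writes it and returns
// the Host header that actually goes on the wire.
func wireHost(req *http.Request) string {
	var buf bytes.Buffer
	if err := req.Write(&buf); err != nil {
		return ""
	}
	parsed, err := http.ReadRequest(bufio.NewReader(&buf))
	if err != nil {
		return ""
	}
	return parsed.Host
}

// forward retargets an inbound request at backend, as a forwarding proxy does.
// With rewriteHost=false only the URL changes, so the inbound Host survives.
func forward(in *http.Request, backend *url.URL, rewriteHost bool) *http.Request {
	out := in.Clone(in.Context())
	out.URL.Scheme = backend.Scheme
	out.URL.Host = backend.Host
	if rewriteHost {
		out.Host = backend.Host // what a Host-routing proxy such as nginx expects
	}
	return out
}

// demo replays the issue's values: apiserver address and ExternalName target.
func demo(rewriteHost bool) string {
	in, err := http.NewRequest("GET", "https://127.0.0.1:6443/apis/power.metrics.extender/v1alpha1/nodes", nil)
	if err != nil {
		return ""
	}
	backend, err := url.Parse("https://test-ext-adaptor.dailyevn.net:443")
	if err != nil {
		return ""
	}
	return wireHost(forward(in, backend, rewriteHost))
}

func main() {
	fmt.Println("URL rewritten only:    ", demo(false))
	fmt.Println("URL and Host rewritten:", demo(true))
}
```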


Contributor

yliaog commented Dec 9, 2018

Yes, I see your point. I'll take a closer look at the code today or tomorrow.
