Warn user if Pod/Service networks will be accessed via proxy.

[kad]

What this PR does / why we need it:
In environments where HTTP proxies are used, it is important
to whitelist Pod and Services network ranges in the NO_PROXY
variable, so cluster will be properly operational.

Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): fixes #

Special notes for your reviewer:

Release note:

- kubeadm  will warn users if access to IP ranges for Pods or Services will be done via HTTP proxy.

[k8s-ci-robot]

Hi @kad. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[xiangpengzhao]

/ok-to-test

[kad]

flakes of test infra :(

[luxas]

/assign @mikedanese @timothysc @mattmoyer
/unassign
(deferring to others, not familiar with all proxy edge cases)

[luxas]

lowercase first

[kad]

will fix in a moment.

[luxas]

this will fail in golint

[kad]

ok. will verify.

[luxas]

is this still necessary?

[kad]

Yes, that is another check. (master IP address is not part of pod/service CIDR checks). Just changed order, so all proxy related warnings will be in one place and not mixed with warnings/errors of something else.

[kad]

Updated.

[luxas]

/assign @mikedanese @timothysc @mattmoyer
/unassign
(didn't work in review comment it seems)

[kad]

@mikedanese @timothysc @mattmoyer can we make it retested and if there is no objections merged into master ?

[kad]

/retest

[timothysc]

I'm struggling to see why this is always an error and how we ensure we don't get false positives.

Would it be possible to add test cases here?

[kad]

It will produce warning, not error. Test case potentially possible, just need to be careful with set/unset environment variables during test.

[kad]

@timothysc updated with added test case for CIDRs both in IPv4 and IPv6 format.

[kad]

/test pull-kubernetes-unit

[kad]

Something is in really weird state: net/http.ProxyFromEnvironment() inside CI somehow always return nil, nil regardless of URLs or environment variables. Exactly same tests happily passing locally.

[liggitt]

ProxyFromEnvironment doesn't react to changes in the env once it has been called once. see envOnce. CI tests the entire tree, and something else probably calls ProxyFromEnvironment prior to your package

[kad]

Thanks @liggitt, that seems to be reason. Strange thing that I'm not able to get similar result locally. But anyway, will try to find other way to implement unit test for this change.

[kad]

@timothysc PR updated with unit test that is compatible with CI. Unfortunately within CI it is not really useful as initialized environment has no proxy set and this is cached by http.ProxyFromEnvironment. In such scenarios, where unit test detects that http.ProxyFromEnvironment will not return expected result, it will skip test. Locally, test produces this:

• Empty environment:

kad@kad:/work/go/src/k8s.io/kubernetes> env -i PATH=$PATH GOPATH=$GOPATH GOROOT=$GOROOT make test WHAT=./cmd/kubeadm/app/preflight/ GOFLAGS=-v
Running tests for APIVersion: v1,admissionregistration.k8s.io/v1alpha1,admission.k8s.io/v1alpha1,apps/v1beta1,apps/v1beta2,apps/v1,authentication.k8s.io/v1,authentication.k8s.io/v1beta1,authorization.k8s.io/v1,authorization.k8s.io/v1beta1,autoscaling/v1,autoscaling/v2beta1,batch/v1,batch/v1beta1,batch/v2alpha1,certificates.k8s.io/v1beta1,extensions/v1beta1,imagepolicy.k8s.io/v1alpha1,networking.k8s.io/v1,policy/v
1beta1,rbac.authorization.k8s.io/v1,rbac.authorization.k8s.io/v1beta1,rbac.authorization.k8s.io/v1alpha1,scheduling.k8s.io/v1alpha1,settings.k8s.io/v1alpha1,storage.k8s.io/v1beta1,storage.k8s.io/v1,,federatio
n/v1beta1
+++ [1015 12:13:52] Running tests without code coverage
=== RUN   TestRunInitMasterChecks
--- PASS: TestRunInitMasterChecks (0.00s)
=== RUN   TestRunJoinNodeChecks
--- PASS: TestRunJoinNodeChecks (0.00s)
=== RUN   TestRunChecks
--- PASS: TestRunChecks (0.00s)
=== RUN   TestConfigRootCAs
--- PASS: TestConfigRootCAs (0.00s)
=== RUN   TestConfigCertAndKey
--- PASS: TestConfigCertAndKey (0.00s)
=== RUN   TestKubernetesVersionCheck
--- PASS: TestKubernetesVersionCheck (0.00s)
=== RUN   TestHTTPProxyCIDRCheck
--- PASS: TestHTTPProxyCIDRCheck (0.00s)
        checks_test.go:483: Saved environment:  map[no_proxy:127.0.0.1,localhost]
        checks_test.go:503: http.ProxyFromEnvironment is usable, continue executing test
=== RUN   TestGetKubeletVersion
--- PASS: TestGetKubeletVersion (0.00s)
PASS
ok      k8s.io/kubernetes/cmd/kubeadm/app/preflight     0.052s

• My environment where corporate proxies are used and defined in *_proxy

kad@kad:/work/go/src/k8s.io/kubernetes> make test WHAT=./cmd/kubeadm/app/preflight/ GOFLAGS=-v
Running tests for APIVersion: v1,admissionregistration.k8s.io/v1alpha1,admission.k8s.io/v1alpha1,apps/v1beta1,apps/v1beta2,apps/v1,authentication.k8s.io/v1,authentication.k8s.io/v1beta1,authorization.k8s.io/v
1,authorization.k8s.io/v1beta1,autoscaling/v1,autoscaling/v2beta1,batch/v1,batch/v1beta1,batch/v2alpha1,certificates.k8s.io/v1beta1,extensions/v1beta1,imagepolicy.k8s.io/v1alpha1,networking.k8s.io/v1,policy/v
1beta1,rbac.authorization.k8s.io/v1,rbac.authorization.k8s.io/v1beta1,rbac.authorization.k8s.io/v1alpha1,scheduling.k8s.io/v1alpha1,settings.k8s.io/v1alpha1,storage.k8s.io/v1beta1,storage.k8s.io/v1,,federatio
n/v1beta1
+++ [1015 12:14:10] Running tests without code coverage
=== RUN   TestRunInitMasterChecks
--- PASS: TestRunInitMasterChecks (0.00s)
=== RUN   TestRunJoinNodeChecks
--- PASS: TestRunJoinNodeChecks (0.00s)
=== RUN   TestRunChecks
--- PASS: TestRunChecks (0.00s)
=== RUN   TestConfigRootCAs
--- PASS: TestConfigRootCAs (0.00s)
=== RUN   TestConfigCertAndKey
--- PASS: TestConfigCertAndKey (0.00s)
=== RUN   TestKubernetesVersionCheck
--- PASS: TestKubernetesVersionCheck (0.00s)
=== RUN   TestHTTPProxyCIDRCheck
--- PASS: TestHTTPProxyCIDRCheck (0.00s)
        checks_test.go:483: Saved environment:  map[NO_PROXY:localhost,127.0.0.1,.fi.corp.com http_proxy:http://proxy.corp.com:911 ftp_proxy:http://proxy.corp.com:911 socks_proxy: gopher_proxy:
 SOCKS_PROXY: https_proxy:http://proxy.corp.com:911 no_proxy:127.0.0.1,localhost]
        checks_test.go:503: http.ProxyFromEnvironment is usable, continue executing test
=== RUN   TestGetKubeletVersion
--- PASS: TestGetKubeletVersion (0.00s)
PASS
ok      k8s.io/kubernetes/cmd/kubeadm/app/preflight     0.052s
kad@kad:/work/go/src/k8s.io/kubernetes>

[timothysc]

/lgtm

[luxas]

I didn't review this in detail, but trust the earlier reviewers

/approve no-issue

[k8s-github-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kad, luxas, timothysc

Associated issue requirement bypassed by: luxas

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• cmd/kubeadm/OWNERS [luxas]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[kad]

/test pull-kubernetes-e2e-gce

[k8s-github-robot]

/test all [submit-queue is verifying that this PR is safe to merge]

[k8s-github-robot]

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.