New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Warn user if Pod/Service networks will be accessed via proxy. #52792
Conversation
Hi @kad. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/ok-to-test |
flakes of test infra :( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/assign @mikedanese @timothysc @mattmoyer
/unassign
(deferring to others, not familiar with all proxy edge cases)
cmd/kubeadm/app/preflight/checks.go
Outdated
return nil, []error{err} | ||
} | ||
if proxy != nil { | ||
return []error{fmt.Errorf("Connection to %q uses proxy %q. This may lead to malfunctional cluster setup. Make sure that Pod and Services IP ranges specified correctly as exceptions in proxy configuration", subnet.CIDR, proxy)}, nil |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lowercase first
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
will fix in a moment.
cmd/kubeadm/app/preflight/checks.go
Outdated
CIDR string | ||
} | ||
|
||
func (subnet HTTPProxyCIDRCheck) Check() (warnings, errors []error) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this will fail in golint
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok. will verify.
@@ -627,6 +674,9 @@ func RunInitMasterChecks(cfg *kubeadmapi.MasterConfiguration) error { | |||
ControllerManagerExtraArgs: cfg.ControllerManagerExtraArgs, | |||
SchedulerExtraArgs: cfg.SchedulerExtraArgs, | |||
}, | |||
HTTPProxyCheck{Proto: "https", Host: cfg.API.AdvertiseAddress, Port: int(cfg.API.BindPort)}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is this still necessary?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, that is another check. (master IP address is not part of pod/service CIDR checks). Just changed order, so all proxy related warnings will be in one place and not mixed with warnings/errors of something else.
Updated. |
/assign @mikedanese @timothysc @mattmoyer |
@mikedanese @timothysc @mattmoyer can we make it retested and if there is no objections merged into master ? |
/retest |
return nil, []error{err} | ||
} | ||
if proxy != nil { | ||
return []error{fmt.Errorf("connection to %q uses proxy %q. This may lead to malfunctional cluster setup. Make sure that Pod and Services IP ranges specified correctly as exceptions in proxy configuration", subnet.CIDR, proxy)}, nil |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm struggling to see why this is always an error and how we ensure we don't get false positives.
Would it be possible to add test cases here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It will produce warning, not error. Test case potentially possible, just need to be careful with set/unset environment variables during test.
@timothysc updated with added test case for CIDRs both in IPv4 and IPv6 format. |
/test pull-kubernetes-unit |
ff218d3
to
a0fa6f4
Compare
Something is in really weird state: net/http.ProxyFromEnvironment() inside CI somehow always return |
ProxyFromEnvironment doesn't react to changes in the env once it has been called once. see |
Thanks @liggitt, that seems to be reason. Strange thing that I'm not able to get similar result locally. But anyway, will try to find other way to implement unit test for this change. |
In environments where HTTP proxies are used, it is important to whitelist Pod and Services network ranges in the NO_PROXY variable, so cluster will be properly operational.
@timothysc PR updated with unit test that is compatible with CI. Unfortunately within CI it is not really useful as initialized environment has no proxy set and this is cached by http.ProxyFromEnvironment. In such scenarios, where unit test detects that http.ProxyFromEnvironment will not return expected result, it will skip test. Locally, test produces this:
kad@kad:/work/go/src/k8s.io/kubernetes> env -i PATH=$PATH GOPATH=$GOPATH GOROOT=$GOROOT make test WHAT=./cmd/kubeadm/app/preflight/ GOFLAGS=-v
Running tests for APIVersion: v1,admissionregistration.k8s.io/v1alpha1,admission.k8s.io/v1alpha1,apps/v1beta1,apps/v1beta2,apps/v1,authentication.k8s.io/v1,authentication.k8s.io/v1beta1,authorization.k8s.io/v1,authorization.k8s.io/v1beta1,autoscaling/v1,autoscaling/v2beta1,batch/v1,batch/v1beta1,batch/v2alpha1,certificates.k8s.io/v1beta1,extensions/v1beta1,imagepolicy.k8s.io/v1alpha1,networking.k8s.io/v1,policy/v
1beta1,rbac.authorization.k8s.io/v1,rbac.authorization.k8s.io/v1beta1,rbac.authorization.k8s.io/v1alpha1,scheduling.k8s.io/v1alpha1,settings.k8s.io/v1alpha1,storage.k8s.io/v1beta1,storage.k8s.io/v1,,federatio
n/v1beta1
+++ [1015 12:13:52] Running tests without code coverage
=== RUN TestRunInitMasterChecks
--- PASS: TestRunInitMasterChecks (0.00s)
=== RUN TestRunJoinNodeChecks
--- PASS: TestRunJoinNodeChecks (0.00s)
=== RUN TestRunChecks
--- PASS: TestRunChecks (0.00s)
=== RUN TestConfigRootCAs
--- PASS: TestConfigRootCAs (0.00s)
=== RUN TestConfigCertAndKey
--- PASS: TestConfigCertAndKey (0.00s)
=== RUN TestKubernetesVersionCheck
--- PASS: TestKubernetesVersionCheck (0.00s)
=== RUN TestHTTPProxyCIDRCheck
--- PASS: TestHTTPProxyCIDRCheck (0.00s)
checks_test.go:483: Saved environment: map[no_proxy:127.0.0.1,localhost]
checks_test.go:503: http.ProxyFromEnvironment is usable, continue executing test
=== RUN TestGetKubeletVersion
--- PASS: TestGetKubeletVersion (0.00s)
PASS
ok k8s.io/kubernetes/cmd/kubeadm/app/preflight 0.052s
kad@kad:/work/go/src/k8s.io/kubernetes> make test WHAT=./cmd/kubeadm/app/preflight/ GOFLAGS=-v
Running tests for APIVersion: v1,admissionregistration.k8s.io/v1alpha1,admission.k8s.io/v1alpha1,apps/v1beta1,apps/v1beta2,apps/v1,authentication.k8s.io/v1,authentication.k8s.io/v1beta1,authorization.k8s.io/v
1,authorization.k8s.io/v1beta1,autoscaling/v1,autoscaling/v2beta1,batch/v1,batch/v1beta1,batch/v2alpha1,certificates.k8s.io/v1beta1,extensions/v1beta1,imagepolicy.k8s.io/v1alpha1,networking.k8s.io/v1,policy/v
1beta1,rbac.authorization.k8s.io/v1,rbac.authorization.k8s.io/v1beta1,rbac.authorization.k8s.io/v1alpha1,scheduling.k8s.io/v1alpha1,settings.k8s.io/v1alpha1,storage.k8s.io/v1beta1,storage.k8s.io/v1,,federatio
n/v1beta1
+++ [1015 12:14:10] Running tests without code coverage
=== RUN TestRunInitMasterChecks
--- PASS: TestRunInitMasterChecks (0.00s)
=== RUN TestRunJoinNodeChecks
--- PASS: TestRunJoinNodeChecks (0.00s)
=== RUN TestRunChecks
--- PASS: TestRunChecks (0.00s)
=== RUN TestConfigRootCAs
--- PASS: TestConfigRootCAs (0.00s)
=== RUN TestConfigCertAndKey
--- PASS: TestConfigCertAndKey (0.00s)
=== RUN TestKubernetesVersionCheck
--- PASS: TestKubernetesVersionCheck (0.00s)
=== RUN TestHTTPProxyCIDRCheck
--- PASS: TestHTTPProxyCIDRCheck (0.00s)
checks_test.go:483: Saved environment: map[NO_PROXY:localhost,127.0.0.1,.fi.corp.com http_proxy:http://proxy.corp.com:911 ftp_proxy:http://proxy.corp.com:911 socks_proxy: gopher_proxy:
SOCKS_PROXY: https_proxy:http://proxy.corp.com:911 no_proxy:127.0.0.1,localhost]
checks_test.go:503: http.ProxyFromEnvironment is usable, continue executing test
=== RUN TestGetKubeletVersion
--- PASS: TestGetKubeletVersion (0.00s)
PASS
ok k8s.io/kubernetes/cmd/kubeadm/app/preflight 0.052s
kad@kad:/work/go/src/k8s.io/kubernetes> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I didn't review this in detail, but trust the earlier reviewers
/approve no-issue
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: kad, luxas, timothysc Associated issue requirement bypassed by: luxas The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
/test pull-kubernetes-e2e-gce |
/test all [submit-queue is verifying that this PR is safe to merge] |
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here. |
What this PR does / why we need it:
In environments where HTTP proxies are used, it is important
to whitelist Pod and Services network ranges in the NO_PROXY
variable, so cluster will be properly operational.
Which issue this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close that issue when PR gets merged): fixes #Special notes for your reviewer:
Release note: