Warn user if Pod/Service networks will be accessed via proxy. #52792
@@ -40,12 +40,14 @@ import ( | |
|
||
"net/url" | ||
|
||
netutil "k8s.io/apimachinery/pkg/util/net" | ||
apiservoptions "k8s.io/kubernetes/cmd/kube-apiserver/app/options" | ||
cmoptions "k8s.io/kubernetes/cmd/kube-controller-manager/app/options" | ||
kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm" | ||
kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants" | ||
"k8s.io/kubernetes/pkg/api/validation" | ||
authzmodes "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes" | ||
"k8s.io/kubernetes/pkg/registry/core/service/ipallocator" | ||
"k8s.io/kubernetes/pkg/util/initsystem" | ||
versionutil "k8s.io/kubernetes/pkg/util/version" | ||
kubeadmversion "k8s.io/kubernetes/pkg/version" | ||
|
@@ -332,6 +334,56 @@ func (hst HTTPProxyCheck) Check() (warnings, errors []error) { | |
return nil, nil | ||
} | ||
|
||
// HTTPProxyCIDRCheck checks if https connection to specific subnet is going | ||
// to be done directly or over proxy. If proxy detected, it will return warning. | ||
// Similar to HTTPProxyCheck above, but operates with subnets and uses API | ||
// machinery transport defaults to simulate kube-apiserver accessing cluster | ||
// services and pods. | ||
type HTTPProxyCIDRCheck struct { | ||
Proto string | ||
CIDR string | ||
} | ||
|
||
// Check validates http connectivity to first IP address in the CIDR. | ||
// If it is not directly connected and goes via proxy it will produce warning. | ||
func (subnet HTTPProxyCIDRCheck) Check() (warnings, errors []error) { | ||
|
||
if len(subnet.CIDR) == 0 { | ||
return nil, nil | ||
} | ||
|
||
_, cidr, err := net.ParseCIDR(subnet.CIDR) | ||
if err != nil { | ||
return nil, []error{fmt.Errorf("error parsing CIDR %q: %v", subnet.CIDR, err)} | ||
} | ||
|
||
testIP, err := ipallocator.GetIndexedIP(cidr, 1) | ||
if err != nil { | ||
return nil, []error{fmt.Errorf("unable to get first IP address from the given CIDR (%s): %v", cidr.String(), err)} | ||
} | ||
|
||
testIPstring := testIP.String() | ||
if len(testIP) == net.IPv6len { | ||
testIPstring = fmt.Sprintf("[%s]:1234", testIP) | ||
} | ||
url := fmt.Sprintf("%s://%s/", subnet.Proto, testIPstring) | ||
|
||
req, err := http.NewRequest("GET", url, nil) | ||
if err != nil { | ||
return nil, []error{err} | ||
} | ||
|
||
// Utilize same transport defaults as it will be used by API server | ||
proxy, err := netutil.SetOldTransportDefaults(&http.Transport{}).Proxy(req) | ||
if err != nil { | ||
return nil, []error{err} | ||
} | ||
if proxy != nil { | ||
return []error{fmt.Errorf("connection to %q uses proxy %q. This may lead to malfunctional cluster setup. Make sure that Pod and Services IP ranges specified correctly as exceptions in proxy configuration", subnet.CIDR, proxy)}, nil | ||
} | ||
return nil, nil | ||
} | ||
|
||
// ExtraArgsCheck checks if arguments are valid. | ||
type ExtraArgsCheck struct { | ||
APIServerExtraArgs map[string]string | ||
|
@@ -648,7 +700,6 @@ func RunInitMasterChecks(cfg *kubeadmapi.MasterConfiguration) error { | |
PortOpenCheck{port: 10250}, | ||
PortOpenCheck{port: 10251}, | ||
PortOpenCheck{port: 10252}, | ||
HTTPProxyCheck{Proto: "https", Host: cfg.API.AdvertiseAddress, Port: int(cfg.API.BindPort)}, | ||
DirAvailableCheck{Path: filepath.Join(kubeadmconstants.KubernetesDir, kubeadmconstants.ManifestsSubDirName)}, | ||
FileContentCheck{Path: bridgenf, Content: []byte{'1'}}, | ||
SwapCheck{}, | ||
|
@@ -666,6 +717,9 @@ func RunInitMasterChecks(cfg *kubeadmapi.MasterConfiguration) error { | |
ControllerManagerExtraArgs: cfg.ControllerManagerExtraArgs, | ||
SchedulerExtraArgs: cfg.SchedulerExtraArgs, | ||
}, | ||
HTTPProxyCheck{Proto: "https", Host: cfg.API.AdvertiseAddress, Port: int(cfg.API.BindPort)}, | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. is this still necessary? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yes, that is another check. (master IP address is not part of pod/service CIDR checks). Just changed order, so all proxy related warnings will be in one place and not mixed with warnings/errors of something else. |
||
HTTPProxyCIDRCheck{Proto: "https", CIDR: cfg.Networking.ServiceSubnet}, | ||
HTTPProxyCIDRCheck{Proto: "https", CIDR: cfg.Networking.PodSubnet}, | ||
} | ||
|
||
if len(cfg.Etcd.Endpoints) == 0 { | ||
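Review bot: The local `url := fmt.Sprintf("%s://%s/", subnet.Proto, testIPstring)` in HTTPProxyCIDRCheck.Check shadows the `net/url` package that this same change adds to the import block, so any `url.Parse` call later in the function would not compile; `testURL := fmt.Sprintf("%s://%s/", subnet.Proto, testIPstring)` avoids the trap. The IPv6 detection `if len(testIP) == net.IPv6len {` is also fragile, because a net.IP holding an IPv4 address can be 16 bytes long depending on how GetIndexedIP builds it (that helper is not visible here); `if testIP.To4() == nil {` states the intent directly. Note too that only the IPv6 branch appends `:1234`, so the IPv4 and IPv6 probes are not equivalent, and that the check inspects a single address of the range, so a proxy exception that lists that one host rather than the whole CIDR would pass while the rest of the range still goes through the proxy — worth a sentence in the type's doc comment. The Check method is complete within this hunk.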
|
I'm struggling to see why this is always an error and how we ensure we don't get false positives.
Would it be possible to add test cases here?
It will produce a warning, not an error. A test case is potentially possible; we just need to be careful with set/unset environment variables during the test.