Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kubectl attach: client-go does not respect CIDRs in NO_PROXY #54407

Closed
kad opened this issue Oct 23, 2017 · 2 comments · Fixed by #54413
Closed

kubectl attach: client-go does not respect CIDRs in NO_PROXY #54407

kad opened this issue Oct 23, 2017 · 2 comments · Fixed by #54413
Assignees
@kad
Labels
sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery.

Comments

@kad
Copy link
Member

kad commented Oct 23, 2017

Is this a BUG REPORT or FEATURE REQUEST?: BUG REPORT

/kind bug

What happened:

[root@k8s-c1 kad]# kubectl attach -i -t busybox1
If you don't see a command prompt, try pressing enter.
                                                      error: error sending request: Post https://10.237.72.166:6443/api/v1/namespaces/default/pods/busybox1/attach?container=busybox1&stdin=true&stdout=true&tty=true: EOF
[root@k8s-c1 kad]#  env | grep NO_PROX
NO_PROXY=localhost,127.0.0.1,.example.com,10.0.0.0/8
[root@k8s-c1 kad]#

What you expected to happen:

[root@k8s-c1 kad]# kubectl attach -i -t busybox1
If you don't see a command prompt, try pressing enter.
/ # 
/ # 
/ # 
[root@k8s-c1 kad]#

How to reproduce it (as minimally and precisely as possible):

  • run k8s cluster in environment where there is no direct access to internet, thus http proxies are used.
  • make sure that http proxy can't connect to your cluster IPs (proxy serves only external resources)
  • run simple deployment like: kubectl run -i -t busybox1 --image=busybox
  • try to attach to that pod: kubectl attach -i -t busybox1

Anything else we need to know?:
Transports instaging/src/k8s.io/client-go/transport seems to initialize properly defaults to use NewProxierWithNoProxyCIDR() from k8s.io/apimachinery/pkg/util/net. However, when it comes to SPDY, dial function seems somehow ignores it and fallbacks to default transport? or default proxy resolver net/http.ProxyFromEnvironment()

Environment:

  • Kubernetes version (use kubectl version):
Client Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.1", GitCommit:"f38e43b221d08850172a9a4ea785a86a3ffa3b3a", GitTreeState:"clean", BuildDate:"2017-10-11T23:27:35Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.1", GitCommit:"f38e43b221d08850172a9a4ea785a86a3ffa3b3a", GitTreeState:"clean", BuildDate:"2017-10-11T23:16:41Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
  • Cloud provider or hardware configuration**: NONE
  • OS (e.g. from /etc/os-release): "CentOS Linux 7 (Core)"
  • Kernel (e.g. uname -a): Linux k8s-c1.example.com 3.10.0-693.2.2.el7.x86_64 Unit test coverage in Kubelet is lousy. (~30%) #1 SMP Tue Sep 12 22:26:13 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
  • Install tools:
  • Others:
@k8s-github-robot k8s-github-robot added the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Oct 23, 2017
kad added a commit to kad/kubernetes that referenced this issue Oct 23, 2017
@kad
Use CIDR-aware proxy resolver for SPDY RoundTripper
cbc2688 
Fixes: kubernetes#54407
@kad kad mentioned this issue Oct 23, 2017
Merged
@kad
Copy link
Member Author

kad commented Oct 23, 2017

/sig api-machinery

@k8s-ci-robot k8s-ci-robot added the sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. label Oct 23, 2017
@k8s-github-robot k8s-github-robot removed the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Oct 23, 2017
@mkumatag
Copy link
Member

/assign @kad

k8s-github-robot pushed a commit that referenced this issue Oct 23, 2017
Merge pull request #54413 from kad/spdy-no-proxy-cidr
b1e2d7a 
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Use CIDR-aware proxy resolver for SPDY RoundTripper

**What this PR does / why we need it**: `kubectl attach` for example doesn't work if NO_PROXY specifies API endpoint IP via CIDR notation.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #54407

**Special notes for your reviewer**: Potentially it will be good to get that change to 1.8.x

**Release note**:
```release-note
- API machinery's httpstream/spdy calls now support CIDR notation for NO_PROXY
```
kad added a commit to kad/kubernetes that referenced this issue Oct 31, 2017
@kad
Use CIDR-aware proxy resolver for SPDY RoundTripper
3177084 
Fixes: kubernetes#54407
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kad kad

Labels
sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Use CIDR-aware proxy resolver for SPDY RoundTripper kad/kubernetes
4 participants
@kad @mkumatag @k8s-github-robot @k8s-ci-robot