-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Can't open a shell on a pod from behind a corporate proxy #6687
Comments
If you open up a local terminal within Lens and then run the |
A few additional variables are added by Lens to the env: APP_HTTPS_PROXY (same value than my HTTPS_PROXY), CHROME_CRASHPAD_PIPE_NAME, KUBECONFIG, LENS_SESSION, ORIGINAL_XDG_CURRENT_DESKTOP, PTYPID, PTYSHELL, TERM_PROGRAM, TERM_PROGRAM_VERSION, WSLENV Looking at the value of KUBECONFIG, it is a kubectl configuration file created by Lens I guess, which changes the cluster server URL and removes the certificate-authority-data parameter. This custom conf is probably the reason of the error : the same command that fails in the console opened by Lens succeeds in my console, that uses my kubectl conf file with the right server url and certificate-authority-data value. |
Adding the variable certificate-authority-data and its value to the Lens specific kubectl config file, the connection to pod's shell works perfectly. Therefore I suggest Lens adds the certificate-authority-data variable, when found in the local kubectl config file, to its generated config file. |
|
yes, NO_PROXY is present and contains localhost,127.0.0.1, and some more IPs related to my company |
If you run current-context: <some context name>
clusters:
- name: <some context name>
cluster:
server: http://localhost:8080
users:
- name: proxy
contexts:
- name: <some context name>
context:
cluster: <some context name>
user: proxy and then run What do you see? |
If the temp config contains the variable certificate-authority-data : a shell is opened on the pod. |
My corporate proxy modifies the SSL certification chain by replacing the root Certification Authority (CA)'s certificate signature with its own CA certificate, which I provide to kubectl through the value of certificate-authority-data. |
Interesting, thanks for doing that experiment. I wonder why we are even hitting your corporate proxy... |
lens runs on my machine, which uses the proxy as a system proxy. kubernetes runs in the cloud. the proxy is between the 2 :) |
Yes, but I would have suspected that |
Describe the bug
I am behind a corporate proxy.
When trying to open a shell on a pod from my system console (outside of Lens), it works:
When trying to connect a shell to a pod from Lens, it displays
Then falls back on my system shell prompt. If I run the command above from that shell, the following error is displayed:
My kubeconfig
Additional context
The commands kubectl done on my desktop shell works behind the corporate proxy because I have provided the http_proxy, https_proxy, no_proxy and AWS_CA_BUNDLE environment variables.
It seems that Lens does not use the same conf as my local kubectl/aws command line tools.
Thanks for your help !
The text was updated successfully, but these errors were encountered: