-
Notifications
You must be signed in to change notification settings - Fork 2.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kubectl exec fails #7425
Comments
Hi @rsuniev ... how are you accessing to kubernetes api?? Through aws elb?? If yes, could you please try to access kubernetes api directly instead through aws elb? May be related to this kubernetes issue... |
@rawmind0 We are using AWS ALB? Same issue? |
If you are using aws alb, may be same issue... failing only kubectl exec commands... Are other kubectl commands working well?? Could you please, try to modify kubectl config file and try to access directly to one k8s api server instead of through aws alb?? |
We tried this but we are terminating a ALB at SSL and then forwarding to port 8080. Which didn't work because the server is expecting the header to be HTTPS. |
The issue is that traefik does not pass Upgrade header This tcpdump proves it -
if you search for this id (1-587d73b6-1ad77d992ca15e4776c68cba (x-Amzn-Trace-Id)) then you'll notice that the above data has two http requests - the first from kubectl to the traefik proxy, and the second from websocket-proxy to kube-apiserver (on my setup 10.42.14.47 is the kubeapiserver ip). In the second request, it doesnt pass the http upgrade header, but the first request has the http header. somehow the http header is lost between traefik and websocket-proxy, and since we know that web socket proxy works just fine if we switch off traefik, we jumped to the conclusion that traefik is the one dropping the headers |
Thanks for the expert analysis @wlan0 , @ibuildthecloud is putting a fix into traefik to correct this. |
We're running into this issue as well. We have nearly the same configuration as the OP but aren't using traefik as far as I know. Have been able to work around it by using the "Execute Shell" feature in the Rancher UI but would like to be able to use |
@TylerRick Is your setup a Rancher HA setup? i.e. do you start the rancher server with the We are submitting a patch to traefik to fix this issue. We'll be updating the traefik version with the patch as soon as possible. I'll comment on this thread once it is fixed. |
@wlan0 No, we just have a single Rancher server currently. Our setup seems about the same other than that though (Rancher v1.3.1, Kubernetes v1.5.1, AWS, and an Application Load Balancer for ports 80/443 that routes to our single Rancher instance on port 8080), so it may not be specific to traefik and more to do with ALB...? Should I create a separate issue? |
@TylerRick ALB supports websocket, SPDY and HTTP/2.0. That being said, Please create a separate issue. We can debug further there. |
Validated the fix on Rancher v1.2.3-rc2, here are the steps:
Both kubectl exec and logs work from remote client. |
Sorry to ping on a closed issue @galal-hussein but I'm getting 400s from an apache load balancer, despite following this: http://rancher.com/docs/rancher/v1.6/en/installing-rancher/installing-server/basic-ssl-config/#example-apache-configuration configuration. The apache server is running a flat Apache/2.4.7 install (non-container). I have proxy_wstunnel enabled, and everything in general works fine with rancher with regards to the UI and almost all kubectl commands, but exec doesn't work:
And in the apache logs I see:
In my apache virtual host for rancher I have the following:
The balancer is pulled from a shared apache config:
Do you have any idea anything I could be missing? |
Hi, i have the same issue and with almost the same config as @Joeskyyy (without the proxypass to a balancer)
|
After some research i can say that's it doesn't seem the rancher fault, if i directly connect (with kubectl) to the rancher server (@ https://docker.internal:443) the exec command is working. (i cannot make the 8080 connection directly works, i have a redirect on the https://*:8443 ports) thanks a lots for all the help ! |
Rancher Versions:
Server:1.2.2
healthcheck:0.2.0
ipsec:0.0.2
network-services:0.0.8
scheduler:0.2.0
kubernetes (if applicable): 1.4.6v1
Docker Version:
OS and where are the hosts located? (cloud, bare metal, etc): AWS, ALB
Setup Details: (single node rancher vs. HA rancher, internal DB vs. external DB) HA rancher
Environment Type: (Cattle/Kubernetes/Swarm/Mesos) Kubernetes
Steps to Reproduce:
Results:
request fails with the error:
Expected:
kubectl exec works
The text was updated successfully, but these errors were encountered: