Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kubernetes client does not support InsecureSkipVerify #876

Closed
jonaz opened this issue Nov 22, 2016 · 5 comments
Closed

kubernetes client does not support InsecureSkipVerify #876

jonaz opened this issue Nov 22, 2016 · 5 comments
Labels
area/provider/k8s/ingress kind/enhancement a new or improved feature. status/5-frozen-due-to-age

Comments

@jonaz
Copy link
Contributor

jonaz commented Nov 22, 2016

Like other providers we should have --kubernetes.tls.insecureskipverify
Which makes the client in provider/k8s/client.go set c.tls.InsecureSkipVerify
@enxebre
Copy link
Contributor

enxebre commented Dec 20, 2016

Hey @jonaz @emilevauge I can't thing of any valid use case for this.
Traefik is using "in cluster" configuration https://github.com/containous/traefik/blob/master/provider/k8s/client.go#L44
which will set up tls config based on the "Kubernetes service account" including the CA https://github.com/kubernetes/client-go/blob/124670e99da15091e13916f0ad4b2b2df2a39cd5/rest/config.go#L285

And the Kubernetes Client will actually prevent you from going insecure by raising an error if you try to set the Insecure flag.
https://github.com/kubernetes/client-go/blob/124670e99da15091e13916f0ad4b2b2df2a39cd5/transport/transport.go#L58

screen shot 2016-12-20 at 09 54 41

A potential (not sure if useful at all) use case for this could be to have an "out of cluster" kubernetes provider reading a kubeconfig file (just like https://github.com/kubernetes/client-go/blob/124670e99da15091e13916f0ad4b2b2df2a39cd5/examples/out-of-cluster/main.go#L36)
However this would make no trivial for Traefik to reach the pods.

@enxebre enxebre mentioned this issue Dec 20, 2016
Closed
@errm
Copy link
Contributor

errm commented Feb 21, 2017

I agree, at the moment k8s implies that Traefik is running in cluster, with credentials and CA provided by the service account, running Traefik externally makes a lot of things uncertain networking wise... Unless there is a strong use case to support this, in a real cluster it seems irrelevant.

@errm errm closed this as completed Feb 21, 2017
@jonaz
Copy link
Contributor Author

jonaz commented Feb 21, 2017

My usecase was traefik running inside a cluster. With a haproxy in front of the kubernetes apiservers and the common name was then not included in the SAN of the apiserver certs. Therefore i needed traefik to work anyway.

My SANs looked like this:
DNS Name: kubernetes
DNS Name: kubernetes.default
DNS Name: localhost
IP Address: 192.168.100.57
IP Address: 192.168.100.58
IP Address: 192.168.100.59
IP Address: 10.3.0.1
IP Address: 127.0.0.1

But my service for the haproxy was named apiserver-lb which was not included in the SAN.
The real fix is ofcourse to include apiserver-lb in the SAN but that requires downtime.

I solved it by running traefik on hostNetwork instead so it could access the haproxy on localhost which was included in the SAN.

@errm
Copy link
Contributor

errm commented Feb 22, 2017

Running in cluster you shouldn't need ha-proxy kube-proxy should work just fine... if kubedns is running, kubernetes.default should route correctly...

@jonaz
Copy link
Contributor Author

jonaz commented Feb 22, 2017 via email

@traefik traefik locked and limited conversation to collaborators Sep 1, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
area/provider/k8s/ingress kind/enhancement a new or improved feature. status/5-frozen-due-to-age
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@errm @jonaz @enxebre @emilevauge @traefiker