[e2e test failure] Simple pod should support exec through kubectl proxy #50466
Comments
k8s-ci-robot
added
sig/cli
|
Not sure if it is related to recent change in #49534. |
|
cc |
k8s-ci-robot
added
sig/network
|
/priority critical-urgent |
k8s-ci-robot
added
the
priority/critical-urgent
|
/assign @bowei |
|
@bowei can you please take a look at @pwittrock's comment and update / reassign if appropriate? Thanks! |
|
I'll take a look |
|
From a cursory glance: if networking is at fault, it would result in all of the tests that traverse the SSH tunnel path to fail with a timeout, which I'm not seeing here. |
|
This test does not seem to have ever passed, at least not in the testgrid history. |
|
Thanks for your suggestion of looking into the networking on GKE. My understanding is that you didn't think the failure we are seeing on was related to kubectl itself. The kubectl test appears to be the only one breaking. Should I expect to see other test failures if the failure is not related to the request sent by kubectl, but instead how it is processed by the apiserver? |
I'm not sure we test any other websocket requests in e2e, so maybe not? |
k8s-ci-robot
removed
the
sig/network
|
Should we be adding those tests, or is it not something that makes sense to do? |
|
The core bug here is that gke uses a different transport wrapper than normal gce installs and unwrapping the transport is required to upgrade passthrough proxies. |
|
And I think that's what I've addressed in #50775 (making the GKE transport unwrappable), but as we can see, it fails for another reason. Any idea? |
|
#50775 is necessary but not sufficient. copied from #50775 (comment) the issue is with kubernetes/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go Lines 269 to 282 in 4bfe9b1 can recreate this by running |
|
The transport that is used for upgrade needs to be invoked on the request
we use to dial the backend. In theory we can use a capturing RoundTripper
to see the mutation (we use that in a few other places, and I needed it for
the websocket code).
…On Thu, Aug 17, 2017 at 12:23 AM, Jordan Liggitt ***@***.***> wrote:
#50775 <#50775> is necessary
but not sufficient.
copied from #50775 (comment)
<#50775 (comment)>
the issue is with https://github.com/kubernetes/kubernetes/blob/
4bfe9b1/staging/src/k8s.io/
apimachinery/pkg/util/proxy/upgradeaware.go#L269-L282 that does not
actually use the transport to handle the request, only to dial. That means
that TLS-authentication methods like client certs work, and header
authentication methods like bearer tokens do not.
can recreate this by running kubectl proxy using bearer token
authentication and not cert auth, then try kubectl exec ... --server=
http://localhost:8001
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#50466 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABG_py-FaRZl2Cs0alIEykUqQ5CIm3nPks5sY8BdgaJpZM4Oz1AO>
.
|
As reported in kubernetes#50466, this test doesn't work in GKE because the transport layer doesn't work with dialing. As the feature that is broken in GKE is new and didn't work before, it is safe to juste ignore the test and consider the feature as "still not working" in GKE.
apelisse
added
the
sig/api-machinery
|
/assign @caesarxuchao Are you a good person to assign this to, or is there someone better? |
As reported in kubernetes#50466, this test doesn't work in GKE because the transport layer doesn't work with dialing. As the feature that is broken in GKE is new and didn't work before, it is safe to juste ignore the test and consider the feature as "still not working" in GKE.
|
/assign @cheftako |
Automatic merge from submit-queue Skip "Simple pod should support exec through kubectl proxy" test As reported in #50466, this test doesn't work in GKE because it uses a bearer token and the feature only works with client certs. As the feature that is broken in GKE is new and didn't work before, it is safe to juste ignore the test and consider the feature as "still not working" in GKE. **What this PR does / why we need it**: Fixes the broken test in https://k8s-testgrid.appspot.com/release-master-blocking#gke **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: works-around #50466 **Special notes for your reviewer**: **Release note**: ```release-note NONE ```
…_wrap Automatic merge from submit-queue (batch tested with PRs 50775, 51397, 51168, 51465, 51536) Allow bearer requests to be proxied by kubectl proxy Use a fake transport to capture changes to the request and then surface them back to the end user. Fixes kubernetes#50466 @liggitt no tests yet, but works locally
/cc @kubernetes/sig-cli-bugs
This test has started failing on GKE and GCI-GKI e2e tests:
https://k8s-testgrid.appspot.com/release-master-blocking#gci-gke
https://k8s-testgrid.appspot.com/release-master-blocking#gke
Example failure
https://k8s-gubernator.appspot.com/build/kubernetes-jenkins/logs/ci-kubernetes-e2e-gke/12920
The text was updated successfully, but these errors were encountered: