Apiserver proxy rewriting not useful for intra-cluster links #5897
Labels
area/apiserver
area/usability
priority/backlog
Higher priority than priority/awaiting-more-evidence.
sig/api-machinery
Categorizes an issue or PR as relevant to SIG API Machinery.
Comments
bgrant0607
added
area/usability
area/apiserver
priority/awaiting-more-evidence
|
I would love to get rid of the rewriting, it is really error-prone. |
|
The only good part of the rewriting is that it works without external dependencies on any sort of discovery system. So it might be useful for debugging broken clusters. But the production proxy shouldn't do rewriting. |
bgrant0607
added
priority/backlog
|
Closing due to age and extreme lack of interest in fixing. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Forked from #4440.
The apiserver proxy uses httputil.NewSingleHostReverseProxy. This rewrites URLs to a fixed scheme, host, and base path. This is not smart enough to facilitate translation of links to other (intra-cluster) services, pods, and nodes, which are all proxy-able directly. In fact, if someone puts the correct proxy links into their pages, the links are munged and broken by the reverse proxy.
Internally, we don't rewrite links. Applications use intra-cluster names (DNS and our internal NS) and addresses, and we have a few different mechanisms to route those to the reverse proxy.
If we want to stick with the rewriting approach, the proxy should recognize and translate intra-cluster names and addresses. #3481 proposed proxying by IP address in addition to resource path.
cc @enisoc @lavalamp @smarterclayton
The text was updated successfully, but these errors were encountered: