Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Plumbing the proxy dialer to the webhook admission plugin; Fix the tls config #50476

Merged
merged 2 commits into from
Sep 15, 2017
Merged

Plumbing the proxy dialer to the webhook admission plugin; Fix the tls config #50476

merged 2 commits into from
Sep 15, 2017

Conversation

caesarxuchao
Copy link
Member

@caesarxuchao caesarxuchao commented Aug 10, 2017
edited
Loading

I tested it in my gke setup. I don't have time to implement an e2e test before 1.8 release. I think it's ok to add the test later, because i) the change only affects the alpha webhook admission feature, and ii) the webhook feature is unusable without the fix. That said, it's up to my reviewer to decide.

Filed #52368 for the missing e2e test.

( The second commit is #52372, which is just a cleanup of client configuration in e2e tests. It removed a function that marshalled the client config to json and then unmarshalled it. It is a prerequisite of this PR, because this PR added the Dial function to the config which is not json marshallable.)

Fixed the webhook admission plugin so that it works even if the apiserver and the nodes are in two networks (e.g., in GKE).
Fixed the webhook admission plugin so that webhook author could use the DNS name of the service as the CommonName when generating the server cert for the webhook.

Action required:
Anyone who generated server cert for admission webhooks need to regenerate the cert. Previously, when generating server cert for the admission webhook, the CN value doesn't matter. Now you must set it to the DNS name of the webhook service, i.e., `<service.Name>.<service.Namespace>.svc`.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Aug 10, 2017
@k8s-github-robot k8s-github-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. release-note-label-needed labels Aug 10, 2017
@caesarxuchao
Copy link
Member Author

Still a WIP, because I don't know what's the proper way to test it.
@mandarjog when you said you could help testing it, you meant you could test it after the code is rolled out in gke, right?

@caesarxuchao
Copy link
Member Author

/release-note-none
/sig api-machinery

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. and removed release-note-label-needed labels Aug 10, 2017
@cheftako
Copy link
Member

cheftako commented Aug 16, 2017
edited
Loading

This seems somewhat GKE specific. Can we add apimachinery e2e test for at least one cloud provider which uses the dialer (GKE) and one which does not (GCE)?

@k8s-github-robot k8s-github-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 19, 2017
@caesarxuchao caesarxuchao mentioned this pull request Aug 23, 2017
Closed
@k8s-github-robot k8s-github-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 11, 2017
@caesarxuchao
Copy link
Member Author

The fix is not working yet.

$ kubectl get endpoints
webhook      10.32.0.5:8000     15m

API server log:

I0912 04:42:13.119439       5 ssh.go:400] [3971e1b2076ea996: 10.32.0.5:8000] Dialing...
W0912 04:42:13.119461       5 ssh.go:424] SSH tunnel not found for address "10.32.0.5", picking random node
I0912 04:42:13.121601       5 ssh.go:402] [3971e1b2076ea996: 10.32.0.5:8000] Dialed in 2.163495ms.
W0912 04:42:13.122779       5 admission.go:181] Failed calling webhook pod-image.k8s.io: failed calling admission webhook "pod-image.k8s.io": Post http://10.32.0.5:8000/: malformed HTTP response "\x15\x03\x01\x00\x02\x02\x16"
E0912 04:42:13.122808       5 admission.go:182] failed calling admission webhook "pod-image.k8s.io": Post http://10.32.0.5:8000/: malformed HTTP response "\x15\x03\x01\x00\x02\x02\x16"

http: TLS handshake error from 10.128.0.3:55796: tls: oversized record received with length 21536

@caesarxuchao
Copy link
Member Author

Reproduced in the unit test.

@caesarxuchao
Copy link
Member Author

Got it working in my local gke setup. I'll try to get together an gke e2e test, but no promise at the moment.

@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 12, 2017
@k8s-ci-robot
Copy link
Contributor

@caesarxuchao: Your pull request title starts with "[WIP]", so the do-not-merge/work-in-progress label will be added.

This label will ensure that your pull request will not be merged. Remove the prefix from your pull request title to trigger the removal of the label and allow for your pull request to be merged.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@caesarxuchao caesarxuchao changed the title [WIP] Plumbing the proxy dialer to the webhook admission plugin Plumbing the proxy dialer to the webhook admission plugin Sep 12, 2017
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 12, 2017
@caesarxuchao caesarxuchao mentioned this pull request Sep 12, 2017
Closed
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Sep 12, 2017
cheftako
cheftako reviewed Sep 12, 2017
View reviewed changes
Copy link
Member

@cheftako cheftako left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Need to look at the old certs customers may have had.

plugin/pkg/admission/webhook/admission.go Outdated
CAData: h.ClientConfig.CABundle,
CertData: a.clientCert,
KeyData: a.clientKey,
ServerName: h.ClientConfig.Service.Name + "." + h.ClientConfig.Service.Namespace + "." + "svc",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. Is this backward compatible for old clients?
  2. Not a big deal but do we really need to do "." + "svc" vs ".svc"

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For 1, It's not backward compatible. Added "Action Required" in the release note.

Will fix 2.

@k8s-ci-robot k8s-ci-robot removed the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Sep 13, 2017
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 13, 2017
lavalamp
lavalamp reviewed Sep 13, 2017
View reviewed changes
cmd/kube-apiserver/app/server.go
@@ -510,6 +510,7 @@ func BuildAdmissionPluginInitializer(s *options.ServerRunOptions, client interna
}

pluginInitializer = pluginInitializer.SetServiceResolver(serviceResolver)
pluginInitializer = pluginInitializer.SetProxyTransport(proxyTransport)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was kinda hoping to combine the service resolver with this proxy transport. But maybe it's not important. hm.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you want them to be combined because both of them are needed iff an admission plugin wants to contact a service provided by the user? I can put them into a single struct if you think it's necessary.

@caesarxuchao caesarxuchao mentioned this pull request Sep 14, 2017
Merged
@lavalamp lavalamp added this to the v1.8 milestone Sep 14, 2017
@lavalamp
Copy link
Member

/approve

@k8s-github-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: caesarxuchao, cheftako, lavalamp

Associated issue: 49987

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@k8s-github-robot k8s-github-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 14, 2017
Chao Xu added 2 commits September 14, 2017 15:35
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Sep 14, 2017
@k8s-github-robot k8s-github-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 14, 2017
@caesarxuchao caesarxuchao added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 14, 2017
@caesarxuchao
Copy link
Member Author

Rebased and squashed. Adding back the label.

@caesarxuchao
Copy link
Member Author

/retest

3 similar comments
@caesarxuchao
Copy link
Member Author

/retest

@caesarxuchao
Copy link
Member Author

/retest

@caesarxuchao
Copy link
Member Author

/retest

@k8s-ci-robot
Copy link
Contributor

@caesarxuchao: The following tests failed, say /retest to rerun them all:

Test name Commit Details Rerun command
pull-kubernetes-bazel 5ac3afe link /test pull-kubernetes-bazel
pull-kubernetes-e2e-gce-bazel 856a1db link /test pull-kubernetes-e2e-gce-bazel

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@k8s-github-robot
Copy link

Automatic merge from submit-queue (batch tested with PRs 51824, 50476, 52451, 52009, 52237)

@k8s-github-robot k8s-github-robot merged commit 7181dd4 into kubernetes:master Sep 15, 2017
@mbohlool mbohlool mentioned this pull request Sep 22, 2017
Merged
@prabushyam
Copy link

@caesarxuchao: Could we cherry pick this into 1.7 ?

@caesarxuchao caesarxuchao changed the title Plumbing the proxy dialer to the webhook admission plugin Plumbing the proxy dialer to the webhook admission plugin; Fix the tls config Sep 26, 2017
@caesarxuchao caesarxuchao mentioned this pull request Sep 26, 2017
Open
caesarxuchao pushed a commit to caesarxuchao/example-webhook-admission-controller that referenced this pull request Sep 27, 2017
Use the service DNS name as CN in the server CSR, to cope with
268dd93 
kubernetes/kubernetes#50476
@mandarjog mandarjog mentioned this pull request Nov 20, 2017
Merged
@tamalsaha tamalsaha mentioned this pull request Jan 1, 2018
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lavalamp lavalamp lavalamp left review comments

@cheftako cheftako cheftako approved these changes

Assignees

@lavalamp lavalamp

@cheftako cheftako

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
v1.8
Development

Successfully merging this pull request may close these issues.
6 participants
@caesarxuchao @cheftako @k8s-ci-robot @lavalamp @k8s-github-robot @prabushyam