Use SSH tunnel for webhook communication iff the webhook is deployed as a service #58644
Conversation
k8s-ci-robot
added
the
release-note
k8s-ci-robot
added
the
size/M
k8s-ci-robot
added
the
cncf-cla: yes
|
lgtm. @lavalamp could you also have a look? |
|
/test pull-kubernetes-e2e-kops-aws |
| @@ -31,17 +31,18 @@ import ( | |||
| // rest.Config generated by the resolver. | |||
| type AuthenticationInfoResolverWrapper func(AuthenticationInfoResolver) AuthenticationInfoResolver | |||
|
|
|||
| // AuthenticationInfoResolver builds rest.Config base on the server name. | |||
| // AuthenticationInfoResolver builds rest.Config base on the server name and | |||
| // the isService flag indicating whether the webhook is deployed as a service. | |||
There was a problem hiding this comment.
The thing we want this name to highlight is whether the server is routable directly from apiserver's network environment. isService isn't the right name. Maybe indirectRouting? Note that the ssh tunnels are going away in less than a year, so please leave a TODO to remove this when they go away.
There was a problem hiding this comment.
Done. Changed the variable name to directRouting and added TODO.
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/approve |
|
/hold |
k8s-ci-robot
added
do-not-merge/hold
|
/hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
| type AuthenticationInfoResolver interface { | ||
| ClientConfigFor(server string) (*rest.Config, error) | ||
| ClientConfigFor(server string, directRouting bool) (*rest.Config, error) |
There was a problem hiding this comment.
More than just the kube apiserver will use this. We shouldn't change the interface just to accommodate kube apiserver
There was a problem hiding this comment.
I think the new flag might be useful in other cases. Or do you mean the client of the AuthenticationInfoResolver should never care where/how the webhooks are deployed?
There was a problem hiding this comment.
Open to other suggestions. Given that we do have the ssh tunnels right now this doesn't seem completely wrong to me.
There was a problem hiding this comment.
since the API driving webhooks distinguishes between service name/namespace and url.URL, seems like it would be better to just make that the API here:
ClientConfig(server string) (*rest.Config, error)
ClientConfigForService(serviceName, serviceNamespace string) (*rest.Config, error)
kube-apiserver's override would only inject the proxy dialer for ClientConfigForService
cmd/kube-apiserver/app/server.go
Outdated
| if err != nil { | ||
| return nil, err | ||
| } | ||
| if proxyTransport != nil && proxyTransport.Dial != nil { |
There was a problem hiding this comment.
We should find a different way to signal this special handling for kube apiserver than polluting the interface for all consumers
There was a problem hiding this comment.
An alternative is to check whether the server is a [host|ip]:port or not, but that seems a little bit hacky.
|
/hold |
k8s-ci-robot
added
do-not-merge/hold
k8s-github-robot
removed
the
lgtm
|
/test pull-kubernetes-unit |
| // is used for the communication from master to nodes get removed. | ||
| // | ||
| // ClientConfigForService builds rest.Config based on the service name. | ||
| ClientConfigForService(service string) (*rest.Config, error) |
There was a problem hiding this comment.
should probably be serviceName, serviceNamespace string, and defaultAuthenticationInfoResolver#ClientConfigForService does the same serviceName.serviceNamespace.svc lookup.
| ClientConfigFor(server string) (*rest.Config, error) | ||
| // ClientConfigFor builds rest.Config based on the host. | ||
| ClientConfigFor(host string) (*rest.Config, error) | ||
| // TODO(yguo0905): Remove ClientConfigForService once the SSH tunnels that |
There was a problem hiding this comment.
I'd remove the TODO... the webhook registration API has URL and service reference... I'd anticipate both being represented here, even once the kube-apiserver tunneling dialer is not needed
| @@ -459,27 +459,30 @@ func BuildGenericConfig(s *options.ServerRunOptions, proxyTransport *http.Transp | |||
| genericConfig.DisabledPostStartHooks.Insert(rbacrest.PostStartHookName) | |||
| } | |||
|
|
|||
| webhookAuthResolver := func(delegate webhookconfig.AuthenticationInfoResolver) webhookconfig.AuthenticationInfoResolver { | |||
| return webhookconfig.AuthenticationInfoResolverFunc(func(server string) (*rest.Config, error) { | |||
| if server == "kubernetes.default.svc" { | |||
There was a problem hiding this comment.
preserve this in ClientConfigForFunc:
ClientConfigForFunc: func(server string) (*rest.Config, error) {
if server == "kubernetes.default.svc" {
return genericConfig.LoopbackClientConfig, nil
}
return delegate.ClientConfigFor(server)
}
There was a problem hiding this comment.
I think the server will be [host|ip]:port in ClientConfigForFunc so this would never be true?
There was a problem hiding this comment.
https://kubernetes.default.svc is a valid URL that would parse to that host. Just wanted consistency between the two
There was a problem hiding this comment.
You're right. I thought the port is required in the URL but it's not.
|
one comment, lgtm otherwise |
|
/lgtm |
k8s-ci-robot
added
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: caesarxuchao, lavalamp, liggitt, yguo0905 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
|
/retest |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here. |
What this PR does / why we need it:
We are getting the following error when the apiserver connects the webhook on localhost (configured via URL). We should only use the SSL tunnel for the connections to nodes when the webhooks are running as services.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes # #58779
Special notes for your reviewer:
Release note:
/assign @lavalamp @caesarxuchao @cheftako