-
Notifications
You must be signed in to change notification settings - Fork 39.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ensure webhook service routing resolves kubernetes.default.svc correctly #62649
Conversation
/assign @deads2k |
/lgtm |
Please test these things if you want them to keep working: /lgtm cancel I think this is an awful hack to work around not having an identity for apiserver. e.g. clearly this can't work for an aggregated apiserver. Or am I misunderstanding something? |
the only service the apiserver can make authentication assumptions about is the kubernetes/default service, and only because it is serving it and controls authentication for it.
that's why this is only used in kube-apiserver. aggregated api servers running on top of the kube control plane use default dns resolution and in-cluster auth without incident. |
A concrete example request that exercises the path would help a lot. |
test added (verified it failed on master with an unresolveable address timeout), three additional bugs fixed. most integration tests do not actually use the real apiserver construction methods, so wouldn't have exercised the code that was fixed. The closest integration test to reality I found was this one: kubernetes/test/integration/examples/apiserver_test.go Lines 99 to 140 in bf3cda6
In the test commit in this PR, I started to extract the test setup to something that:
|
Thank you! Will look tomorrow if no one beats me to it. |
596e4c6
to
ffe61f1
Compare
/retest |
@@ -52,7 +52,7 @@ func New(config *Config) (http.RoundTripper, error) { | |||
// TLSConfigFor returns a tls.Config that will provide the transport level security defined | |||
// by the provided Config. Will return nil if no transport level security is requested. | |||
func TLSConfigFor(c *Config) (*tls.Config, error) { | |||
if !(c.HasCA() || c.HasCertAuth() || c.TLS.Insecure) { | |||
if !(c.HasCA() || c.HasCertAuth() || c.TLS.Insecure || len(c.TLS.ServerName) > 0) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if tls.Insecure is true, why don't we just return nil, nil?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
anything that deviates from the defaults must return a custom tls.Config
setting Insecure=true or a custom ServerName requires a non-default tls.Config
Question on the TLS bit. Integration test looks like it is testing the wiring more than the code since kube integration doesn't run real servers, but sure. |
any other comments? |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, liggitt The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
ffe61f1
to
d421aff
Compare
New changes are detected. LGTM label has been removed. |
rebased |
/retest Review the full test history for this PR. Silence the bot with an |
/test all [submit-queue is verifying that this PR is safe to merge] |
Automatic merge from submit-queue (batch tested with PRs 50899, 62649). If you want to cherry-pick this change to another branch, please follow the instructions here. |
@liggitt: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Is this likely to be also accepted into release-1.9 if cherry picked? Not sure what the usual convention is for which releases something should be backported to. |
picked to 1.9 in #63219 |
Going through the normal endpoint resolve path isn't correct in multi-master scenarios
The auth wrapper is pulling from LoopbackClientConfig, the service resolver should do the same