Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

In-cluster config uses an IP address instead of recommended DNS name #587

Closed
RobinMcCorkell opened this issue Jul 9, 2021 · 5 comments · Fixed by #597
Closed

In-cluster config uses an IP address instead of recommended DNS name #587

RobinMcCorkell opened this issue Jul 9, 2021 · 5 comments · Fixed by #597
Labels
bug Something isn't working client kube Client related

Comments

@RobinMcCorkell
Copy link

When inferring in-cluster config, the code looks for KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT and creates a URL based on that, e.g. https://10.43.0.1:443. This breaks when using rustls-tls instead of openssl, due to missing support in the upstream libraries as noted in #123 (comment) and other places.

The recommended way to access the API server from a pod is with the kubernetes.default.svc DNS name, not with the service IP, which would avoid the rustls issue entirely. Is there a reason kube-rs uses the service IP directly?
@RobinMcCorkell
Copy link
Author

As an immediate workaround, it appears that adding an environment variable KUBERNETES_SERVICE_HOST = kubernetes.default.svc at least allows rustls builds to work.

@clux clux added the client kube Client related label Jul 9, 2021
@clux
Copy link
Member

clux commented Jul 9, 2021

Oh interesting. Based on that documentation it looks like we are using a legacy / misguided method. Our method is not mentioned there anymore, and can test + fix this pretty easily. Thanks for the report!

@clux clux added the bug Something isn't working label Jul 9, 2021
@RobinMcCorkell
Copy link
Author

RobinMcCorkell commented Jul 9, 2021
edited
Loading

I assume this crate was modelled off the Golang libraries, where I found this interesting little comment ;) https://github.com/kubernetes/client-go/blob/7a90b08589bbf0d36a27041d5491b7b8d5430f15/rest/config.go#L506-L512

@clux
Copy link
Member

clux commented Jul 9, 2021

hah! that's actually current master! practice what you preach, hey.

@clux clux mentioned this issue Jul 21, 2021
Closed
clux added a commit that referenced this issue Jul 21, 2021
@clux
try using cluster dns to reach apiserver - for #587
a86dd3e
@clux clux mentioned this issue Jul 21, 2021
Merged
@clux
Copy link
Member

clux commented Jul 21, 2021

Draft PR for this at in #597
Have not had the time to test it, and probably won't for a little while, so any help is appreciated.

@clux clux linked a pull request Jul 21, 2021 that will close this issue
use cluster dns to reach apiserver for rustls - for #587 #597
Merged
clux added a commit that referenced this issue Jul 21, 2021
@clux
try using cluster dns to reach apiserver - for #587
52dc95b
clux added a commit that referenced this issue Jul 21, 2021
@clux
try using cluster dns to reach apiserver - for #587
64e1492
clux added a commit that referenced this issue Jul 24, 2021
@clux
use cluster dns to reach apiserver when on rustls - for #587
4efd997
@clux clux closed this as completed in #597 Jul 26, 2021
clux added a commit that referenced this issue Jul 26, 2021
@clux
use cluster dns to reach apiserver for rustls - for #587 (#597)
e2f816e 
* use cluster dns to reach apiserver when on rustls - for #587

* ci test run with rustls
@clux clux mentioned this issue Jul 26, 2021
Closed
@jakedipity jakedipity mentioned this issue Oct 15, 2021
Closed
@mKeRix mKeRix mentioned this issue Jan 18, 2022
Merged
@clux clux mentioned this issue Apr 12, 2022
Closed
clux added a commit that referenced this issue Apr 13, 2022
@clux
Switch to kubernetes dns for incluster url everywhere
9916723 
This is the recommended, and only documented method on https://kubernetes.io/docs/tasks/run-application/access-api-from-pod/
The legacy method has issues with ipv6 and it's time to retire it.

We trialled the new method for 6months via #587 without any reports.

Closes #874

Signed-off-by: clux <sszynrae@gmail.com>
@clux clux mentioned this issue Apr 13, 2022
Merged
clux added a commit that referenced this issue Apr 13, 2022
@clux
Switch to kubernetes cluster dns for incluster url everywhere (#876)
dd0b258 
* Switch to kubernetes dns for incluster url everywhere

This is the recommended, and only documented method on https://kubernetes.io/docs/tasks/run-application/access-api-from-pod/
The legacy method has issues with ipv6 and it's time to retire it.

We trialled the new method for 6months via #587 without any reports.

Closes #874

Signed-off-by: clux <sszynrae@gmail.com>

* remove code for legacy methods, was never actually made public

Signed-off-by: clux <sszynrae@gmail.com>

* simplify kube_dns fn with less unwraps

Signed-off-by: clux <sszynrae@gmail.com>
@clux clux mentioned this issue Jul 12, 2022
Closed
@JPFrancoia JPFrancoia mentioned this issue Nov 3, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working client kube Client related
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

use cluster dns to reach apiserver for rustls - for #587 kube-rs/kube
2 participants
@clux @RobinMcCorkell