Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

In-cluster config uses an IP address instead of recommended DNS name #587

Closed
RobinMcCorkell opened this issue Jul 9, 2021 · 5 comments · Fixed by #597
Closed

In-cluster config uses an IP address instead of recommended DNS name #587

RobinMcCorkell opened this issue Jul 9, 2021 · 5 comments · Fixed by #597
Labels
bug Something isn't working client kube Client related

Comments

@RobinMcCorkell
Copy link

When inferring in-cluster config, the code looks for KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT and creates a URL based on that, e.g. https://10.43.0.1:443. This breaks when using rustls-tls instead of openssl, due to missing support in the upstream libraries as noted in #123 (comment) and other places.

The recommended way to access the API server from a pod is with the kubernetes.default.svc DNS name, not with the service IP, which would avoid the rustls issue entirely. Is there a reason kube-rs uses the service IP directly?

@RobinMcCorkell
Copy link
Author

As an immediate workaround, it appears that adding an environment variable KUBERNETES_SERVICE_HOST = kubernetes.default.svc at least allows rustls builds to work.

@clux clux added the client kube Client related label Jul 9, 2021
@clux
Copy link
Member

clux commented Jul 9, 2021

Oh interesting. Based on that documentation it looks like we are using a legacy / misguided method. Our method is not mentioned there anymore, and can test + fix this pretty easily. Thanks for the report!

@clux clux added the bug Something isn't working label Jul 9, 2021
@RobinMcCorkell
Copy link
Author

RobinMcCorkell commented Jul 9, 2021

I assume this crate was modelled off the Golang libraries, where I found this interesting little comment ;) https://github.com/kubernetes/client-go/blob/7a90b08589bbf0d36a27041d5491b7b8d5430f15/rest/config.go#L506-L512

@clux
Copy link
Member

clux commented Jul 9, 2021

hah! that's actually current master! practice what you preach, hey.

@clux
Copy link
Member

clux commented Jul 21, 2021

Draft PR for this at in #597
Have not had the time to test it, and probably won't for a little while, so any help is appreciated.

@clux clux linked a pull request Jul 21, 2021 that will close this issue
@clux clux closed this as completed in #597 Jul 26, 2021
clux added a commit that referenced this issue Jul 26, 2021
* use cluster dns to reach apiserver when on rustls - for #587

* ci test run with rustls
clux added a commit that referenced this issue Apr 13, 2022
This is the recommended, and only documented method on https://kubernetes.io/docs/tasks/run-application/access-api-from-pod/
The legacy method has issues with ipv6 and it's time to retire it.

We trialled the new method for 6months via #587 without any reports.

Closes #874

Signed-off-by: clux <[email protected]>
clux added a commit that referenced this issue Apr 13, 2022
* Switch to kubernetes dns for incluster url everywhere

This is the recommended, and only documented method on https://kubernetes.io/docs/tasks/run-application/access-api-from-pod/
The legacy method has issues with ipv6 and it's time to retire it.

We trialled the new method for 6months via #587 without any reports.

Closes #874

Signed-off-by: clux <[email protected]>

* remove code for legacy methods, was never actually made public

Signed-off-by: clux <[email protected]>

* simplify kube_dns fn with less unwraps

Signed-off-by: clux <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working client kube Client related
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants