Where does kubeadm take the proxy settings from? #324
Comments
@erikbgithub Thanks a lot for this issue! So I can't comment on the exact statements above really, but I'd be very glad if you wanted to contribute to kubeadm to make the behavior behind a proxy better. To answer your question, here is the relevant go code:

```go
func getProxyEnvVars() []v1.EnvVar {
	envs := []v1.EnvVar{}
	for _, env := range os.Environ() {
		pos := strings.Index(env, "=")
		if pos == -1 {
			// malformed environment variable, skip it.
			continue
		}
		name := env[:pos]
		value := env[pos+1:]
		if strings.HasSuffix(strings.ToLower(name), "_proxy") && value != "" {
			envVar := v1.EnvVar{Name: name, Value: value}
			envs = append(envs, envVar)
		}
	}
	return envs
}
```

https://github.com/kubernetes/kubernetes/blob/master/cmd/kubeadm/app/preflight/checks.go#L291

```go
// HTTPProxyCheck checks if https connection to specific host is going
// to be done directly or over proxy. If proxy detected, it will return warning.
type HTTPProxyCheck struct {
	Proto string
	Host  string
	Port  int
}

func (hst HTTPProxyCheck) Check() (warnings, errors []error) {
	url := fmt.Sprintf("%s://%s:%d", hst.Proto, hst.Host, hst.Port)
	req, err := http.NewRequest("GET", url, nil)
	if err != nil {
		return nil, []error{err}
	}
	proxy, err := http.DefaultTransport.(*http.Transport).Proxy(req)
	if err != nil {
		return nil, []error{err}
	}
	if proxy != nil {
		return []error{fmt.Errorf("Connection to %q uses proxy %q. If that is not intended, adjust your proxy settings", url, proxy)}, nil
	}
	return nil, nil
}
```
Couldn't agree more |
cc @kad @timothysc |
@luxas Thanks I'll work through that when I get a round tuit. Before I can supply patches I need to learn some go though, so I would appreciate if others can churn in for now. ;-) First sub-question I'll look into is what go actually gets via |
@erikbgithub Let me know if you need some help with creating patches and I'll help |
@erikbgithub as original author of that check, I'll be happy to answer any questions.
|
I "fixed" this problem by including all my cluster node IPs in NO_PROXY and using the same NO_PROXY on all the minions when joining the cluster.
To be honest, I'm not sure if it's all the IP addresses being enumerated or the .example.com that fixed the problem. |
If PR kubernetes/kubernetes#52788 is merged, it will be possible to specify IP ranges for your nodes in NO_PROXY. It will simplify things a lot. |
A little bit weird, if I look into the code "checks.go".
In enterprise...there are necessarily three proxy options. (http_proxy, https_proxy, no_proxy)
|
I want to ask if kubeadm join supports http_proxy? I managed to get kubeadm init to work with http_proxy and no_proxy but it seems kubeadm join produces errors such as
and also which led me to believe maybe http_proxy and no_proxy is not yet supported for kubeadm join. |
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

kubeadm: Utilize transport defaults from API machinery for http calls inside kubeadm

**What this PR does / why we need it**:
Default Go HTTP transport does not allow to use CIDR notations in NO_PROXY variables, thus for certain HTTP calls that is done inside kubeadm user needs to put explicitly multiple IP addresses. For most of calls done via API machinery it is get solved by setting different Proxy resolver. This patch allows to use CIDR notations in NO_PROXY variables for currently all other HTTP calls that is made inside kubeadm.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes kubernetes/kubeadm#324

**Special notes for your reviewer**:
Based on discussion in #52788, replacing this patch replacing all calls inside kubeadm that are done via DefaultTransport to explicitly defined and initialized with API machinery defaults Transport and http client.

**Release note**:
```release-note
- kubeadm now supports CIDR notations in NO_PROXY environment variable
```
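The "different Proxy resolver" idea from the PR description above, sketched with the standard library only. This is an added example, not kubeadm's or API machinery's code: `withNoProxyCIDR` and `route` are hypothetical names, and the proxy host, NO_PROXY value and addresses are constructed.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

type proxyFunc func(*http.Request) (*url.URL, error) // shape of http.Transport.Proxy

// withNoProxyCIDR wraps delegate: requests whose host is an IP inside a CIDR
// listed in noProxy go direct; every other decision is left to delegate.
func withNoProxyCIDR(noProxy string, delegate proxyFunc) proxyFunc {
	var nets []*net.IPNet
	for _, entry := range strings.Split(noProxy, ",") {
		if _, ipnet, err := net.ParseCIDR(strings.TrimSpace(entry)); err == nil {
			nets = append(nets, ipnet)
		}
	}
	return func(req *http.Request) (*url.URL, error) {
		ip := net.ParseIP(req.URL.Hostname())
		for _, n := range nets {
			if ip != nil && n.Contains(ip) {
				return nil, nil // nil proxy URL means "connect directly"
			}
		}
		return delegate(req)
	}
}

// route reports the proxy target would use ("" = direct). http.ProxyURL is a
// stand-in for http.ProxyFromEnvironment so the result ignores the host's env.
func route(noProxy, proxyHost, target string) (string, error) {
	req, err := http.NewRequest("GET", target, nil)
	if err != nil {
		return "", err
	}
	u, err := withNoProxyCIDR(noProxy, http.ProxyURL(&url.URL{Scheme: "http", Host: proxyHost}))(req)
	if err != nil || u == nil {
		return "", err
	}
	return u.String(), nil
}

func main() { // constructed NO_PROXY value, proxy host and targets
	fmt.Println(route("localhost,10.0.0.0/8", "proxy.example.com:3128", "https://10.1.2.3:6443"))
	fmt.Println(route("localhost,10.0.0.0/8", "proxy.example.com:3128", "https://dl.k8s.io"))
}
```

With `http.ProxyFromEnvironment` as the delegate, plain hostname and suffix entries in NO_PROXY keep their usual handling and only the CIDR entries are new behaviour.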
Running into this problem once more. It still uses the proxy incorrectly and I seem to be unable to modify proxy and no_proxy settings. |
From my experience, kubeadm uses the proxy defined in /etc/environment |
Yup - in my case it is also /etc/environment |
In my case, it is /etc/environment as well. I have to remove the entries from the /etc/environment. It will be good if the kube init/Join has a flag to override this |
I must be missing something obvious or not obviously missing something. kubeadm can't seem to figure out the proxy settings. `kubeadm config images pull -v 4` I can wget or curl on that file with no problems, but the kubeadm tool doesn't seem to use the proxies. What am I missing? I have them set in my .bashrc, in the /etc/profile.d, in /etc/environment. They all have correct settings for the proxy, but kubeadm isn't using them. |
Kubeadm shells to crictl, but we just fixed a bug where it did not pass the proxy env vars to the command. Workaround for older versions is to list and pull images manually. See comments on the issue. |
That seems like a different problem. To fetch the version kubeadm constructs a go http client. It does respect the proxy env vars on the host. So make sure those are set. |
see my answer here |
It's not /etc/environment, it's not the current bash session that kubeadm is running in, it's not docker or kubelet environment. I verified this by setting `no_proxy` to a different value in all these instances. And for some reason after a `kubeadm init` it still continues to set another value for `no_proxy`. Restart, daemon-reload, restarting the services all doesn't change that fact.

Honestly it's really annoying that it only prints the line "the ip address fo.oo.ba.rr has a proxy set to blubb" instead of saying where it takes the value from. And why doesn't it simply read the value from /etc/environment, which is the one true source of truth when it comes to proxy setting, or the current bash session in which I call `kubeadm` which is the easiest place to make changes to?

What I expect would be something like this:

- `http_proxy`. (or `https_proxy` if secure communication is configured)
- `HTTP_PROXY` and warns if it is different.
- `http_proxy` in /etc/environment. It warns if it is different.
- `kubeadm reset` internally.
- `no_proxy` settings (at the end it may get cut off). <-- Also it would be so much better to use a hostname if possible, since `no_proxy` is actually meant for names, not IPs.

I seriously can't express how many working hours it would save people in enterprise networks.
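The "warns if it is different" checks requested above can be approximated outside kubeadm. The following is an added example, not kubeadm code: `parseProxyVars` and `proxyWarnings` are hypothetical names, the sample values are constructed, and it assumes /etc/environment holds `KEY=VALUE` lines with optional quotes and an optional `export ` prefix.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// parseProxyVars extracts *_proxy variables (any case) from KEY=VALUE lines,
// skipping comments and malformed lines and stripping quotes around values.
func parseProxyVars(text string) map[string]string {
	vars := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimPrefix(strings.TrimSpace(line), "export ")
		kv := strings.SplitN(line, "=", 2)
		if len(kv) != 2 || strings.HasPrefix(line, "#") || !strings.HasSuffix(strings.ToLower(kv[0]), "_proxy") {
			continue
		}
		vars[kv[0]] = strings.Trim(kv[1], `"'`)
	}
	return vars
}

// proxyWarnings compares the process environment with /etc/environment and
// returns one sorted warning per disagreement: a lower-case variable whose
// upper-case twin differs, and a variable whose value differs between sources.
func proxyWarnings(processEnv, etcEnvironment string) []string {
	proc, etc := parseProxyVars(processEnv), parseProxyVars(etcEnvironment)
	var out []string
	for name, v := range proc {
		if up := strings.ToUpper(name); up != name {
			if uv, ok := proc[up]; ok && uv != v {
				out = append(out, fmt.Sprintf("%s=%q but %s=%q in process env", name, v, up, uv))
			}
		}
		if ev, ok := etc[name]; ok && ev != v {
			out = append(out, fmt.Sprintf("%s=%q in process env but %q in /etc/environment", name, v, ev))
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample input; real input would come from os.Environ() and the file itself.
	env := "http_proxy=http://proxy-a.example.com:3128\nHTTP_PROXY=http://proxy-b.example.com:3128\nno_proxy=localhost"
	etc := "http_proxy=\"http://proxy-a.example.com:3128\"\nno_proxy=\"localhost,10.0.0.0/8\"\n"
	fmt.Println(strings.Join(proxyWarnings(env, etc), "\n"))
}
```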