Skip to content

[kube] return Kubernetes API errors when using Websocket API#46796

Merged
tigrato merged 1 commit intomasterfrom
tigrato/use-spdy-fallback-kube
Sep 20, 2024
Merged

[kube] return Kubernetes API errors when using Websocket API#46796
tigrato merged 1 commit intomasterfrom
tigrato/use-spdy-fallback-kube

Conversation

@tigrato
Copy link
Copy Markdown
Contributor

@tigrato tigrato commented Sep 20, 2024
edited
Loading

Kubernetes 1.30 introduced a new Remote Command protocol utilizing WebSockets, replacing the outdated SPDY protocol. However, the new executor protocol did not return status errors when API calls failed.

In the context of Teleport, this led to a problem where permission errors were handled by the WebSocket executor and never relayed to users.

This pull request addresses the issue by implementing a status parser for errors in the WebSocket-based Kubernetes API.

Changelog: Fixes a regression where Teleport swallowed Kubernetes API errors when using kubectl exec with a Kubernetes cluster newer than v1.30.0.

rosstimothy
rosstimothy reviewed Sep 20, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@rosstimothy rosstimothy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we add test coverage?

@tigrato
[kube] return Kubernetes API errors when using Websocket API
f615f9d 
Kubernetes 1.30 introduced a new Remote Command protocol that uses WebSockets, replacing the deprecated SPDY protocol. The new executor protocol didn't returned the status error when API call failed.

For Teleport, this creates an issue because permission errors are absorbed by the WebSocket executor and were never passed to users.

This pull request implements a status parser for websocket Kubernetes API error.

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
@tigrato tigrato changed the title [kube] use SPDY fallback for Kubernetes executor when Websockets are supported [kube] return Kubernetes API errors when using Websocket API Sep 20, 2024
@tigrato tigrato requested a review from rosstimothy September 20, 2024 14:34
@tigrato tigrato force-pushed the tigrato/use-spdy-fallback-kube branch from ec3f478 to f615f9d Compare September 20, 2024 14:34
@tigrato
Copy link
Copy Markdown
Contributor Author

tigrato commented Sep 20, 2024

Can we add test coverage?

done. I also modified the approach

@tigrato tigrato enabled auto-merge September 20, 2024 14:39
rosstimothy
rosstimothy approved these changes Sep 20, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@rosstimothy rosstimothy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @tigrato!

@tigrato tigrato added this pull request to the merge queue Sep 20, 2024
Merged via the queue into master with commit 94f23dd Sep 20, 2024
@tigrato tigrato deleted the tigrato/use-spdy-fallback-kube branch September 20, 2024 16:12
@public-teleport-github-review-bot
Copy link
Copy Markdown

public-teleport-github-review-bot Bot commented Sep 20, 2024

@tigrato See the table below for backport results.

Branch Result
branch/v14 Failed
branch/v15 Failed
branch/v16 Create PR

@tigrato tigrato mentioned this pull request Sep 20, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@greedy52 greedy52 greedy52 approved these changes

@rosstimothy rosstimothy rosstimothy approved these changes

Assignees

No one assigned

Labels

kubernetes-access size/sm

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tigrato @greedy52 @rosstimothy