Merged
Conversation
Kubernetes 1.29 introduced support for the new exec over Websocket protocol. In Kubernetes 1.29, this was an alpha feature which wasn't enabled by default, but in Kubernetes 1.30 this feature flag was promoted to beta stage and enabled by default. As such, we implemented the logic to always prefer the Kubernetes exec over websocket if the Kubernetes cluster supported it. The check that verified if we should prefer the websocket was a simple Kubernetes version check and the condition was `version >= 1.30.0`. For OpenShift this check is not valid as they ship Kubernetes 1.30+ with that feature disabled. Likely disabled at loadbalancer level. Given that the version check wasn't reliable for all Kubernetes supported clusters, this commit changes the logic to always use a fallback executor. This executor initially tries to establish the websocket connection and if it fails, it will fallback to the second executor. In our case, the preferred executor is websocket and the secondary executor is SPDY. Fixes #55695 Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
zmb3
approved these changes
Jun 13, 2025
rosstimothy
approved these changes
Jun 13, 2025
public-teleport-github-review-bot
Bot
removed request for
creack,
ryanclark and
vapopov
creack
approved these changes
Jun 13, 2025
Contributor
This was referenced Jun 13, 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Kubernetes 1.29 introduced support for the new exec over Websocket protocol. In Kubernetes 1.29, this was an alpha feature which wasn't enabled by default, but in Kubernetes 1.30 this feature flag was promoted to beta stage and enabled by default. As such, we implemented the logic to always prefer the Kubernetes exec over websocket if the Kubernetes cluster supported it. The check that verified if we should prefer the websocket was a simple Kubernetes version check and the condition was
version >= 1.30.0.For OpenShift this check is not valid as they ship Kubernetes 1.30+ with that feature disabled. Likely disabled at loadbalancer level. Given that the version check wasn't reliable for all Kubernetes supported clusters, this commit changes the logic to always use a fallback executor.
This executor initially tries to establish the websocket connection and if it fails, it will fallback to the second executor. In our case, the preferred executor is websocket and the secondary executor is SPDY.
Fixes #55695
Changelog: Fixed a bug that could cause Kubernetes exec requests to fail when the Kubernetes cluster had the WebSocket-based exec protocol disabled.