Fix kubernetes_service nil ptr dereference #9788
@codingllama @jimbishopp Can you guys take a look?

I have an open question above, but happy to approve if it's too much trouble.

@russjones I was waiting for Alan's question to be answered as well. I was also concerned that it could not be reproduced.
@lxea LMK if this is your understanding of this issue. @codingllama This may answer the question. It looks like the k8s lib is bypassing the TLS config under certain conditions, resulting in the TLS config being set to nil:

```go
func TLSConfigFor(c *Config) (*tls.Config, error) {
	if !(c.HasCA() || c.HasCertAuth() || c.HasCertCallback() || c.TLS.Insecure || len(c.TLS.ServerName) > 0 || len(c.TLS.NextProtos) > 0) {
		return nil, nil
	}
	...
}
```

We then panic while writing a debug log message:

```go
func (f *Forwarder) newClusterSessionLocal(ctx authContext) (*clusterSession, error) {
	...
	f.log.Debugf("local Servername: %v", creds.tlsConfig.ServerName)
```

I don't know enough about our k8s implementation yet, but I assume by the way this is written that client auth is not required?
Yeah, this is my current understanding; however, I wasn't able to reproduce the error, unfortunately.

@r0mant What do you think? Should we merge this without a repro?

It may be fine to merge without the repro, but I'm not sure the current fix checks for nil in the best place. Looking at the code, it seems like I think that would be a more appropriate place to check that tlsConfig is not nil (in addition to checking err). As for the repro, I think getting a kubeconfig from the user experiencing this issue will help. Looking at the rest.TLSConfigFor implementation (it's a method from the K8s client lib), it returns "nil, nil" in a few specific cases based on the kubeconfig, as @jimbishopp mentioned above.
Also please add test coverage.
lib/kube/proxy/auth.go (outdated)
messageArgs := "c.HasCA, " + | ||
"c.HasCertAuth, " + | ||
"c.HasCertCallback, " + | ||
"c.TLS.Insecure, " + | ||
"len(c.TLS.ServerName) > 0, " + | ||
"len(c.TLS.NextProtos) > 0 " | ||
return nil, trace.BadParameter("failed to generate TLS config from kubeConfig. All of %s were false", messageArgs) |
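Review bot: messageArgs is built entirely from string literals, so the error produced here is the same fixed text every time and tells the reader nothing beyond the fact that TLSConfigFor returned nil; the "All of %s were false" wording also lists predicate names, not the values that were actually evaluated for this kubeconfig. Suggest formatting the evaluated results instead, for example `trace.BadParameter("...: insecure=%t serverName=%q nextProtos=%v", clientCfg.TLS.Insecure, clientCfg.TLS.ServerName, clientCfg.TLS.NextProtos)`, together with set/unset flags for the CA and client-cert fields rather than their contents.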
@lxea I'm not sure this will help much in troubleshooting tbh. Can we dump the entire clientCfg in the log (or rather, its TLS section)? But make sure to redact fields like CAData, CertData, KeyData.
@codingllama @jimbishopp Can one of you give this another look please? We couldn't get the customer to share their kubeconfig with us so far, so we want to merge this so it fixes the panic and logs the config (with sensitive fields redacted), which would help in troubleshooting if it happens again.

lib/kube/proxy/auth.go (outdated)
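The two points raised in this thread, the `nil, nil` return from `rest.TLSConfigFor` and logging the TLS section with key material redacted, as an added example that is not the PR's own code. It uses constructed stand-ins for `rest.Config` and `rest.TLSClientConfig` (only the fields discussed here, with the `HasCA`/`HasCertAuth` checks simplified to the `*Data` fields) so that it runs without client-go; `tlsConfigFor`, `redactedTLSSummary` and `extractTLSConfig` are hypothetical names.

```go
package main
import (
	"crypto/tls"
	"fmt"
)

// Constructed stand-ins for the rest.Config / rest.TLSClientConfig fields used
// here; the real types live in k8s.io/client-go/rest.
type TLSClientConfig struct {
	Insecure   bool
	ServerName string
	NextProtos []string
	CAData     []byte // sensitive: never logged verbatim
	CertData   []byte // sensitive
	KeyData    []byte // sensitive
}
type Config struct {
	Host string
	TLS  TLSClientConfig
}
// tlsConfigFor mirrors the early return in client-go's rest.TLSConfigFor: when
// nothing in the config needs TLS settings it returns (nil, nil), not an error.
func tlsConfigFor(c *Config) (*tls.Config, error) {
	t := c.TLS
	if !(len(t.CAData) > 0 || len(t.CertData) > 0 || t.Insecure || len(t.ServerName) > 0 || len(t.NextProtos) > 0) {
		return nil, nil
	}
	return &tls.Config{ServerName: t.ServerName, InsecureSkipVerify: t.Insecure, NextProtos: t.NextProtos}, nil
}
// redactedTLSSummary describes the TLS section with key material reduced to set/unset.
func redactedTLSSummary(c *Config) string {
	t := c.TLS
	return fmt.Sprintf("host=%q insecure=%t serverName=%q nextProtos=%v caData=%t certData=%t keyData=%t",
		c.Host, t.Insecure, t.ServerName, t.NextProtos, len(t.CAData) > 0, len(t.CertData) > 0, len(t.KeyData) > 0)
}
// extractTLSConfig checks both err and the nil *tls.Config before anyone dereferences it.
func extractTLSConfig(c *Config) (*tls.Config, error) {
	cfg, err := tlsConfigFor(c)
	if err != nil {
		return nil, fmt.Errorf("failed to generate TLS config from kubeconfig: %w", err)
	}
	if cfg == nil {
		return nil, fmt.Errorf("kubeconfig produced no TLS config: %s", redactedTLSSummary(c))
	}
	return cfg, nil
}
func main() {
	// Constructed input: a key but no cert, so TLSConfigFor yields nil; the error shows keyData=true, never the bytes.
	_, err := extractTLSConfig(&Config{Host: "https://kube.example:6443", TLS: TLSClientConfig{KeyData: []byte("SECRET")}})
	fmt.Println(err)
}
```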
@@ -174,6 +174,19 @@ func extractKubeCreds(ctx context.Context, cluster string, clientCfg *rest.Confi | |||
if err != nil { | |||
return nil, trace.Wrap(err, "failed to generate TLS config from kubeconfig: %v", err) | |||
} | |||
if tlsConfig == nil { | |||
cc := rest.CopyConfig(clientCfg) |
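Review bot: the nil check now sits where it belongs, after the err check and before anything touches tlsConfig, but `cc := rest.CopyConfig(clientCfg)` copies the whole client config, including CAData, CertData and KeyData and the other credential fields on rest.Config, so every one of those must be cleared on `cc` before it is formatted into a log line or error; consider logging only the TLS fields TLSConfigFor actually inspects (Insecure, ServerName, NextProtos) plus set/unset flags for the CA and client-cert data. Separately, the context line `trace.Wrap(err, "failed to generate TLS config from kubeconfig: %v", err)` embeds the error text twice, since trace.Wrap already carries err.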
Do we really need to echo the entire config? It seems a bit dangerous to do.
Maybe use rest.AnonymousClientConfig? Although I'd rather not echo everything if possible.
Based off of the stack trace in #9721 (haven't successfully reproduced the issue), it appears that the nil ptr dereference happens when `creds.tlsConfig` is nil.

#9721