Add HTTP proxy setting to kubeconfig #351
Comments
I've been looking into this issue, and I'd like to work on this.
Does this issue require adding something like this for the http-proxy, where details like the port and the IP on which the proxy server is running can be stored in a struct type and stored in the kubeconfig for the cluster?
Additional http-proxy field is added to the Cluster struct so that the kubeconfigs can have the proxy details to connect to the respective APIserver. fixes:kubernetes/client-go#351
@mikedanese Are you still working on this? This will be useful for the case where a Cluster API control plane needs to reach clusters via proxies.
Some details on our use case: We will run Cluster API (CAPI) controllers in a management cluster (in our infrastructure), and create workload clusters in other infrastructures. The CAPI controllers (as of v1alpha2) require access to the workload clusters' APIs. However, some workload clusters are deployed in a network that does not allow inbound connections. Therefore we are looking for a way to send requests from the CAPI controllers to the workload clusters' APIs that does not require inbound connections. In general, there are many ways to solve this problem. We would like to find one that (a) requires no changes to CAPI controller code, and (b) no changes to the workload cluster. The CAPI controllers use a kubeconfig (stored as a Secret) to talk to each workload cluster's API. There is one kubeconfig for each workload cluster. If we modify the kubeconfig, we can modify how the CAPI controllers reach the workload cluster, without changing the controller code. We can update the We can update the kubeconfig to point to an HTTP/S proxy. This requires no changes to the workload cluster's kube-apiserver server cert.
sig-apimachinery meeting discussion comments:
I wish I had been to the sig meeting.
Nope. https_proxy are authenticated via whatever is in the cert bundle. http_proxy and https_proxy need to trust the kube-apiserver but the client won't. socks5 doesn't use ssl between client and proxy, and the connection is e2e encrypted to the apiserver. Why would we ask everyone who wants to use a proxy to implement a custom protocol when e.g. ssh supports socks5 tunneling? This seems like a different FR.
Why? We already support this with an env variable. The FR is to add an override to kubeconfig.
@mikedanese Thanks for following up here. I apologize you missed the meeting, I assumed you'd be there, but in hindsight I should have pinged you about it.
Wanted to add my user story here because I think @mikedanese's MR could nicely simplify our own workflows in GKE, but moving parts would still remain in order to make the experience seamless. We're using private clusters in GKE. Right now, we're having to wrap We're typically using Every time I switch into a new shell, I need to export this environment variable. Because I work with multiple clusters, no single value works. It also inadvertently affects any other network interactions I might have. This makes using GKE private clusters slightly more painful than it ought to be. FWIW GKE's own documentation recommends running privoxy to act as an https_proxy to Kubernetes masters. If kubernetes/kubernetes#81443 gets merged, it may be helpful to make the gcloud/gke folks aware of it, in order to update
Nice, thanks! Do you know if this kind of thing gets backported, or does it only enter the latest binaries?
This will be 1.19+ only
@liggitt re: your comment in May, is this feature now available in kubectl / KUBECONFIG from 1.19 onwards? I have a use-case where I can use HTTP_PROXY with kubectl, but need to use a tool that reads and parses a kubeconfig instead, so I don't have a way to pass this in the usual env-var way.
How do I set no_proxy in kube config?
@vickyvikas7988 did you find out how to do it?
@Trolldemorted @vickyvikas7988 does setting the proxy per-cluster do what you need? kubernetes/website#32894
I want to use
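The per-cluster setting discussed in this thread, as an added example that is not part of any comment here or of the project's own documentation: a kubeconfig that uses the `proxy-url` cluster field (kubectl and client-go 1.19+). All cluster names, addresses, the proxy port and the credential placeholders are constructed for illustration.

```yaml
# Constructed kubeconfig: one cluster reached through a proxy, one reached directly.
apiVersion: v1
kind: Config
clusters:
- name: private-cluster            # hypothetical name
  cluster:
    server: https://10.0.0.2:6443  # constructed private API server address
    certificate-authority-data: <BASE64_CA_PLACEHOLDER>
    # Applies only to connections for this cluster entry. With a SOCKS5
    # proxy (for example an `ssh -D 1080` tunnel) the TLS session is still
    # negotiated end to end between the client and the kube-apiserver.
    proxy-url: socks5://localhost:1080
- name: direct-cluster             # hypothetical name
  cluster:
    server: https://k8s.example.com:6443
    certificate-authority-data: <BASE64_CA_PLACEHOLDER>
    # No proxy-url here: the client falls back to the HTTP_PROXY /
    # HTTPS_PROXY / NO_PROXY environment variables, if any are set.
users:
- name: dev-user                   # hypothetical name
  user:
    token: <TOKEN_PLACEHOLDER>
contexts:
- name: private
  context:
    cluster: private-cluster
    user: dev-user
- name: direct
  context:
    cluster: direct-cluster
    user: dev-user
current-context: private
```

Scoping the proxy to one cluster entry avoids exporting a shell-wide `HTTPS_PROXY`, which would also route unrelated traffic from that shell through the proxy.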
Note that this issue is closed already. According to https://github.com/kubernetes/kubernetes/blob/f02682c628c530219966a00ae002d799f0d813dc/staging/src/k8s.io/client-go/rest/config.go#L137-L139 the environment variable will take effect if the configuration is set to nil.
That last sentence suggests you might be able to configure it from there by setting If you can't do it from
Whilst managing several Kubernetes clusters, there could be potential scenarios where certain clusters require the usage of an HTTP proxy to be accessible. It would be useful to have http-proxy as a per cluster setting on the kube config so that it is easy to talk to clusters that require and don't require the usage of a proxy.