github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Remove --redirect-container-streaming functionality (#95935)

Browse Source 
* Remove --redirect-container-streaming functionality

* Update bazel
This commit is contained in:
Tim Allclair 2020-11-09 11:50:11 -08:00 committed by GitHub
parent 10221a8dac
commit a439bc5572
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 60 additions and 175 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
cmd/kubelet/app/options/container_runtime.go
View File

@ -45,12 +45,11 @@ func NewContainerRuntimeOptions() *config.ContainerRuntimeOptions {
} }
return &config.ContainerRuntimeOptions{ return &config.ContainerRuntimeOptions{
ContainerRuntime: kubetypes.DockerContainerRuntime, ContainerRuntime: kubetypes.DockerContainerRuntime,
RedirectContainerStreaming: false, DockerEndpoint: dockerEndpoint,
DockerEndpoint: dockerEndpoint, DockershimRootDirectory: "/var/lib/dockershim",
DockershimRootDirectory: "/var/lib/dockershim", PodSandboxImage: defaultPodSandboxImage,
PodSandboxImage: defaultPodSandboxImage, ImagePullProgressDeadline: metav1.Duration{Duration: 1 * time.Minute},
ImagePullProgressDeadline: metav1.Duration{Duration: 1 * time.Minute},
CNIBinDir: "/opt/cni/bin", CNIBinDir: "/opt/cni/bin",
CNIConfDir: "/etc/cni/net.d", CNIConfDir: "/etc/cni/net.d",

13
pkg/kubelet/config/flags.go
View File

@ -31,15 +31,6 @@ type ContainerRuntimeOptions struct {
ContainerRuntime string ContainerRuntime string
// RuntimeCgroups that container runtime is expected to be isolated in. // RuntimeCgroups that container runtime is expected to be isolated in.
RuntimeCgroups string RuntimeCgroups string
// RedirectContainerStreaming enables container streaming redirect.
// When RedirectContainerStreaming is false, kubelet will proxy container streaming data
// between apiserver and container runtime. This approach is more secure, but the proxy
// introduces some overhead.
// When RedirectContainerStreaming is true, kubelet will return an http redirect to apiserver,
// and apiserver will access container runtime directly. This approach is more performant,
// but less secure because the connection between apiserver and container runtime is not
// authenticated.
RedirectContainerStreaming bool
// Docker-specific options. // Docker-specific options.
@ -83,8 +74,8 @@ func (s *ContainerRuntimeOptions) AddFlags(fs *pflag.FlagSet) {
// General settings. // General settings.
fs.StringVar(&s.ContainerRuntime, "container-runtime", s.ContainerRuntime, "The container runtime to use. Possible values: 'docker', 'remote'.") fs.StringVar(&s.ContainerRuntime, "container-runtime", s.ContainerRuntime, "The container runtime to use. Possible values: 'docker', 'remote'.")
fs.StringVar(&s.RuntimeCgroups, "runtime-cgroups", s.RuntimeCgroups, "Optional absolute name of cgroups to create and run the runtime in.") fs.StringVar(&s.RuntimeCgroups, "runtime-cgroups", s.RuntimeCgroups, "Optional absolute name of cgroups to create and run the runtime in.")
fs.BoolVar(&s.RedirectContainerStreaming, "redirect-container-streaming", s.RedirectContainerStreaming, "Enables container streaming redirect. If false, kubelet will proxy container streaming data between apiserver and container runtime; if true, kubelet will return an http redirect to apiserver, and apiserver will access container runtime directly. The proxy approach is more secure, but introduces some overhead. The redirect approach is more performant, but less secure because the connection between apiserver and container runtime may not be authenticated.") _ = fs.Bool("redirect-container-streaming", false, "[REMOVED]") // TODO: Delete in v1.22
fs.MarkDeprecated("redirect-container-streaming", "Container streaming redirection will be removed from the kubelet in v1.20, and this flag will be removed in v1.22. For more details, see http://git.k8s.io/enhancements/keps/sig-node/20191205-container-streaming-requests.md") fs.MarkDeprecated("redirect-container-streaming", "Container streaming redirection has been removed from the kubelet as of v1.20, and this flag will be removed in v1.22. For more details, see http://git.k8s.io/enhancements/keps/sig-node/20191205-container-streaming-requests.md")
// Docker-specific settings. // Docker-specific settings.
fs.StringVar(&s.DockershimRootDirectory, "experimental-dockershim-root-directory", s.DockershimRootDirectory, "Path to the dockershim root directory.") fs.StringVar(&s.DockershimRootDirectory, "experimental-dockershim-root-directory", s.DockershimRootDirectory, "Path to the dockershim root directory.")

28
pkg/kubelet/dockershim/docker_service.go
View File

@ -192,7 +192,7 @@ func NewDockerClientFromConfig(config *ClientConfig) libdocker.Interface {
// NewDockerService creates a new `DockerService` struct. // NewDockerService creates a new `DockerService` struct.
// NOTE: Anything passed to DockerService should be eventually handled in another way when we switch to running the shim as a different process. // NOTE: Anything passed to DockerService should be eventually handled in another way when we switch to running the shim as a different process.
func NewDockerService(config *ClientConfig, podSandboxImage string, streamingConfig *streaming.Config, pluginSettings *NetworkPluginSettings, func NewDockerService(config *ClientConfig, podSandboxImage string, streamingConfig *streaming.Config, pluginSettings *NetworkPluginSettings,
cgroupsName string, kubeCgroupDriver string, dockershimRootDir string, startLocalStreamingServer bool) (DockerService, error) { cgroupsName string, kubeCgroupDriver string, dockershimRootDir string) (DockerService, error) {
client := NewDockerClientFromConfig(config) client := NewDockerClientFromConfig(config)
@ -211,11 +211,10 @@ func NewDockerService(config *ClientConfig, podSandboxImage string, streamingCon
client: client, client: client,
execHandler: &NativeExecHandler{}, execHandler: &NativeExecHandler{},
}, },
containerManager: cm.NewContainerManager(cgroupsName, client), containerManager: cm.NewContainerManager(cgroupsName, client),
checkpointManager: checkpointManager, checkpointManager: checkpointManager,
startLocalStreamingServer: startLocalStreamingServer, networkReady: make(map[string]bool),
networkReady: make(map[string]bool), containerCleanupInfos: make(map[string]*containerCleanupInfo),
containerCleanupInfos: make(map[string]*containerCleanupInfo),
} }
// check docker version compatibility. // check docker version compatibility.
@ -307,9 +306,6 @@ type dockerService struct {
// version checking for some operations. Use this cache to avoid querying // version checking for some operations. Use this cache to avoid querying
// the docker daemon every time we need to do such checks. // the docker daemon every time we need to do such checks.
versionCache *cache.ObjectCache versionCache *cache.ObjectCache
// startLocalStreamingServer indicates whether dockershim should start a
// streaming server on localhost.
startLocalStreamingServer bool
// containerCleanupInfos maps container IDs to the `containerCleanupInfo` structs // containerCleanupInfos maps container IDs to the `containerCleanupInfo` structs
// needed to clean up after containers have been removed. // needed to clean up after containers have been removed.
@ -409,14 +405,12 @@ func (ds *dockerService) GetPodPortMappings(podSandboxID string) ([]*hostport.Po
func (ds *dockerService) Start() error { func (ds *dockerService) Start() error {
ds.initCleanup() ds.initCleanup()
// Initialize the legacy cleanup flag. go func() {
if ds.startLocalStreamingServer { if err := ds.streamingServer.Start(true); err != nil {
go func() { klog.Fatalf("Streaming server stopped unexpectedly: %v", err)
if err := ds.streamingServer.Start(true); err != nil { }
klog.Fatalf("Streaming server stopped unexpectedly: %v", err) }()
}
}()
}
return ds.containerManager.Start() return ds.containerManager.Start()
} }

24
pkg/kubelet/kubelet.go
View File

@ -22,7 +22,6 @@ import (
"math" "math"
"net" "net"
"net/http" "net/http"
"net/url"
"os" "os"
"path" "path"
sysruntime "runtime" sysruntime "runtime"
@ -228,7 +227,6 @@ type Dependencies struct {
KubeletConfigController *kubeletconfig.Controller KubeletConfigController *kubeletconfig.Controller
RemoteRuntimeService internalapi.RuntimeService RemoteRuntimeService internalapi.RuntimeService
RemoteImageService internalapi.ImageManagerService RemoteImageService internalapi.ImageManagerService
criHandler http.Handler
dockerLegacyService legacy.DockerLegacyService dockerLegacyService legacy.DockerLegacyService
// remove it after cadvisor.UsingLegacyCadvisorStats dropped. // remove it after cadvisor.UsingLegacyCadvisorStats dropped.
useLegacyCadvisorStats bool useLegacyCadvisorStats bool
@ -503,7 +501,6 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
daemonEndpoints: daemonEndpoints, daemonEndpoints: daemonEndpoints,
containerManager: kubeDeps.ContainerManager, containerManager: kubeDeps.ContainerManager,
containerRuntimeName: containerRuntime, containerRuntimeName: containerRuntime,
redirectContainerStreaming: crOptions.RedirectContainerStreaming,
nodeIPs: nodeIPs, nodeIPs: nodeIPs,
nodeIPValidator: validateNodeIP, nodeIPValidator: validateNodeIP,
clock: clock.RealClock{}, clock: clock.RealClock{},
@ -567,7 +564,6 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
klet.resourceAnalyzer = serverstats.NewResourceAnalyzer(klet, kubeCfg.VolumeStatsAggPeriod.Duration) klet.resourceAnalyzer = serverstats.NewResourceAnalyzer(klet, kubeCfg.VolumeStatsAggPeriod.Duration)
klet.dockerLegacyService = kubeDeps.dockerLegacyService klet.dockerLegacyService = kubeDeps.dockerLegacyService
klet.criHandler = kubeDeps.criHandler
klet.runtimeService = kubeDeps.RemoteRuntimeService klet.runtimeService = kubeDeps.RemoteRuntimeService
if utilfeature.DefaultFeatureGate.Enabled(features.RuntimeClass) && kubeDeps.KubeClient != nil { if utilfeature.DefaultFeatureGate.Enabled(features.RuntimeClass) && kubeDeps.KubeClient != nil {
@ -942,9 +938,6 @@ type Kubelet struct {
// The name of the container runtime // The name of the container runtime
containerRuntimeName string containerRuntimeName string
// redirectContainerStreaming enables container streaming redirect.
redirectContainerStreaming bool
// Container runtime. // Container runtime.
containerRuntime kubecontainer.Runtime containerRuntime kubecontainer.Runtime
@ -1112,9 +1105,6 @@ type Kubelet struct {
// The AppArmor validator for checking whether AppArmor is supported. // The AppArmor validator for checking whether AppArmor is supported.
appArmorValidator apparmor.Validator appArmorValidator apparmor.Validator
// The handler serving CRI streaming calls (exec/attach/port-forward).
criHandler http.Handler
// experimentalHostUserNamespaceDefaulting sets userns=true when users request host namespaces (pid, ipc, net), // experimentalHostUserNamespaceDefaulting sets userns=true when users request host namespaces (pid, ipc, net),
// are using non-namespaced capabilities (mknod, sys_time, sys_module), the pod contains a privileged container, // are using non-namespaced capabilities (mknod, sys_time, sys_module), the pod contains a privileged container,
// or using host path volumes. // or using host path volumes.
@ -2188,7 +2178,7 @@ func (kl *Kubelet) ResyncInterval() time.Duration {
// ListenAndServe runs the kubelet HTTP server. // ListenAndServe runs the kubelet HTTP server.
func (kl *Kubelet) ListenAndServe(address net.IP, port uint, tlsOptions *server.TLSOptions, auth server.AuthInterface, enableCAdvisorJSONEndpoints, enableDebuggingHandlers, enableContentionProfiling, enableSystemLogHandler bool) { func (kl *Kubelet) ListenAndServe(address net.IP, port uint, tlsOptions *server.TLSOptions, auth server.AuthInterface, enableCAdvisorJSONEndpoints, enableDebuggingHandlers, enableContentionProfiling, enableSystemLogHandler bool) {
server.ListenAndServeKubeletServer(kl, kl.resourceAnalyzer, address, port, tlsOptions, auth, enableCAdvisorJSONEndpoints, enableDebuggingHandlers, enableContentionProfiling, kl.redirectContainerStreaming, enableSystemLogHandler, kl.criHandler) server.ListenAndServeKubeletServer(kl, kl.resourceAnalyzer, address, port, tlsOptions, auth, enableCAdvisorJSONEndpoints, enableDebuggingHandlers, enableContentionProfiling, enableSystemLogHandler)
} }
// ListenAndServeReadOnly runs the kubelet HTTP server in read-only mode. // ListenAndServeReadOnly runs the kubelet HTTP server in read-only mode.
@ -2270,16 +2260,6 @@ func getStreamingConfig(kubeCfg *kubeletconfiginternal.KubeletConfiguration, kub
SupportedRemoteCommandProtocols: streaming.DefaultConfig.SupportedRemoteCommandProtocols, SupportedRemoteCommandProtocols: streaming.DefaultConfig.SupportedRemoteCommandProtocols,
SupportedPortForwardProtocols: streaming.DefaultConfig.SupportedPortForwardProtocols, SupportedPortForwardProtocols: streaming.DefaultConfig.SupportedPortForwardProtocols,
} }
if !crOptions.RedirectContainerStreaming { config.Addr = net.JoinHostPort("localhost", "0")
config.Addr = net.JoinHostPort("localhost", "0")
} else {
// Use a relative redirect (no scheme or host).
config.BaseURL = &url.URL{
Path: "/cri/",
}
if kubeDeps.TLSOptions != nil {
config.TLSConfig = kubeDeps.TLSOptions.Config
}
}
return config return config
} }

5
pkg/kubelet/kubelet_dockershim.go
View File

@ -52,13 +52,10 @@ func runDockershim(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
ImagePullProgressDeadline: kubeDeps.DockerOptions.ImagePullProgressDeadline, ImagePullProgressDeadline: kubeDeps.DockerOptions.ImagePullProgressDeadline,
} }
ds, err := dockershim.NewDockerService(dockerClientConfig, crOptions.PodSandboxImage, streamingConfig, ds, err := dockershim.NewDockerService(dockerClientConfig, crOptions.PodSandboxImage, streamingConfig,
&pluginSettings, runtimeCgroups, kubeCfg.CgroupDriver, crOptions.DockershimRootDirectory, !crOptions.RedirectContainerStreaming) &pluginSettings, runtimeCgroups, kubeCfg.CgroupDriver, crOptions.DockershimRootDirectory)
if err != nil { if err != nil {
return err return err
} }
if crOptions.RedirectContainerStreaming {
kubeDeps.criHandler = ds
}
// The unix socket for kubelet <-> dockershim communication, dockershim start before runtime service init. // The unix socket for kubelet <-> dockershim communication, dockershim start before runtime service init.
klog.V(5).Infof("RemoteRuntimeEndpoint: %q, RemoteImageEndpoint: %q", klog.V(5).Infof("RemoteRuntimeEndpoint: %q, RemoteImageEndpoint: %q",

1
pkg/kubelet/server/BUILD
View File

@ -89,7 +89,6 @@ go_test(
"//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library", "//staging/src/k8s.io/apiserver/pkg/authentication/user:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library", "//staging/src/k8s.io/apiserver/pkg/authorization/authorizer:go_default_library",
"//staging/src/k8s.io/client-go/tools/remotecommand:go_default_library", "//staging/src/k8s.io/client-go/tools/remotecommand:go_default_library",
"//staging/src/k8s.io/client-go/util/testing:go_default_library",
"//staging/src/k8s.io/cri-api/pkg/apis/runtime/v1alpha2:go_default_library", "//staging/src/k8s.io/cri-api/pkg/apis/runtime/v1alpha2:go_default_library",
"//staging/src/k8s.io/kubelet/pkg/apis/stats/v1alpha1:go_default_library", "//staging/src/k8s.io/kubelet/pkg/apis/stats/v1alpha1:go_default_library",
"//vendor/github.com/google/cadvisor/info/v1:go_default_library", "//vendor/github.com/google/cadvisor/info/v1:go_default_library",

6
pkg/kubelet/server/auth_test.go
View File

@ -112,10 +112,8 @@ func AuthzTestCases() []AuthzTestCase {
"/attach/{podNamespace}/{podID}/{uid}/{containerName}": "proxy", "/attach/{podNamespace}/{podID}/{uid}/{containerName}": "proxy",
"/configz": "proxy", "/configz": "proxy",
"/containerLogs/{podNamespace}/{podID}/{containerName}": "proxy", "/containerLogs/{podNamespace}/{podID}/{containerName}": "proxy",
"/cri/": "proxy", "/debug/flags/v": "proxy",
"/cri/foo": "proxy", "/debug/pprof/{subpath:*}": "proxy",
"/debug/flags/v": "proxy",
"/debug/pprof/{subpath:*}": "proxy",
"/exec/{podNamespace}/{podID}/{containerName}": "proxy", "/exec/{podNamespace}/{podID}/{containerName}": "proxy",
"/exec/{podNamespace}/{podID}/{uid}/{containerName}": "proxy", "/exec/{podNamespace}/{podID}/{uid}/{containerName}": "proxy",
"/healthz": "proxy", "/healthz": "proxy",

61
pkg/kubelet/server/server.go
View File

@ -41,7 +41,7 @@ import (
"k8s.io/kubernetes/pkg/kubelet/metrics/collectors" "k8s.io/kubernetes/pkg/kubelet/metrics/collectors"
"k8s.io/utils/clock" "k8s.io/utils/clock"
"k8s.io/api/core/v1" v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/runtime/schema"
@ -89,13 +89,12 @@ const (
// Server is a http.Handler which exposes kubelet functionality over HTTP. // Server is a http.Handler which exposes kubelet functionality over HTTP.
type Server struct { type Server struct {
auth AuthInterface auth AuthInterface
host HostInterface host HostInterface
restfulCont containerInterface restfulCont containerInterface
metricsBuckets sets.String metricsBuckets sets.String
metricsMethodBuckets sets.String metricsMethodBuckets sets.String
resourceAnalyzer stats.ResourceAnalyzer resourceAnalyzer stats.ResourceAnalyzer
redirectContainerStreaming bool
} }
// TLSOptions holds the TLS options. // TLSOptions holds the TLS options.
@ -144,11 +143,9 @@ func ListenAndServeKubeletServer(
enableCAdvisorJSONEndpoints, enableCAdvisorJSONEndpoints,
enableDebuggingHandlers, enableDebuggingHandlers,
enableContentionProfiling, enableContentionProfiling,
redirectContainerStreaming, enableSystemLogHandler bool) {
enableSystemLogHandler bool,
criHandler http.Handler) {
klog.Infof("Starting to listen on %s:%d", address, port) klog.Infof("Starting to listen on %s:%d", address, port)
handler := NewServer(host, resourceAnalyzer, auth, enableCAdvisorJSONEndpoints, enableDebuggingHandlers, enableContentionProfiling, redirectContainerStreaming, enableSystemLogHandler, criHandler) handler := NewServer(host, resourceAnalyzer, auth, enableCAdvisorJSONEndpoints, enableDebuggingHandlers, enableContentionProfiling, enableSystemLogHandler)
s := &http.Server{ s := &http.Server{
Addr: net.JoinHostPort(address.String(), strconv.FormatUint(uint64(port), 10)), Addr: net.JoinHostPort(address.String(), strconv.FormatUint(uint64(port), 10)),
Handler: &handler, Handler: &handler,
@ -170,7 +167,7 @@ func ListenAndServeKubeletServer(
// ListenAndServeKubeletReadOnlyServer initializes a server to respond to HTTP network requests on the Kubelet. // ListenAndServeKubeletReadOnlyServer initializes a server to respond to HTTP network requests on the Kubelet.
func ListenAndServeKubeletReadOnlyServer(host HostInterface, resourceAnalyzer stats.ResourceAnalyzer, address net.IP, port uint, enableCAdvisorJSONEndpoints bool) { func ListenAndServeKubeletReadOnlyServer(host HostInterface, resourceAnalyzer stats.ResourceAnalyzer, address net.IP, port uint, enableCAdvisorJSONEndpoints bool) {
klog.V(1).Infof("Starting to listen read-only on %s:%d", address, port) klog.V(1).Infof("Starting to listen read-only on %s:%d", address, port)
s := NewServer(host, resourceAnalyzer, nil, enableCAdvisorJSONEndpoints, false, false, false, false, nil) s := NewServer(host, resourceAnalyzer, nil, enableCAdvisorJSONEndpoints, false, false, false)
server := &http.Server{ server := &http.Server{
Addr: net.JoinHostPort(address.String(), strconv.FormatUint(uint64(port), 10)), Addr: net.JoinHostPort(address.String(), strconv.FormatUint(uint64(port), 10)),
@ -224,24 +221,21 @@ func NewServer(
enableCAdvisorJSONEndpoints, enableCAdvisorJSONEndpoints,
enableDebuggingHandlers, enableDebuggingHandlers,
enableContentionProfiling, enableContentionProfiling,
redirectContainerStreaming, enableSystemLogHandler bool) Server {
enableSystemLogHandler bool,
criHandler http.Handler) Server {
server := Server{ server := Server{
host: host, host: host,
resourceAnalyzer: resourceAnalyzer, resourceAnalyzer: resourceAnalyzer,
auth: auth, auth: auth,
restfulCont: &filteringContainer{Container: restful.NewContainer()}, restfulCont: &filteringContainer{Container: restful.NewContainer()},
metricsBuckets: sets.NewString(), metricsBuckets: sets.NewString(),
metricsMethodBuckets: sets.NewString("OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"), metricsMethodBuckets: sets.NewString("OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "CONNECT"),
redirectContainerStreaming: redirectContainerStreaming,
} }
if auth != nil { if auth != nil {
server.InstallAuthFilter() server.InstallAuthFilter()
} }
server.InstallDefaultHandlers(enableCAdvisorJSONEndpoints) server.InstallDefaultHandlers(enableCAdvisorJSONEndpoints)
if enableDebuggingHandlers { if enableDebuggingHandlers {
server.InstallDebuggingHandlers(criHandler) server.InstallDebuggingHandlers()
// To maintain backward compatibility serve logs only when enableDebuggingHandlers is also enabled // To maintain backward compatibility serve logs only when enableDebuggingHandlers is also enabled
// see https://github.com/kubernetes/kubernetes/pull/87273 // see https://github.com/kubernetes/kubernetes/pull/87273
server.InstallSystemLogHandler(enableSystemLogHandler) server.InstallSystemLogHandler(enableSystemLogHandler)
@ -409,7 +403,7 @@ func (s *Server) InstallDefaultHandlers(enableCAdvisorJSONEndpoints bool) {
const pprofBasePath = "/debug/pprof/" const pprofBasePath = "/debug/pprof/"
// InstallDebuggingHandlers registers the HTTP request patterns that serve logs or run commands/containers // InstallDebuggingHandlers registers the HTTP request patterns that serve logs or run commands/containers
func (s *Server) InstallDebuggingHandlers(criHandler http.Handler) { func (s *Server) InstallDebuggingHandlers() {
klog.Infof("Adding debug handlers to kubelet server.") klog.Infof("Adding debug handlers to kubelet server.")
s.addMetricsBucketMatcher("run") s.addMetricsBucketMatcher("run")
@ -527,11 +521,6 @@ func (s *Server) InstallDebuggingHandlers(criHandler http.Handler) {
To(s.getRunningPods). To(s.getRunningPods).
Operation("getRunningPods")) Operation("getRunningPods"))
s.restfulCont.Add(ws) s.restfulCont.Add(ws)
s.addMetricsBucketMatcher("cri")
if criHandler != nil {
s.restfulCont.Handle("/cri/", criHandler)
}
} }
// InstallDebuggingDisabledHandlers registers the HTTP request patterns that provide better error message // InstallDebuggingDisabledHandlers registers the HTTP request patterns that provide better error message
@ -785,10 +774,6 @@ func (s *Server) getAttach(request *restful.Request, response *restful.Response)
return return
} }
if s.redirectContainerStreaming {
http.Redirect(response.ResponseWriter, request.Request, url.String(), http.StatusFound)
return
}
proxyStream(response.ResponseWriter, request.Request, url) proxyStream(response.ResponseWriter, request.Request, url)
} }
@ -813,10 +798,6 @@ func (s *Server) getExec(request *restful.Request, response *restful.Response) {
streaming.WriteError(err, response.ResponseWriter) streaming.WriteError(err, response.ResponseWriter)
return return
} }
if s.redirectContainerStreaming {
http.Redirect(response.ResponseWriter, request.Request, url.String(), http.StatusFound)
return
}
proxyStream(response.ResponseWriter, request.Request, url) proxyStream(response.ResponseWriter, request.Request, url)
} }
@ -879,10 +860,6 @@ func (s *Server) getPortForward(request *restful.Request, response *restful.Resp
streaming.WriteError(err, response.ResponseWriter) streaming.WriteError(err, response.ResponseWriter)
return return
} }
if s.redirectContainerStreaming {
http.Redirect(response.ResponseWriter, request.Request, url.String(), http.StatusFound)
return
}
proxyStream(response.ResponseWriter, request.Request, url) proxyStream(response.ResponseWriter, request.Request, url)
} }

82
pkg/kubelet/server/server_test.go
View File

@ -39,7 +39,7 @@ import (
cadvisorapiv2 "github.com/google/cadvisor/info/v2" cadvisorapiv2 "github.com/google/cadvisor/info/v2"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
"k8s.io/api/core/v1" v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/httpstream" "k8s.io/apimachinery/pkg/util/httpstream"
@ -48,7 +48,6 @@ import (
"k8s.io/apiserver/pkg/authentication/user" "k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/authorization/authorizer" "k8s.io/apiserver/pkg/authorization/authorizer"
"k8s.io/client-go/tools/remotecommand" "k8s.io/client-go/tools/remotecommand"
utiltesting "k8s.io/client-go/util/testing"
runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1alpha2" runtimeapi "k8s.io/cri-api/pkg/apis/runtime/v1alpha2"
statsapi "k8s.io/kubelet/pkg/apis/stats/v1alpha1" statsapi "k8s.io/kubelet/pkg/apis/stats/v1alpha1"
api "k8s.io/kubernetes/pkg/apis/core" api "k8s.io/kubernetes/pkg/apis/core"
@ -298,19 +297,17 @@ type serverTestFramework struct {
fakeKubelet *fakeKubelet fakeKubelet *fakeKubelet
fakeAuth *fakeAuth fakeAuth *fakeAuth
testHTTPServer *httptest.Server testHTTPServer *httptest.Server
criHandler *utiltesting.FakeHandler
} }
func newServerTest() *serverTestFramework { func newServerTest() *serverTestFramework {
return newServerTestWithDebug(true, false, nil) return newServerTestWithDebug(true, nil)
} }
func newServerTestWithDebug(enableDebugging, redirectContainerStreaming bool, streamingServer streaming.Server) *serverTestFramework { func newServerTestWithDebug(enableDebugging bool, streamingServer streaming.Server) *serverTestFramework {
return newServerTestWithDebuggingHandlers(enableDebugging, enableDebugging, redirectContainerStreaming, streamingServer) return newServerTestWithDebuggingHandlers(enableDebugging, enableDebugging, streamingServer)
} }
func newServerTestWithDebuggingHandlers(enableDebugging, enableSystemLogHandler, redirectContainerStreaming bool, func newServerTestWithDebuggingHandlers(enableDebugging, enableSystemLogHandler bool, streamingServer streaming.Server) *serverTestFramework {
streamingServer streaming.Server) *serverTestFramework {
fw := &serverTestFramework{} fw := &serverTestFramework{}
fw.fakeKubelet = &fakeKubelet{ fw.fakeKubelet = &fakeKubelet{
hostnameFunc: func() string { hostnameFunc: func() string {
@ -339,9 +336,6 @@ func newServerTestWithDebuggingHandlers(enableDebugging, enableSystemLogHandler,
return authorizer.DecisionAllow, "", nil return authorizer.DecisionAllow, "", nil
}, },
} }
fw.criHandler = &utiltesting.FakeHandler{
StatusCode: http.StatusOK,
}
server := NewServer( server := NewServer(
fw.fakeKubelet, fw.fakeKubelet,
stats.NewResourceAnalyzer(fw.fakeKubelet, time.Minute), stats.NewResourceAnalyzer(fw.fakeKubelet, time.Minute),
@ -349,9 +343,7 @@ func newServerTestWithDebuggingHandlers(enableDebugging, enableSystemLogHandler,
true, true,
enableDebugging, enableDebugging,
false, false,
redirectContainerStreaming, enableSystemLogHandler)
enableSystemLogHandler,
fw.criHandler)
fw.serverUnderTest = &server fw.serverUnderTest = &server
fw.testHTTPServer = httptest.NewServer(fw.serverUnderTest) fw.testHTTPServer = httptest.NewServer(fw.serverUnderTest)
return fw return fw
@ -1036,7 +1028,7 @@ func TestServeExecInContainerIdleTimeout(t *testing.T) {
ss, err := newTestStreamingServer(100 * time.Millisecond) ss, err := newTestStreamingServer(100 * time.Millisecond)
require.NoError(t, err) require.NoError(t, err)
defer ss.testHTTPServer.Close() defer ss.testHTTPServer.Close()
fw := newServerTestWithDebug(true, false, ss) fw := newServerTestWithDebug(true, ss)
defer fw.testHTTPServer.Close() defer fw.testHTTPServer.Close()
podNamespace := "other" podNamespace := "other"
@ -1077,7 +1069,6 @@ func testExecAttach(t *testing.T, verb string) {
tty bool tty bool
responseStatusCode int responseStatusCode int
uid bool uid bool
redirect bool
}{ }{
"no input or output": {responseStatusCode: http.StatusBadRequest}, "no input or output": {responseStatusCode: http.StatusBadRequest},
"stdin": {stdin: true, responseStatusCode: http.StatusSwitchingProtocols}, "stdin": {stdin: true, responseStatusCode: http.StatusSwitchingProtocols},
@ -1086,7 +1077,6 @@ func testExecAttach(t *testing.T, verb string) {
"stdout and stderr": {stdout: true, stderr: true, responseStatusCode: http.StatusSwitchingProtocols}, "stdout and stderr": {stdout: true, stderr: true, responseStatusCode: http.StatusSwitchingProtocols},
"stdin stdout and stderr": {stdin: true, stdout: true, stderr: true, responseStatusCode: http.StatusSwitchingProtocols}, "stdin stdout and stderr": {stdin: true, stdout: true, stderr: true, responseStatusCode: http.StatusSwitchingProtocols},
"stdin stdout stderr with uid": {stdin: true, stdout: true, stderr: true, responseStatusCode: http.StatusSwitchingProtocols, uid: true}, "stdin stdout stderr with uid": {stdin: true, stdout: true, stderr: true, responseStatusCode: http.StatusSwitchingProtocols, uid: true},
"stdout with redirect": {stdout: true, responseStatusCode: http.StatusFound, redirect: true},
} }
for desc := range tests { for desc := range tests {
@ -1095,7 +1085,7 @@ func testExecAttach(t *testing.T, verb string) {
ss, err := newTestStreamingServer(0) ss, err := newTestStreamingServer(0)
require.NoError(t, err) require.NoError(t, err)
defer ss.testHTTPServer.Close() defer ss.testHTTPServer.Close()
fw := newServerTestWithDebug(true, test.redirect, ss) fw := newServerTestWithDebug(true, ss)
defer fw.testHTTPServer.Close() defer fw.testHTTPServer.Close()
fmt.Println(desc) fmt.Println(desc)
@ -1203,16 +1193,8 @@ func testExecAttach(t *testing.T, verb string) {
upgradeRoundTripper httpstream.UpgradeRoundTripper upgradeRoundTripper httpstream.UpgradeRoundTripper
c *http.Client c *http.Client
) )
if test.redirect { upgradeRoundTripper = spdy.NewRoundTripper(nil, true, true)
c = &http.Client{} c = &http.Client{Transport: upgradeRoundTripper}
// Don't follow redirects, since we want to inspect the redirect response.
c.CheckRedirect = func(*http.Request, []*http.Request) error {
return http.ErrUseLastResponse
}
} else {
upgradeRoundTripper = spdy.NewRoundTripper(nil, true, true)
c = &http.Client{Transport: upgradeRoundTripper}
}
resp, err = c.Do(makeReq(t, "POST", url, "v4.channel.k8s.io")) resp, err = c.Do(makeReq(t, "POST", url, "v4.channel.k8s.io"))
require.NoError(t, err, "POSTing") require.NoError(t, err, "POSTing")
@ -1299,7 +1281,7 @@ func TestServePortForwardIdleTimeout(t *testing.T) {
ss, err := newTestStreamingServer(100 * time.Millisecond) ss, err := newTestStreamingServer(100 * time.Millisecond)
require.NoError(t, err) require.NoError(t, err)
defer ss.testHTTPServer.Close() defer ss.testHTTPServer.Close()
fw := newServerTestWithDebug(true, false, ss) fw := newServerTestWithDebug(true, ss)
defer fw.testHTTPServer.Close() defer fw.testHTTPServer.Close()
podNamespace := "other" podNamespace := "other"
@ -1335,7 +1317,6 @@ func TestServePortForward(t *testing.T) {
uid bool uid bool
clientData string clientData string
containerData string containerData string
redirect bool
shouldError bool shouldError bool
}{ }{
"no port": {port: "", shouldError: true}, "no port": {port: "", shouldError: true},
@ -1348,7 +1329,6 @@ func TestServePortForward(t *testing.T) {
"normal port with data forward": {port: "8000", clientData: "client data", containerData: "container data", shouldError: false}, "normal port with data forward": {port: "8000", clientData: "client data", containerData: "container data", shouldError: false},
"max port": {port: "65535", shouldError: false}, "max port": {port: "65535", shouldError: false},
"normal port with uid": {port: "8000", uid: true, shouldError: false}, "normal port with uid": {port: "8000", uid: true, shouldError: false},
"normal port with redirect": {port: "8000", redirect: true, shouldError: false},
} }
podNamespace := "other" podNamespace := "other"
@ -1360,7 +1340,7 @@ func TestServePortForward(t *testing.T) {
ss, err := newTestStreamingServer(0) ss, err := newTestStreamingServer(0)
require.NoError(t, err) require.NoError(t, err)
defer ss.testHTTPServer.Close() defer ss.testHTTPServer.Close()
fw := newServerTestWithDebug(true, test.redirect, ss) fw := newServerTestWithDebug(true, ss)
defer fw.testHTTPServer.Close() defer fw.testHTTPServer.Close()
portForwardFuncDone := make(chan struct{}) portForwardFuncDone := make(chan struct{})
@ -1408,26 +1388,14 @@ func TestServePortForward(t *testing.T) {
c *http.Client c *http.Client
) )
if test.redirect { upgradeRoundTripper = spdy.NewRoundTripper(nil, true, true)
c = &http.Client{} c = &http.Client{Transport: upgradeRoundTripper}
// Don't follow redirects, since we want to inspect the redirect response.
c.CheckRedirect = func(*http.Request, []*http.Request) error {
return http.ErrUseLastResponse
}
} else {
upgradeRoundTripper = spdy.NewRoundTripper(nil, true, true)
c = &http.Client{Transport: upgradeRoundTripper}
}
req := makeReq(t, "POST", url, "portforward.k8s.io") req := makeReq(t, "POST", url, "portforward.k8s.io")
resp, err := c.Do(req) resp, err := c.Do(req)
require.NoError(t, err, "POSTing") require.NoError(t, err, "POSTing")
defer resp.Body.Close() defer resp.Body.Close()
if test.redirect {
assert.Equal(t, http.StatusFound, resp.StatusCode, "status code")
return
}
assert.Equal(t, http.StatusSwitchingProtocols, resp.StatusCode, "status code") assert.Equal(t, http.StatusSwitchingProtocols, resp.StatusCode, "status code")
conn, err := upgradeRoundTripper.NewConnection(resp) conn, err := upgradeRoundTripper.NewConnection(resp)
@ -1466,22 +1434,6 @@ func TestServePortForward(t *testing.T) {
} }
} }
func TestCRIHandler(t *testing.T) {
fw := newServerTest()
defer fw.testHTTPServer.Close()
const (
path = "/cri/exec/123456abcdef"
query = "cmd=echo+foo"
)
resp, err := http.Get(fw.testHTTPServer.URL + path + "?" + query)
require.NoError(t, err)
assert.Equal(t, http.StatusOK, resp.StatusCode)
assert.Equal(t, "GET", fw.criHandler.RequestReceived.Method)
assert.Equal(t, path, fw.criHandler.RequestReceived.URL.Path)
assert.Equal(t, query, fw.criHandler.RequestReceived.URL.RawQuery)
}
func TestMetricBuckets(t *testing.T) { func TestMetricBuckets(t *testing.T) {
tests := map[string]struct { tests := map[string]struct {
url string url string
@ -1492,8 +1444,6 @@ func TestMetricBuckets(t *testing.T) {
"attach with uid": {url: "/attach/podNamespace/podID/uid/containerName", bucket: "attach"}, "attach with uid": {url: "/attach/podNamespace/podID/uid/containerName", bucket: "attach"},
"configz": {url: "/configz", bucket: "configz"}, "configz": {url: "/configz", bucket: "configz"},
"containerLogs": {url: "/containerLogs/podNamespace/podID/containerName", bucket: "containerLogs"}, "containerLogs": {url: "/containerLogs/podNamespace/podID/containerName", bucket: "containerLogs"},
"cri": {url: "/cri/", bucket: "cri"},
"cri with sub": {url: "/cri/foo", bucket: "cri"},
"debug v flags": {url: "/debug/flags/v", bucket: "debug"}, "debug v flags": {url: "/debug/flags/v", bucket: "debug"},
"pprof with sub": {url: "/debug/pprof/subpath", bucket: "debug"}, "pprof with sub": {url: "/debug/pprof/subpath", bucket: "debug"},
"exec": {url: "/exec/podNamespace/podID/containerName", bucket: "exec"}, "exec": {url: "/exec/podNamespace/podID/containerName", bucket: "exec"},
@ -1556,7 +1506,7 @@ func TestMetricMethodBuckets(t *testing.T) {
func TestDebuggingDisabledHandlers(t *testing.T) { func TestDebuggingDisabledHandlers(t *testing.T) {
// for backward compatibility even if enablesystemLogHandler is set but not enableDebuggingHandler then /logs // for backward compatibility even if enablesystemLogHandler is set but not enableDebuggingHandler then /logs
//shouldn't be served. //shouldn't be served.
fw := newServerTestWithDebuggingHandlers(false, true, false, nil) fw := newServerTestWithDebuggingHandlers(false, true, nil)
defer fw.testHTTPServer.Close() defer fw.testHTTPServer.Close()
paths := []string{ paths := []string{
@ -1600,7 +1550,7 @@ func TestDebuggingDisabledHandlers(t *testing.T) {
} }
func TestDisablingSystemLogHandler(t *testing.T) { func TestDisablingSystemLogHandler(t *testing.T) {
fw := newServerTestWithDebuggingHandlers(true, false, false, nil) fw := newServerTestWithDebuggingHandlers(true, false, nil)
defer fw.testHTTPServer.Close() defer fw.testHTTPServer.Close()
// verify logs endpoint is disabled // verify logs endpoint is disabled

4
pkg/kubelet/server/server_websocket_test.go
View File

@ -66,7 +66,7 @@ func TestServeWSPortForward(t *testing.T) {
ss, err := newTestStreamingServer(0) ss, err := newTestStreamingServer(0)
require.NoError(t, err) require.NoError(t, err)
defer ss.testHTTPServer.Close() defer ss.testHTTPServer.Close()
fw := newServerTestWithDebug(true, false, ss) fw := newServerTestWithDebug(true, ss)
defer fw.testHTTPServer.Close() defer fw.testHTTPServer.Close()
portForwardFuncDone := make(chan struct{}) portForwardFuncDone := make(chan struct{})
@ -158,7 +158,7 @@ func TestServeWSMultiplePortForward(t *testing.T) {
ss, err := newTestStreamingServer(0) ss, err := newTestStreamingServer(0)
require.NoError(t, err) require.NoError(t, err)
defer ss.testHTTPServer.Close() defer ss.testHTTPServer.Close()
fw := newServerTestWithDebug(true, false, ss) fw := newServerTestWithDebug(true, ss)
defer fw.testHTTPServer.Close() defer fw.testHTTPServer.Close()
portForwardWG := sync.WaitGroup{} portForwardWG := sync.WaitGroup{}