userextras headers lost in exchanger.ProxyConnect

clusternet / clusternet

[CNCF Sandbox Project] Managing your Kubernetes clusters (including public, private, edge, etc.) as easily as visiting the Internet

https://clusternet.io

Apache License 2.0

1.36k stars 198 forks source link

userextras headers lost in exchanger.ProxyConnect #423

Closed snstaberah closed 2 years ago

snstaberah commented 2 years ago

when i add extra header in http request to clusternet proxy（clusterrole rule is already added before），such as

$ curl -k -XGET  -H "Accept: application/json" \
  -H "Impersonate-User: clusternet" \
  -H "Authorization: ${PARENTCLUSTERAUTH}" \
  -H "Impersonate-Extra-**MY-EXTRA-HEADER**: xxxxxx" \

i found that the exchanger can not receive MY-EXTRA-HEADER from the httprequest in exchanger ProxyConnect func；

but if i add a prefix “clusternet” before my header，the httprequest in exchanger ProxyConnect func can receive it and works well；

$ curl -k -XGET  -H "Accept: application/json" \
  -H "Impersonate-User: clusternet" \
  -H "Authorization: ${PARENTCLUSTERAUTH}" \
  -H "Impersonate-Extra-**clusternet-MY-EXTRA-HEADER**: xxxxxx" \

I wonder why only http header with “clusternet” prefix can pass to the exchanger.ProxyConnect？ could somebody please explain the reason to me？

dixudx commented 2 years ago

i found that the exchanger can not receive MY-EXTRA-HEADER from the httprequest in exchanger ProxyConnect func；

Please try clusternet-MY-EXTRA-HEADER.

snstaberah commented 2 years ago

i found that the exchanger can not receive MY-EXTRA-HEADER from the httprequest in exchanger ProxyConnect func；

Please try clusternet-MY-EXTRA-HEADER.

i just can‘t find where is the filter for clusternet header，is this setted in clusternet-hub ？ or apiserver impersonate mechanism originally works like this？

dixudx commented 2 years ago

i just can‘t find where is the filter for clusternet header，is this setted in clusternet-hub ？ or apiserver impersonate mechanism originally works like this？

Yes. We did a trick to keep clusternet headers. By default all the headers will be deleted from the http.Request objects after authentication.

snstaberah commented 2 years ago

By default all the headers will be deleted from the http.Request objects after authentication.

but in my test，header set in http.request without Impersonate-Extra- can pass to the exchanger.ProxyConnect，only headers setted as impersonate-extra will be filter by the clusternet prefix；

I have readed kubernetes-1.23.8\staging\src\k8s.io\apiserver\pkg\endpoints\filters\impersonation.go func WithImpersonation（），it changes header from impersonate-extra to user-extra，but it seems no special delete for user-extra subresource；

I think it maybe happened in conversion from user-extra to x-remote-extra；is it right？ can you give me some hint for the clusternet trick？：）

snstaberah commented 2 years ago

the requirement is，i need to access not only apiserver，but also some application in clusternet managed kubernetes，without direct access network，so the request need to pass through clusternet-hub； some application need to set their own header in the request，so I'm trying to find a general method to let user set those headers，for example jenkins；

I think this is a common requirement，if we can find a good way，maybe I can make a pr to enhance the clusternet ability to access apps in agent managed cluster；

dixudx commented 2 years ago

the requirement is，i need to access not only apiserver，but also some application in clusternet managed kubernetes，without direct access network，so the request need to pass through clusternet-hub； some application need to set their own header in the request，so I'm trying to find a general method to let user set those headers，for example jenkins；

You can add clusternet as prefixes for all extra headers. Then you can pass down all those headers to child clusters and applications running out there.

I have readed kubernetes-1.23.8\staging\src\k8s.io\apiserver\pkg\endpoints\filters\impersonation.go func WithImpersonation（）

Actually this has nothing to do with impersonation.

snstaberah commented 2 years ago

You can add clusternet as prefixes for all extra headers. Then you can pass down all those headers to child clusters and applications running out there

but this will mix clusternet system header logic with app header logic， I think add another header perfix for custom headers and handle those in a special func will be better， for example “application” or “custom ”； so the question actually is how to add a customize prefix？

Actually this has nothing to do with impersonation.

so this trick is about apiserver authentication to aggregate-apiserver？

dixudx commented 2 years ago

but this will mix clusternet system header logic with app header logic， I think add another header perfix for custom headers and handle those in a special func will be better， for example “application” or “custom ”； so the question actually is how to add a customize prefix？

Currently clusternet only cares about a few known headers, such as clusternet-token. For your case, I think you can add clusternet-app- or clusternet-extra- as prefixes. That wont' be a problem.

so this trick is about apiserver authentication to aggregate-apiserver？

Yes, you're right. By default, after authentication, the extra headers are removed.

snstaberah commented 2 years ago

I found the trick here ：）

this confused me several days，so clusternet need a customized apiserver code to build it's own apiserver；

thanks for the hint