Closed snstaberah closed 2 years ago
> I found that the exchanger cannot receive MY-EXTRA-HEADER from the httprequest in exchanger ProxyConnect func;

Please try clusternet-MY-EXTRA-HEADER.
I just can't find where the filter for the clusternet header is. Is this set in clusternet-hub? Or does the apiserver impersonate mechanism originally work like this?
> I just can't find where the filter for the clusternet header is. Is this set in clusternet-hub? Or does the apiserver impersonate mechanism originally work like this?

Yes. We did a trick to keep clusternet headers. By default all the headers will be deleted from the http.Request objects after authentication.
> By default all the headers will be deleted from the http.Request objects after authentication.

But in my test, a header set in http.request without Impersonate-Extra- can pass to exchanger.ProxyConnect; only headers set as impersonate-extra will be filtered by the clusternet prefix.
I have read kubernetes-1.23.8\staging\src\k8s.io\apiserver\pkg\endpoints\filters\impersonation.go func WithImpersonation(); it changes the header from impersonate-extra to user-extra, but there seems to be no special delete for the user-extra subresource.
I think it may have happened in the conversion from user-extra to x-remote-extra; is that right? Can you give me some hint about the clusternet trick? :)
The requirement is: I need to access not only the apiserver but also some applications in clusternet-managed Kubernetes clusters, without direct network access, so the request needs to pass through clusternet-hub. Some applications need to set their own headers in the request, so I'm trying to find a general method to let users set those headers, for example Jenkins.
I think this is a common requirement; if we can find a good way, maybe I can make a PR to enhance clusternet's ability to access apps in agent-managed clusters.
> The requirement is: I need to access not only the apiserver but also some applications in clusternet-managed Kubernetes clusters, without direct network access, so the request needs to pass through clusternet-hub. Some applications need to set their own headers in the request, so I'm trying to find a general method to let users set those headers, for example Jenkins.

You can add clusternet as prefixes for all extra headers. Then you can pass down all those headers to child clusters and applications running out there.
> I have read kubernetes-1.23.8\staging\src\k8s.io\apiserver\pkg\endpoints\filters\impersonation.go func WithImpersonation()

Actually this has nothing to do with impersonation.
> You can add clusternet as prefixes for all extra headers. Then you can pass down all those headers to child clusters and applications running out there.

But this will mix clusternet system header logic with app header logic. I think adding another header prefix for custom headers and handling those in a special func would be better, for example "application" or "custom"; so the question actually is how to add a customized prefix?
> Actually this has nothing to do with impersonation.

So this trick is about apiserver authentication to the aggregated apiserver?
> But this will mix clusternet system header logic with app header logic. I think adding another header prefix for custom headers and handling those in a special func would be better, for example "application" or "custom"; so the question actually is how to add a customized prefix?

Currently clusternet only cares about a few known headers, such as clusternet-token. For your case, I think you can add clusternet-app- or clusternet-extra- as prefixes. That won't be a problem.
> So this trick is about apiserver authentication to the aggregated apiserver?

Yes, you're right. By default, after authentication, the extra headers are removed.
I found the trick here :)
This confused me for several days. So clusternet needs customized apiserver code to build its own apiserver.
Thanks for the hint.
When I add an extra header in an http request to the clusternet proxy (the clusterrole rule is already added before), such as
I found that the exchanger cannot receive MY-EXTRA-HEADER from the httprequest in exchanger ProxyConnect func;
but if I add a prefix "clusternet" before my header, the httprequest in exchanger ProxyConnect func can receive it and works well.
I wonder why only http headers with the "clusternet" prefix can pass to exchanger.ProxyConnect? Could somebody please explain the reason to me?
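
The behaviour discussed in this thread, modelled as an added Go example (not code from clusternet or Kubernetes): a request-header authenticator reads the X-Remote-* identity headers and clears them after authentication, except extras under a kept prefix. The function `authenticate` and its `keepPrefix` parameter are hypothetical, and the header names are the conventional front-proxy ones, assumed here.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Conventional front-proxy identity header names (assumed for this model).
const (
	userHeader  = "X-Remote-User"
	groupHeader = "X-Remote-Group"
	extraPrefix = "X-Remote-Extra-"
)

// authenticate models a request-header authenticator: it reads the identity
// headers, then clears them so later handlers cannot trust or replay them.
// keepPrefix (hypothetical) names the extras that survive the cleanup.
func authenticate(h http.Header, keepPrefix string) (string, map[string][]string) {
	user := h.Get(userHeader)
	extra := map[string][]string{}
	base := strings.ToLower(extraPrefix)
	keep := base + strings.ToLower(keepPrefix)
	for key, vals := range h {
		lower := strings.ToLower(key)
		if !strings.HasPrefix(lower, base) {
			continue // not an identity extra; left untouched
		}
		extra[lower[len(base):]] = vals
		if keepPrefix == "" || !strings.HasPrefix(lower, keep) {
			delete(h, key) // default: extras do not outlive authentication
		}
	}
	h.Del(userHeader)
	h.Del(groupHeader)
	return user, extra
}

func main() {
	// Constructed sample request as it would arrive from the front proxy.
	h := http.Header{}
	h.Set("X-Remote-User", "alice")
	h.Set("X-Remote-Extra-My-Extra-Header", "dropped")
	h.Set("X-Remote-Extra-Clusternet-App-Build", "kept")
	user, extra := authenticate(h, "clusternet-")
	fmt.Println(user, len(extra), h)
}
```

Any kept prefix widens what an authenticated caller can pass downstream, so a handler that forwards these extras to an application should still refuse names that collide with credentials or identity headers.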