kubernetes / k8s.io

Code and configuration to manage Kubernetes project infrastructure, including various *.k8s.io sites
https://git.k8s.io/community/sig-k8s-infra
Apache License 2.0

Improve the accessibility of k8s.io domains in China #325

Open idealhack opened 5 years ago

idealhack commented 5 years ago

This came up at Contributor Summit Shanghai in June, we then discussed it at the retro meeting and the sig-contribex APAC coordinator meeting.

Notes from the retro meeting:

While we use git.k8s.io and slack.k8s.io a lot across the community, they are not accessible in China. People need a VPN to contribute anyway, but this confuses newcomers. Also, lots of VPNs did not work in June. [idealhack]

k8s.io was an unexpected problem. [jberkus] You can't make it work even on some VPNs.

We were not able to sort the local VPN gateway issues for this event [jberkus]

So the important domains for contributors are git.k8s.io and slack.k8s.io, while others may be important to users.

Can you help with this? There are Google Cloud IPs that are not blocked, or maybe we could use a CDN to improve the accessibility globally.

/sig contributor-experience /priority important-longterm

cc @nikhita @jberkus

nikhita commented 5 years ago

cc @cblecker @spiffxp @dims

tao12345666333 commented 5 years ago

Maybe a reference case: https://github.com/helm/helm/issues/5663

thockin commented 4 years ago

Is the problem that IP blocks that exist in Google Cloud's customer space are blocked? Or is it that the things we redirect to are blocked?

idealhack commented 4 years ago

Take git.k8s.io, which redirects to github.com/kubernetes, as an example: it's Google Cloud that was blocked, not GitHub.

You can use https://www.17ce.com/site?lang=en_us to test what it's like when accessing a site in China.

thockin commented 4 years ago

Unfortunately, I can't read anything in that site :)

If all of Google Cloud IPs are blocked, we will have to run something somewhere that isn't. I don't think I see any other choice?

On Wed, Oct 23, 2019 at 9:53 PM Yang Li notifications@github.com wrote:

Take git.k8s.io, which redirects to github.com/kubernetes, as an example: it's Google Cloud that was blocked, not GitHub.

You can use https://www.17ce.com/site?lang=en_us to test what it's like when accessing a site in China.


idealhack commented 4 years ago

Hmm, sorry, I was thinking maybe the English option will help. The check is done by requesting (GET, ping, traceroute, etc.) a host from different places in China, and you can see a map with availability after it's done.

As said in the issue description, there are Google Cloud IPs that are not blocked, but I'm not quite sure about the details; the percentages may be different between regions. I understand this may be hard or annoying to find and change.

Running something somewhere else is a choice but it also means more work :(

thockin commented 4 years ago

If Google Cloud IPs are not blocked, what's going on?

If you run curl -i git.k8s.io what do you get?

On Thu, Oct 24, 2019 at 6:33 PM Yang Li notifications@github.com wrote:

Hmm, sorry, I was thinking maybe the English option will help. The check is done by requesting (GET, ping, traceroute, etc.) a host from different places in China, and you can see a map with availability after it's done.

As said in the issue description, there are Google Cloud IPs that are not blocked, but I'm not quite sure about the details; the percentages may be different between regions. I understand this may be hard or annoying to find and change.

Running something somewhere else is a choice but it also means more work :(

idealhack commented 4 years ago

To be clear, what I meant was that not all Google Cloud IPs nor sites running on Google Cloud are blocked (e.g. one of the services I maintain in Asia regions on GKE is not), but apparently git.k8s.io is one of those that are blocked, as are others like slack.k8s.io. This is somewhat common for public cloud providers.

I’m currently not in China but I guess the curl command will return timed out.

tao12345666333 commented 4 years ago

I will give the results later. Not at the computer right now.

thockin commented 4 years ago

With no discernable pattern or logic to the blocks, I don't know what else to do, short of a mirror that runs elsewhere...

On Thu, Oct 24, 2019 at 10:11 PM Yang Li notifications@github.com wrote:

To be clear, what I meant was that not all Google Cloud IPs nor sites running on Google Cloud are blocked (e.g. one of the services I maintain in Asia regions on GKE is not), but apparently git.k8s.io is one of those that are blocked, as are others like slack.k8s.io. This is somewhat common for public cloud providers.

I’m currently not in China but I guess the curl command will return timed out.

tao12345666333 commented 4 years ago

If you run curl -i git.k8s.io what do you get?

```
# in China
$ curl -i git.k8s.io
curl: (7) Failed connect to git.k8s.io:80; Connection timed out
# normal or expected result
(MoeLove) ➜  ~ curl -i git.k8s.io
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.10.3
Date: Fri, 25 Oct 2019 06:07:30 GMT
Content-Type: text/html
Content-Length: 161
Location: https://github.com/kubernetes/
Via: 1.1 google

<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.10.3</center>
</body>
</html>
```

Some other information:

```
# in China
$ dig git.k8s.io

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> git.k8s.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35295
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;git.k8s.io.                    IN      A

;; ANSWER SECTION:
git.k8s.io.             300     IN      CNAME   redirect.k8s.io.
redirect.k8s.io.        300     IN      A       35.201.71.162

;; Query time: 111 msec
;; SERVER: 223.5.5.5#53(223.5.5.5)
;; WHEN: 五 10月 25 14:11:24 CST 2019
;; MSG SIZE  rcvd: 67

$ ping -t 20 -c 1 git.k8s.io
PING redirect.k8s.io (35.201.71.162) 56(84) bytes of data.

--- redirect.k8s.io ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
```

tao12345666333 commented 4 years ago

Maybe you can visit this site to show the detail. http://ping.pe/git.k8s.io
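
Added example, not part of the thread or of the project's code: the curl, dig and ping results above show a name that resolves while the TCP connection times out. This Python sketch runs the same three stages in order and reports the first one that fails; the `classify` function and its `resolve`/`connect` parameters are hypothetical names introduced here, and it sends `HEAD` rather than curl's `GET` so that no body has to be read.

```python
"""Staged reachability probe: DNS -> TCP connect -> HTTP response."""
import contextlib
import http.client
import socket
import sys


def classify(host, port=80, timeout=5.0,
             resolve=socket.gethostbyname, connect=socket.create_connection):
    """Return a dict naming the first stage that fails ('dns', 'tcp', 'http')
    or 'ok' with the HTTP status and Location header.

    resolve/connect are injectable so the logic can be checked offline.
    """
    try:
        ip = resolve(host)                      # stage 1: does the name resolve?
    except OSError as exc:                      # socket.gaierror is an OSError
        return {"stage": "dns", "ip": None, "detail": str(exc)}
    try:
        sock = connect((ip, port), timeout)     # stage 2: is the address reachable?
    except OSError as exc:                      # timeouts and resets are OSErrors
        return {"stage": "tcp", "ip": ip, "detail": str(exc)}
    try:
        sock.settimeout(timeout)
        request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        sock.sendall(request.encode("ascii"))
        # stage 3: does the redirector answer, and where does it send us?
        with contextlib.closing(http.client.HTTPResponse(sock, method="HEAD")) as resp:
            resp.begin()
            return {"stage": "ok", "ip": ip, "status": resp.status,
                    "location": resp.getheader("Location")}
    except (OSError, http.client.HTTPException) as exc:
        return {"stage": "http", "ip": ip, "detail": str(exc)}
    finally:
        sock.close()


if __name__ == "__main__":
    # Usage: python probe.py git.k8s.io slack.k8s.io
    for name in sys.argv[1:]:
        print(name, classify(name))
```

A `tcp` result with an IP filled in corresponds to the output posted from China: resolution works, the address does not answer. An `ok` result returns the `Location` value, so the redirect target can be probed separately from the same vantage point.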

thockin commented 4 years ago

So you can resolve it to our redirector but not actually get there.

As we're moving things to community-owned space, this redirector is one of the targets. When we move it, we can try first setting up a branch in GCP asia, which should rule out some issues. If that still doesn't fly, we'll have to talk about in-country mirrors or something.

We're close to being able to do this - can it sit a little longer?

On Thu, Oct 24, 2019 at 11:22 PM Jintao Zhang notifications@github.com wrote:

Maybe you can visit this site to show the detail. http://ping.pe/git.k8s.io


tao12345666333 commented 4 years ago

Thanks. We can try it.

In fact, according to our experience, sometimes IP bans rely on whitelist mode, and sometimes rely on blacklist mode. And there is no clear announcement rule. :upside_down_face:

fejta-bot commented 4 years ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle stale

stp-ip commented 4 years ago

/remove-lifecycle stale

bartsmykla commented 4 years ago

Hi everyone. :-)

It looks like git.k8s.io is working (at least if I'm interpreting links you provided) now but slack.k8s.io is not. I'll try to read if there is any easy way we can help with this.

Does anyone have more knowledge than a few months back about how we can improve it?

Bart

bartsmykla commented 4 years ago

I see slack.k8s.io is still deployed on the old infrastructure and the good thing is the IP (34.107.204.206) which our redirector is using (which is hosted on the new infra) and which actually handles requests to git.k8s.io and others is accessible. I'm gonna try to make sure that when we move slack.k8s.io to the new clusters the IP will be accessible in China too.

bartsmykla commented 4 years ago

I did some research and checked all A records from https://github.com/kubernetes/k8s.io/blob/master/dns/zone-configs/k8s.io._0_base.yaml using website http://ping.pe and here are the results:

During testing velodrome.k8s.io was not accessible anywhere so I'm not sure what is the status of it (cc. @spiffxp)

Question also is if for slack.k8s.io it's not related to the subdomain name not IP (it would be good to check).

Bart

spiffxp commented 4 years ago

velodrome.k8s.io is down for the foreseeable future (ref: https://github.com/kubernetes/test-infra/issues/16836)

bartsmykla commented 4 years ago

@spiffxp got it. Thank you for the update.

idealhack commented 4 years ago

@bartsmykla Hi Bart, thanks for your research and update!

As far as I know, the block method of the Great Firewall is targeting IPs in this case. It's just whether you're lucky or not to get an IP which is not in the blocking rules (since a lot of Google's IPs are on the list). So hopefully this can be resolved when we have moved all things from the old GCP project to the new one.

What do we do if it's still on the blocking list after we move other stuff to the new infra? I wonder if we have other methods to address this.

bartsmykla commented 4 years ago

@idealhack the good thing is we can try to get another IP and if it won't work we can try to use the fact the redirect.k8s.io IP is currently not blocked so I'm sure we can figure something out.

thockin commented 4 years ago

The only real answer is to run mirrors on other non-blocked services, for which we will require owners to drive the work and administer the resulting infra. And maybe credits, depending on the bill.

On Tue, Mar 31, 2020 at 4:26 AM Bart Smykla notifications@github.com wrote:

@idealhack https://github.com/idealhack the good thing is we can try to get another IP and if it won't work we can try to use the fact the redirect.k8s.io IP is currently not blocked so I'm sure we can figure something out.

bartsmykla commented 4 years ago

@idealhack as we are already moving slack-infra to the new infrastructure and are at the point where we deployed everything under https://slack-staging.k8s.io. The IP of slack-staging.k8s.io (34.107.195.71) will be the IP address of slack.k8s.io/slack.kubernetes.io soon (when we'll confirm everything works as expected).

I did some testing using ping.pe (http://ping.pe/slack-staging.k8s.io) and it looks like the new IP address is not being blocked by the Great Firewall.

bartsmykla commented 4 years ago

It looks like gubernator.k8s.io and testgrid.k8s.io are now inaccessible though.

stp-ip commented 4 years ago

We probably need to run a proxy server on non google IPs or better even within China. Happy to take a look, but not sure on timing.

fejta-bot commented 4 years ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle stale

fejta-bot commented 4 years ago

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle rotten

idealhack commented 4 years ago

/remove-lifecycle rotten

fejta-bot commented 3 years ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle stale

idealhack commented 3 years ago

/lifecycle frozen

linghengqian commented 2 years ago

Hi, I was wondering if there is a solution for this other than forward proxying now? I noticed this issue hasn't been closed yet.