terraform-provider-kubernetes

Windows Control Flow Guard is blocking all the communications from the provider

Open u362eboi opened this issue 2 years ago • 3 comments

Terraform Version, Provider Version and Kubernetes Version

Terraform version: 1.4.2 Kubernetes provider version: 2.18.1 Kubernetes version: 1.25

Affected Resource(s)

Any kubernetes_

Example:

resource "kubernetes_namespace_v1" "demo" {
  metadata {
    name = "demo"
  }
}

Debug Output

  [ERROR] plugin.(*GRPCProvider).ReadResource: error="rpc error: code = Unavailable desc = error reading from server: read tcp 127.0.0.1:49290->127.0.0.1:10004: wsarecv: An existing connection was forcibly closed by the remote host."
  
  │ The plugin encountered an error, and failed to respond to the
  │ plugin.(*GRPCProvider).ReadResource call. The plugin logs may contain more
  │ details.

Steps to Reproduce

  1. In Windows Security --> Exploit Protection --> Control Flow Guard (CFG), set to On by default, or:

  2. In Windows Security --> Exploit Protection --> Program Settings --> Add program to customize --> Add by program name

  3. Program name: terraform-provider-kubernetes_v2.18.1_x5.exe

  4. Under Control flow guard (CFG), check Override system settings and set to On

  5. terraform apply

Expected Behavior

Terraform can refresh its state/create resources

Actual Behavior

The network communication of the provider gets blocked by Control Flow Guard without any warnings. The terraform apply fails with a *GRPCProvider error on any resource previously deployed, or fails to create any new resource.

Important Factoids

Control Flow Guard is enabled system-wide through GPO by the security admins and can't be disabled. It also affects the executable when run under WSL. My current workaround is adding an application-specific override of the settings. It'll have to be redone every time a new version of the executable is released.

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

u362eboi avatar Mar 20 '23 21:03 u362eboi
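The reproduction steps above are a manual walk through the Exploit Protection GUI, and the workaround in the "Important Factoids" section is a per-program override that has to be recreated for every new provider release because Exploit Protection keys program settings on the executable's file name. The script below is an added example, not code from the issue or from the terraform-provider-kubernetes project. It locates every provider binary Terraform has installed under `.terraform\providers\` (the layout Terraform 1.x uses; `$ProviderRoot` is an assumption you may need to point at a plugin cache instead), reads each binary's PE optional header to report whether it was linked with the `IMAGE_DLLCHARACTERISTICS_GUARD_CF` flag, and, when `-Cfg` is given, sets the per-program CFG override with the built-in `Set-ProcessMitigation` cmdlet: `-Cfg On` reproduces steps 2 to 4 of the report, `-Cfg Off` applies the reporter's workaround. `Set-ProcessMitigation` writes to HKLM and therefore needs an elevated session.

```powershell
# Added example (not from the issue or the provider project).
# Assumptions: Windows 10/11 with the built-in ProcessMitigations module, an elevated
# session for -Cfg, and provider binaries laid out under .terraform\providers\ as
# Terraform 1.x installs them. Without -Cfg the script only reports.
param(
    [string]$ProviderRoot = (Join-Path (Get-Location) '.terraform\providers'),
    [ValidateSet('On', 'Off')]
    [string]$Cfg   # On = reproduce the issue's per-program override, Off = the workaround
)

# PE optional header DllCharacteristics bit set by linkers that emit CFG metadata.
$IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000

function Test-PeGuardCf {
    # Returns $true/$false for a PE32 or PE32+ image, $null if the file is not a PE image.
    param([Parameter(Mandatory)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { return $null }   # 'MZ'
    $peOff = [BitConverter]::ToInt32($b, 0x3C)                                      # e_lfanew
    if ($peOff -le 0 -or ($peOff + 24 + 72) -gt $b.Length) { return $null }
    if ([BitConverter]::ToUInt32($b, $peOff) -ne 0x00004550) { return $null }       # 'PE\0\0'
    $opt   = $peOff + 24                                                            # optional header
    $magic = [BitConverter]::ToUInt16($b, $opt)
    if ($magic -ne 0x10B -and $magic -ne 0x20B) { return $null }                    # PE32 / PE32+
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ optional header.
    $dllChars = [BitConverter]::ToUInt16($b, $opt + 70)
    return (($dllChars -band $IMAGE_DLLCHARACTERISTICS_GUARD_CF) -ne 0)
}

$exes = Get-ChildItem -Path $ProviderRoot -Recurse -Filter 'terraform-provider-*.exe' `
            -ErrorAction SilentlyContinue
if (-not $exes) {
    Write-Warning "No provider binaries found under $ProviderRoot (run 'terraform init' first?)"
    return
}

foreach ($exe in $exes) {
    $linkedWithCfg = Test-PeGuardCf -Path $exe.FullName

    if ($Cfg) {
        # Exploit Protection program settings are keyed on the file name, which is why the
        # override must be redone for every versioned provider binary.
        if ($Cfg -eq 'On') {
            Set-ProcessMitigation -Name $exe.Name -Enable CFG
        } else {
            Set-ProcessMitigation -Name $exe.Name -Disable CFG
        }
    }

    [pscustomobject]@{
        Binary        = $exe.Name
        Version       = $exe.Directory.Parent.Name     # ...\<provider>\<version>\windows_amd64\
        LinkedWithCFG = $linkedWithCfg
        OverrideSet   = if ($Cfg) { $Cfg } else { 'unchanged' }
    }
}
```

Run it from the Terraform working directory with no arguments to see which provider binaries are present and whether they carry CFG metadata; run it elevated with `-Cfg Off` after every `terraform init` that pulls a new provider version to re-apply the override. `Get-ProcessMitigation -Name terraform-provider-kubernetes_v2.18.1_x5.exe` shows the resulting per-program settings, and `Get-ProcessMitigation -System` shows the system defaults that the GPO in the report enforces.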

Thanks for opening this @u362eboi. Does this only happen for the Kubernetes provider, or does it affect other provider binaries too?

jrhouston avatar Mar 27 '23 17:03 jrhouston

> Thanks for opening this @u362eboi. Does this only happen for the Kubernetes provider, or does it affect other provider binaries too?

I haven't seen this behavior with the AWS and GCP providers. Those are the only 3 providers I use so far.

u362eboi avatar Apr 28 '23 15:04 u362eboi

Marking this issue as stale due to inactivity. If this issue receives no comments in the next 30 days it will automatically be closed. If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. This helps our maintainers find and focus on the active issues. Maintainers may also remove the stale label at their discretion. Thank you!

github-actions[bot] avatar Apr 28 '24 00:04 github-actions[bot]