WebSocket connections make use of environment vars for PROXY
What happened (please include outputs or screenshots): The regular k8s client call does not make use of the environment vars for proxies, instead expecting you to pass it explicitly to the config. However, the websocket client will make use of those, which can be confusing.
What you expected to happen: The regular and websocket clients should behave the same.
How to reproduce it (as minimally and precisely as possible):
```bash
# Get the example pod_exec script
wget https://raw.githubusercontent.com/kubernetes-client/python/refs/heads/release-31.0/examples/pod_exec.py
# Get your kubeconfig file
cp $KUBECONFIG .
# Create a requirements file
echo "kubernetes==31.0.0" > reqirements.txt
# Fire up a python 3.12 container
podman run -it --rm --name python -v="$(pwd):/app" docker.io/python:3.12.8-bookworm bash
# in the container, copy the kube-config
mkdir /root/.kube; cp /app/config /root/.kube/
# in the container, install the requirements
pip install -r /app/reqirements.txt
# Set an invalid proxy env var
export HTTPS_PROXY=https://example.com
# Run the example script
python3 /app/pod_exec.py
```
The script is able to ignore the HTTPS_PROXY and check for the existence of the busybox pod, then create it. But the part that uses a websocket/stream to do the exec fails as it can't connect to the dummy proxy.
```
Pod busybox-test does not exist. Creating it...
Done.
Traceback (most recent call last):
  File "/usr/local/lib/python3.12/site-packages/kubernetes/stream/ws_client.py", line 528, in websocket_call
    client = WSClient(configuration, url, headers, capture_all, binary=binary)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/kubernetes/stream/ws_client.py", line 68, in __init__
    self.sock = create_websocket(configuration, url, headers)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/kubernetes/stream/ws_client.py", line 494, in create_websocket
    websocket.connect(url, **connect_opt)
  File "/usr/local/lib/python3.12/site-packages/websocket/_core.py", line 256, in connect
    self.sock, addrs = connect(
                       ^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/websocket/_http.py", line 147, in connect
    sock = _tunnel(sock, hostname, port_from_url, auth)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/websocket/_http.py", line 339, in _tunnel
    raise WebSocketProxyException(f"failed CONNECT via proxy status: {status}")
websocket._exceptions.WebSocketProxyException: failed CONNECT via proxy status: 400

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/app/pod_exec.py", line 134, in <module>
    main()
  File "/app/pod_exec.py", line 130, in main
    exec_commands(core_v1)
  File "/app/pod_exec.py", line 76, in exec_commands
    resp = stream(api_instance.connect_get_namespaced_pod_exec,
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/kubernetes/stream/stream.py", line 36, in _websocket_request
    out = api_method(*args, **kwargs)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/kubernetes/client/api/core_v1_api.py", line 994, in connect_get_namespaced_pod_exec
    return self.connect_get_namespaced_pod_exec_with_http_info(name, namespace, **kwargs)  # noqa: E501
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/kubernetes/client/api/core_v1_api.py", line 1101, in connect_get_namespaced_pod_exec_with_http_info
    return self.api_client.call_api(
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/kubernetes/client/api_client.py", line 348, in call_api
    return self.__call_api(resource_path, method,
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/kubernetes/client/api_client.py", line 180, in __call_api
    response_data = self.request(
                    ^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/kubernetes/stream/ws_client.py", line 538, in websocket_call
    raise ApiException(status=0, reason=str(e))
kubernetes.client.exceptions.ApiException: (0)
Reason: failed CONNECT via proxy status: 400
```
Anything else we need to know?:
Environment:
- Kubernetes version (kubectl version): v1.27.16+03a907c
- OS (e.g., MacOS 10.13.6): Debian 12
- Python version (python --version): 3.12.8
- Python client version (pip list | grep kubernetes): 31.0.0
Additionally, it seems to parse NO_PROXY differently than curl.
In curl (https://curl.se/libcurl/c/CURLOPT_NOPROXY.html) you can match a subdomain with just the base domain, i.e. putting example.com in the NO_PROXY would match api.example.com. Whereas the k8s websocket would need a prefixed dot to match, i.e. .example.com with a leading dot to match api.example.com.
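The NO_PROXY difference described above, as an added example that is not part of the original issue and is not code from curl, websocket-client or the Kubernetes client: it models both matching rules as the issue states them, checks whether an API server host would bypass the proxy under each, and rewrites NO_PROXY so both rules agree. All function names and the sample value are hypothetical.

```python
# Added illustration: both rules modelled from the issue text, not library code.
import ipaddress
from urllib.parse import urlsplit

SAMPLE_NO_PROXY = "example.com,10.0.0.0/8"  # constructed value

def _entries(no_proxy):
    return [e.strip().lower() for e in no_proxy.split(",") if e.strip()]

def _is_ip_or_cidr(entry):
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False

def curl_style_bypass(host, no_proxy):
    """curl rule per the issue: a bare domain also covers its subdomains."""
    host = host.lower().rstrip(".")
    for entry in _entries(no_proxy):
        base = entry.lstrip(".")
        if entry == "*" or host == base or host.endswith("." + base):
            return True
    return False

def dot_prefix_bypass(host, no_proxy):
    """Websocket rule per the issue: subdomains need a leading-dot entry."""
    host = host.lower().rstrip(".")
    for entry in _entries(no_proxy):
        if entry == "*" or host == entry:
            return True
        if entry.startswith(".") and host.endswith(entry):
            return True
    return False

def portable_no_proxy(no_proxy):
    """List every domain both bare and dot-prefixed so both rules agree."""
    out = []
    for entry in _entries(no_proxy):
        if entry == "*" or _is_ip_or_cidr(entry):
            variants = [entry]
        else:
            variants = [entry.lstrip("."), "." + entry.lstrip(".")]
        out.extend(v for v in variants if v not in out)
    return ",".join(out)

def audit(api_url, no_proxy):  # -> (curl_style, dot_prefix) for the API host
    host = urlsplit(api_url).hostname
    return curl_style_bypass(host, no_proxy), dot_prefix_bypass(host, no_proxy)
```

Running `audit` against the cluster's API server URL before an exec or attach call shows whether that stream, which carries the client's credentials, would be sent through the proxy named in the environment.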
/help
@yliaog: This request has been marked as needing help from a contributor.
/assign
@yliaog, @fabianvf Please approve my commits
Please open a Pull Request
+1