
kubectl proxy: when you request an API that requires HTTP Authorization header authentication, it does not process the response correctly

Open lingbohome opened this issue 2 years ago • 9 comments

kube-apiserver handles authentication using the Authorization header. Does this conflict with my service's use of the Authorization header to handle its own authentication? The following is the request message:

```
GET /api/v1/namespaces/default/services/ddr-api:http-port/proxy/api/v1/group HTTP/1.1
Host: localhost:8001
Accept-Encoding: deflate, gzip, br, zstd
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh-HK;q=0.9,zh;q=0.8,en;q=0.7,en-US;q=0.6
Authorization: Basic YWRtaW46YWRtaW4=
Cache-Control: no-cache
Connection: keep-alive
Content-Type: application/json
Cookie: curpage=1; hasplmlang=int; Synyi.AuditLog.TraceId=4b4a77825a214192b2e076c20261ab7e
DNT: 1
Pragma: no-cache
Referer: http://localhost:8001/api/v1/namespaces/default/services/ddr-api:http-port/proxy/logs
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108", "Google Chrome";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
```

The response (curl verbose output):

```
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Cache-Control: no-cache, private
< Content-Length: 21
< Content-Type: text/plain; charset=utf-8
< Date: Tue, 10 Jan 2023 10:44:22 GMT
< Server: nginx
<
{ [21 bytes data]
100    21  100    21    0     0    564      0 --:--:-- --:--:-- --:--:--   677
HTTP/1.1 401 Unauthorized
Cache-Control: no-cache, private
Content-Length: 21
Content-Type: text/plain; charset=utf-8
Date: Tue, 10 Jan 2023 10:44:22 GMT
Server: nginx
```

lingbohome avatar Jan 11 '23 04:01 lingbohome

@lingbohome: This issue is currently awaiting triage.

SIG CLI takes a lead on issue triage for this repo, but any Kubernetes member can accept issues by applying the triage/accepted label.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Jan 11 '23 04:01 k8s-ci-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Apr 11 '23 04:04 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar May 11 '23 05:05 k8s-triage-robot

Can you provide the service that this is being caused by so we can investigate this further? /remove lifecycle/rotten

mpuckett159 avatar May 22 '24 16:05 mpuckett159

/triage needs-information

brianpursley avatar May 22 '24 16:05 brianpursley

> Can you provide the service that this is being caused by so we can investigate this further? /remove lifecycle/rotten

@mpuckett159 So, the situation is that I am using kubectl proxy to proxy access to a service within the cluster. This service requires authentication, and the authentication credentials are passed through the HTTP Authorization header. However, it seems that the credentials specified in the Authorization header are not correctly forwarded to the service. I suspect that this might be related to the authentication mechanism between kubectl proxy and the kube-apiserver, which prevents the user's authentication credentials specified in the Authorization header from being properly passed along to the service.

lingbohome avatar May 23 '24 04:05 lingbohome

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Aug 21 '24 04:08 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar Sep 20 '24 05:09 k8s-triage-robot

From what I understand at present, in the service proxy API of kube-apiserver, the Authorization header is not forwarded to the target service by default. This design decision is made for security reasons. Is that so?

```go
// Does the service proxy API perform similar operations before forwarding requests to the target service?
// Remove some sensitive headers
newReq.Header.Del("Authorization")
```

If I understand this correctly, this issue can be closed.

lingbohome avatar Nov 01 '24 10:11 lingbohome
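To make the behaviour discussed in this thread concrete, here is an added example (not code from the issue, kubectl or kube-apiserver) modelling a proxy that consumes the caller's Authorization header and strips it before forwarding; the Basic-auth backend then answers 401 exactly as in the captured response. The admin/admin credential, the backend handler and the proxy are constructed for the example; only the /api/v1/group path comes from the issue.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// backend models the in-cluster service: Basic auth (admin/admin, constructed) or 401.
func backend(w http.ResponseWriter, r *http.Request) {
	if u, p, ok := r.BasicAuth(); !ok || u != "admin" || p != "admin" {
		w.WriteHeader(http.StatusUnauthorized)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// strippingProxy models (not kube-apiserver's code) a proxy that deletes Authorization before forwarding.
func strippingProxy(target *url.URL) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(target)
	director := rp.Director
	rp.Director = func(r *http.Request) {
		director(r)
		r.Header.Del("Authorization")
	}
	return rp
}

// statusVia sends a Basic-auth GET to base; returns the status, 0 on error.
func statusVia(base string) int {
	req, _ := http.NewRequest(http.MethodGet, base+"/api/v1/group", nil)
	req.SetBasicAuth("admin", "admin")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0
	}
	resp.Body.Close()
	return resp.StatusCode
}

// Compare returns the status seen directly (200) and via the proxy (401).
func Compare() (direct, proxied int) {
	be := httptest.NewServer(http.HandlerFunc(backend))
	defer be.Close()
	u, _ := url.Parse(be.URL)
	px := httptest.NewServer(strippingProxy(u))
	defer px.Close()
	return statusVia(be.URL), statusVia(px.URL)
}
```

The same credential succeeds directly and fails through the proxy, which is the symptom the issue reports; whether kube-apiserver's service proxy is what drops the header is the question the thread leaves open.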