fix authorization header stripped by kube-apiserver (#2145)

68029de6 · zryfish · GitHub · a86f2a10 · 68029de6 · 68029de6
3 changed file
--- a/pkg/apiserver/dispatch/dispatch.go
+++ b/pkg/apiserver/dispatch/dispatch.go
@@ -130,14 +130,16 @@ func (c *clusterDispatch) Dispatch(w http.ResponseWriter, req *http.Request, han
 	u := *req.URL
 	u.Path = strings.Replace(u.Path, fmt.Sprintf("/clusters/%s", info.Cluster), "", 1)

+	// change request host to actually cluster hosts
 	if info.IsKubernetesRequest {
 		u.Host = innCluster.kubernetesURL.Host
 		u.Scheme = innCluster.kubernetesURL.Scheme
 	} else {
 		u.Host = innCluster.kubesphereURL.Host
+		u.Scheme = innCluster.kubesphereURL.Scheme

 		// if cluster connection is direct and kubesphere apiserver endpoint is empty
-		// we use kube-apiserver proxy
+		// we use kube-apiserver proxy way
 		if cluster.Spec.Connection.Type == clusterv1alpha1.ConnectionTypeDirect &&
 			len(cluster.Spec.Connection.KubeSphereAPIEndpoint) == 0 {

@@ -145,6 +147,14 @@ func (c *clusterDispatch) Dispatch(w http.ResponseWriter, req *http.Request, han
 			u.Host = innCluster.kubernetesURL.Host
 			u.Path = fmt.Sprintf(proxyURLFormat, u.Path)
 			transport = innCluster.transport
+
+			// The reason we need this is kube-apiserver doesn't behave like a standard proxy, it will strip
+			// authorization header of proxy requests. Use custom header to avoid stripping by kube-apiserver.
+			// https://github.com/kubernetes/kubernetes/issues/38775#issuecomment-277915961
+			// We first copy req.Header['Authorization'] to req.Header['X-KubeSphere-Authorization'] before sending
+			// designated cluster kube-apiserver, then copy req.Header['X-KubeSphere-Authorization'] to
+			// req.Header['Authorization'] before authentication.
+			req.Header.Set("X-KubeSphere-Authorization", req.Header.Get("Authorization"))
 		}
 	}


--- a/pkg/apiserver/dispatch/dispatch_test.go
+++ b/pkg/apiserver/dispatch/dispatch_test.go
+package dispatch
--- a/pkg/apiserver/filters/requestinfo.go
+++ b/pkg/apiserver/filters/requestinfo.go
@@ -32,6 +32,19 @@ func WithRequestInfo(handler http.Handler, resolver request.RequestInfoResolver)
 			return
 		}

+		// KubeSphere supports kube-apiserver proxy requests in multicluster mode. But kube-apiserver
+		// stripped all authorization headers. Use custom header to carry token to avoid losing authentication token.
+		// We may need a better way. See issue below.
+		// https://github.com/kubernetes/kubernetes/issues/38775#issuecomment-277915961
+		authorization := req.Header.Get("Authorization")
+		if len(authorization) == 0 {
+			xAuthorization := req.Header.Get("X-KubeSphere-Authorization")
+			if len(xAuthorization) != 0 {
+				req.Header.Set("Authorization", xAuthorization)
+				req.Header.Del("X-KubeSphere-Authorization")
+			}
+		}
+
 		req = req.WithContext(request.WithRequestInfo(ctx, info))
 		handler.ServeHTTP(w, req)
 	})