水淹萌龙 / kubesphere
Forked from KubeSphere / kubesphere (in sync with the fork source project)
Commit 68029de6 (unverified)
Authored Jun 02, 2020 by zryfish
Committed by GitHub on Jun 02, 2020
fix authorization header stripped by kube-apiserver (#2145)
Parent: a86f2a10

Showing 3 changed files with 25 additions and 1 deletion (+25 -1)

pkg/apiserver/dispatch/dispatch.go (+11 -1)
pkg/apiserver/dispatch/dispatch_test.go (+1 -0)
pkg/apiserver/filters/requestinfo.go (+13 -0)
pkg/apiserver/dispatch/dispatch.go
...
...
@@ -130,14 +130,16 @@ func (c *clusterDispatch) Dispatch(w http.ResponseWriter, req *http.Request, han
u
:=
*
req
.
URL
u
.
Path
=
strings
.
Replace
(
u
.
Path
,
fmt
.
Sprintf
(
"/clusters/%s"
,
info
.
Cluster
),
""
,
1
)
// change request host to actually cluster hosts
if
info
.
IsKubernetesRequest
{
u
.
Host
=
innCluster
.
kubernetesURL
.
Host
u
.
Scheme
=
innCluster
.
kubernetesURL
.
Scheme
}
else
{
u
.
Host
=
innCluster
.
kubesphereURL
.
Host
u
.
Scheme
=
innCluster
.
kubesphereURL
.
Scheme
// if cluster connection is direct and kubesphere apiserver endpoint is empty
// we use kube-apiserver proxy
// we use kube-apiserver proxy
way
if
cluster
.
Spec
.
Connection
.
Type
==
clusterv1alpha1
.
ConnectionTypeDirect
&&
len
(
cluster
.
Spec
.
Connection
.
KubeSphereAPIEndpoint
)
==
0
{
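Review bot: The reworded comment inside the `ConnectionTypeDirect` branch ("we use kube-apiserver proxy way") still does not say what actually happens to the request. Suggest stating that when `KubeSphereAPIEndpoint` is empty the request is rerouted through the cluster's kube-apiserver with `proxyURLFormat`, so the reader does not have to infer it from the code that follows.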
...
...
@@ -145,6 +147,14 @@ func (c *clusterDispatch) Dispatch(w http.ResponseWriter, req *http.Request, han
u
.
Host
=
innCluster
.
kubernetesURL
.
Host
u
.
Path
=
fmt
.
Sprintf
(
proxyURLFormat
,
u
.
Path
)
transport
=
innCluster
.
transport
// The reason we need this is kube-apiserver doesn't behave like a standard proxy, it will strip
// authorization header of proxy requests. Use custom header to avoid stripping by kube-apiserver.
// https://github.com/kubernetes/kubernetes/issues/38775#issuecomment-277915961
// We first copy req.Header['Authorization'] to req.Header['X-KubeSphere-Authorization'] before sending
// designated cluster kube-apiserver, then copy req.Header['X-KubeSphere-Authorization'] to
// req.Header['Authorization'] before authentication.
req
.
Header
.
Set
(
"X-KubeSphere-Authorization"
,
req
.
Header
.
Get
(
"Authorization"
))
}
}
...
...
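Review bot: `req.Header.Set("X-KubeSphere-Authorization", req.Header.Get("Authorization"))` runs unconditionally in the proxy branch, so a request without an `Authorization` header is forwarded with an empty `X-KubeSphere-Authorization`. Guard the copy with a non-empty check, and move the header name into a shared constant, since the same string literal is repeated in pkg/apiserver/filters/requestinfo.go. The token now also travels under a name that log redaction keyed on `Authorization` will not match, which is worth stating in the comment block above the call.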
pkg/apiserver/dispatch/dispatch_test.go
0 → 100644
package
dispatch
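Review bot: dispatch_test.go is added with only the `package dispatch` clause, so the header copy introduced in `Dispatch` has no test coverage. Add a test that sends a request through the direct-connection proxy path and checks that `X-KubeSphere-Authorization` carries the value of `Authorization`.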
pkg/apiserver/filters/requestinfo.go
...
...
@@ -32,6 +32,19 @@ func WithRequestInfo(handler http.Handler, resolver request.RequestInfoResolver)
return
}
// KubeSphere supports kube-apiserver proxy requests in multicluster mode. But kube-apiserver
// stripped all authorization headers. Use custom header to carry token to avoid losing authentication token.
// We may need a better way. See issue below.
// https://github.com/kubernetes/kubernetes/issues/38775#issuecomment-277915961
authorization
:=
req
.
Header
.
Get
(
"Authorization"
)
if
len
(
authorization
)
==
0
{
xAuthorization
:=
req
.
Header
.
Get
(
"X-KubeSphere-Authorization"
)
if
len
(
xAuthorization
)
!=
0
{
req
.
Header
.
Set
(
"Authorization"
,
xAuthorization
)
req
.
Header
.
Del
(
"X-KubeSphere-Authorization"
)
}
}
req
=
req
.
WithContext
(
request
.
WithRequestInfo
(
ctx
,
info
))
handler
.
ServeHTTP
(
w
,
req
)
})
...
...
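Review bot: The fallback in `WithRequestInfo` accepts `X-KubeSphere-Authorization` from any request that lacks `Authorization`, not only from requests that arrived through the kube-apiserver proxy, and when `Authorization` is present the custom header is left on the request. Move `req.Header.Del("X-KubeSphere-Authorization")` outside the inner `if` so the header is always removed before `handler.ServeHTTP`, and consider limiting the fallback to proxied requests if they can be told apart. The comment's "We may need a better way" would be easier to follow up as a TODO that names the linked issue.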