
client: rustls is incompatible with the env-based in-cluster config #1003

Closed
olix0r opened this issue Sep 9, 2022 · 2 comments · Fixed by #1184
Labels
client (http issues with the client), rustls (rustls-tls related)

Comments

@olix0r
Contributor

olix0r commented Sep 9, 2022

As described in #1000, in-cluster Kubernetes clients must honor the KUBERNETES_SERVICE_HOST environment variable and cannot rely on this being identical to kubernetes.default.svc. Unfortunately, this value is usually an IP address, and webpki doesn't support IP address validation by IP (briansmith/webpki#54 rustls/webpki#4). Therefore, rustls cannot reliably be used with the default in-cluster configuration.

Once these upstream issues are addressed, the client Config documentation should be updated to remove caveats about rustls compatibility and CI changes (in #1001) should be reverted to test rustls in CI.

@olix0r changed the title from "client: rustls is incompatible with the default in-cluster config" to "client: rustls is incompatible with the env-based in-cluster config" on Sep 9, 2022
@clux added the labels rustls (rustls-tls related) and client (http issues with the client) on Sep 9, 2022
@MikailBag
Contributor

This may be related to #991.
I think that once that issue is done, kube-rs users may explicitly apply the override tls-server-name = kubernetes.default.svc to the connection config, and verification will work both in-cluster and externally (because the server certificate will now be validated against a DNS name).

@clux
Member

clux commented Dec 15, 2022

As of 0.77.0, we now use @MikailBag's idea of passing tls-server-name = kubernetes.default.svc by default for rustls, and this should at least provide a better workaround for rustls.
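To make the two comments above concrete (MikailBag's override idea and the 0.77.0 default that clux describes), here is an added example that is not kube-rs code: a std-only Rust model of the client-side decision. It reads the endpoint from the kubelet-injected environment, classifies the host as an IP or DNS reference identity, and compares it against a constructed subjectAltName list the way a DNS-only verifier (the webpki behaviour the issue describes) and an iPAddress-aware verifier would. The certificate contents, the ClusterIP 10.96.0.1 and the `lookup` closure standing in for `std::env::var` are all assumptions; none of it parses real X.509.

```rust
// Added example (not kube-rs code): models why a DNS-only hostname verifier
// fails against the env-based in-cluster endpoint and how a tls-server-name
// override repairs it. Certificate contents and env values are constructed.
use std::net::IpAddr;

/// A subjectAltName entry of the API server certificate (model, not an X.509 parser).
#[derive(Debug, Clone, PartialEq)]
pub enum SanEntry {
    Dns(String),
    Ip(IpAddr),
}

/// The reference identity the client compares the certificate against.
#[derive(Debug, Clone, PartialEq)]
pub enum ServerName {
    Dns(String),
    Ip(IpAddr),
}

/// Read the endpoint the kubelet injects into every pod's environment.
/// `lookup` stands in for `std::env::var` so the logic can be exercised offline.
pub fn incluster_endpoint(lookup: impl Fn(&str) -> Option<String>) -> Option<(String, u16)> {
    let host = lookup("KUBERNETES_SERVICE_HOST")?;
    let port = lookup("KUBERNETES_SERVICE_PORT")?.parse().ok()?;
    Some((host, port))
}

/// Classify a host the way a TLS client must: an IP literal (optionally in IPv6
/// brackets) is an IP reference identity, anything else is a DNS name.
pub fn classify_host(host: &str) -> ServerName {
    let bare = host.trim_start_matches('[').trim_end_matches(']');
    match bare.parse::<IpAddr>() {
        Ok(ip) => ServerName::Ip(ip),
        Err(_) => ServerName::Dns(host.to_ascii_lowercase()),
    }
}

/// The identity to verify: the configured `tls-server-name` override if set,
/// otherwise the host that was actually dialed.
pub fn reference_identity(dialed_host: &str, tls_server_name: Option<&str>) -> ServerName {
    classify_host(tls_server_name.unwrap_or(dialed_host))
}

/// Name matching as a DNS-only verifier does it (the webpki behaviour the issue
/// describes): iPAddress SANs are ignored, so an IP reference identity never matches.
/// Exact, case-insensitive comparison only; wildcard labels are out of scope here.
pub fn matches_dns_only(sans: &[SanEntry], reference: &ServerName) -> bool {
    match reference {
        ServerName::Ip(_) => false,
        ServerName::Dns(name) => sans
            .iter()
            .any(|san| matches!(san, SanEntry::Dns(d) if d.eq_ignore_ascii_case(name))),
    }
}

/// Name matching for a verifier that also honours iPAddress SANs.
pub fn matches_with_ip_sans(sans: &[SanEntry], reference: &ServerName) -> bool {
    match reference {
        ServerName::Ip(ip) => sans.iter().any(|san| matches!(san, SanEntry::Ip(i) if i == ip)),
        ServerName::Dns(_) => matches_dns_only(sans, reference),
    }
}

/// Constructed SAN list in the shape kubeadm-style API server certificates use.
pub fn sample_api_server_sans() -> Vec<SanEntry> {
    vec![
        SanEntry::Dns("kubernetes".into()),
        SanEntry::Dns("kubernetes.default".into()),
        SanEntry::Dns("kubernetes.default.svc".into()),
        SanEntry::Dns("kubernetes.default.svc.cluster.local".into()),
        SanEntry::Ip("10.96.0.1".parse().unwrap()),
    ]
}

fn main() {
    // Constructed pod environment: the service host is the ClusterIP, not a DNS name.
    let env = |key: &str| match key {
        "KUBERNETES_SERVICE_HOST" => Some("10.96.0.1".to_string()),
        "KUBERNETES_SERVICE_PORT" => Some("443".to_string()),
        _ => None,
    };
    let (host, port) = incluster_endpoint(env).expect("in-cluster env missing");
    let sans = sample_api_server_sans();

    let plain = reference_identity(&host, None);
    let overridden = reference_identity(&host, Some("kubernetes.default.svc"));
    println!("dialing {host}:{port}");
    println!("dns-only verifier, no override:   {}", matches_dns_only(&sans, &plain));
    println!("dns-only verifier, with override: {}", matches_dns_only(&sans, &overridden));
    println!("ip-aware verifier, no override:   {}", matches_with_ip_sans(&sans, &plain));
}
```

The override changes only which name is compared against the certificate; the chain still has to validate to the in-cluster CA, and an override naming something the certificate does not carry (say, a name outside the SAN list) still fails, which is what keeps the workaround from being a blanket bypass of hostname checking.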

flavio added a commit to flavio/kwctl that referenced this issue Mar 15, 2023
kwctl is built using rustls enabled. Unfortunately rustls does not support
validating IP addresses yet (see kube-rs/kube#1003).

This commit introduces a workaround to address this limitation. This is
required to make sure users can run context aware policies against
minikube, k3d and other local development solutions that deploy
kubernetes in this way.

Signed-off-by: Flavio Castelli <fcastelli@suse.com>
flavio added a commit to kubewarden/kwctl that referenced this issue Mar 16, 2023
@clux clux closed this as completed in #1184 Apr 5, 2023