feat(api-server): aggregator + pod/service proxy fixes #45
Open
indyjonesnl wants to merge 2 commits into
Match upstream Kubernetes v1.35 semantics for `/proxy/{path}` subresources
so that conformance tests "Proxy through service + pod" pass:
- Use `OriginalUri` to read the request path verbatim, preserving any
trailing slash so `/proxy/foo/` is forwarded to the backend as `/foo/`
(and `/proxy/foo` as `/foo`). The previous code stripped the trailing
slash via Axum's `*path` capture.
- Forward the raw query string instead of rebuilding it from a
`HashMap`. The HashMap form lost ordering, duplicate keys, and exact
encoding — all observable to backends.
- Map the HTTP method to the K8s authorization verb (GET→get, POST→
create, PUT→update, PATCH→patch, DELETE→delete) for the
`pods/proxy`, `services/proxy`, and `nodes/proxy` subresources, so
RBAC rules can scope mutations separately from reads.
- Resolve `pod:portname` style URLs against named container ports
across all containers in the pod, matching `pkg/registry/core/pod/
strategy.go ResourceLocation`.
Adds 11 new unit tests covering verb mapping, trailing-slash
preservation, encoded characters, and named-port resolution; plus an
integration test confirming a pod's named container port survives a
storage round trip.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
… backends

Closes a slice of the v1.35 conformance gap for the [Conformance].*Aggregator.*sample tests.

The router's APIService proxy now mirrors kube-aggregator semantics: it forwards the request body, query string, and an impersonation header set (X-Remote-User, X-Remote-Group, X-Remote-Extra-*) so the backend can authorise the original caller, while dropping the inbound Authorization to prevent token leakage. TLS uses the APIService caBundle when present and honours insecureSkipTLSVerify.

The /apis discovery list now merges in groups registered via APIService so clients can discover aggregated APIs.

create_apiservice no longer claims Available=True for service-backed APIServices on creation — it now seeds Available=Unknown/Pending and lets the APIServiceAvailabilityController drive the truth.

Tests cover header construction (impersonation + allow-list + Authorization drop), target resolution (ClusterIP / Endpoints / 503), discovery merge, query-string forwarding, and the unreachable-backend 503 path against a warp mock.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Changes
Two proxy-layer features required by conformance.
`feat: pod/service proxy preserves trailing slash and named ports`
The `/api/v1/namespaces/{ns}/pods/{name}/proxy/{path...}` (and the service equivalent) had two K8s-conformance bugs:
`feat(api-server): aggregator forwards auth, body, query to APIService backends`
Aggregated APIService backends (e.g., metrics-server) received bare GETs with no Authorization header, no request body, and no query string. Now the aggregator copies:
plus sets X-Remote-* headers for the backend's auth chain.
Verification
`cargo build --workspace --locked` clean. Depends on #32 for green CI.
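The header construction the second commit message describes (impersonation set, allow-list, Authorization drop), sketched as an added example that is not code from this pull request. The `Caller` type, the `ALLOWED` list and `escape_key` are hypothetical, and discarding client-supplied `X-Remote-*` headers is this example's assumption about what the allow-list implies.

```rust
use std::collections::BTreeMap;

// Hypothetical type for this example: the caller the API server authenticated.
pub struct Caller {
    pub user: String,
    pub groups: Vec<String>,
    pub extra: BTreeMap<String, Vec<String>>,
}

// Assumed allow-list of inbound headers that may pass through unchanged.
const ALLOWED: &[&str] = &["accept", "accept-encoding", "content-type", "user-agent"];

// Percent-encode bytes of an extra key that are not safe in a header name.
fn escape_key(key: &str) -> String {
    key.bytes()
        .map(|b| match b {
            b'a'..=b'z' | b'0'..=b'9' | b'-' | b'_' | b'.' => (b as char).to_string(),
            b'A'..=b'Z' => (b.to_ascii_lowercase() as char).to_string(),
            _ => format!("%{:02x}", b),
        })
        .collect()
}

// Headers sent to the APIService backend: allow-listed inbound headers plus
// identity headers derived only from the authenticated caller.
pub fn backend_headers(inbound: &[(&str, &str)], caller: &Caller) -> Vec<(String, String)> {
    let mut out: Vec<(String, String)> = inbound
        .iter()
        .map(|(n, v)| (n.to_ascii_lowercase(), v.to_string()))
        // Authorization and client-supplied X-Remote-* are not allow-listed,
        // so the bearer token and any spoofed identity are dropped here.
        .filter(|(n, _)| ALLOWED.contains(&n.as_str()))
        .collect();
    out.push(("x-remote-user".to_string(), caller.user.clone()));
    out.extend(caller.groups.iter().map(|g| ("x-remote-group".to_string(), g.clone())));
    for (key, values) in &caller.extra {
        let name = format!("x-remote-extra-{}", escape_key(key));
        out.extend(values.iter().map(|v| (name.clone(), v.clone())));
    }
    out
}

fn main() {
    // Constructed sample request: a bearer token plus a spoofed identity header.
    let inbound = [("Authorization", "Bearer constructed-token"), ("X-Remote-User", "system:admin"), ("Accept", "application/json")];
    let caller = Caller { user: "alice".into(), groups: vec!["dev".into()], extra: BTreeMap::new() };
    for (n, v) in backend_headers(&inbound, &caller) {
        println!("{n}: {v}");
    }
}
```

A backend that trusts `X-Remote-*` should accept them only over a connection whose client certificate identifies the aggregator, since the headers alone carry no proof of origin.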