- https://github.com/kubernetes/kubernetes/blob/release-1.9/cmd/kube-apiserver/app/server.go#L489
- https://github.com/kubernetes/apiserver/search?utf8=%E2%9C%93&q=NewLoopbackClientConfig&type=
- v1.9.7: https://github.com/kubernetes/kubernetes/blob/v1.9.7/cmd/kube-apiserver/app/server.go#L456
- v1.9.8: https://github.com/kubernetes/kubernetes/blob/v1.9.8/cmd/kube-apiserver/app/server.go#L466
- v1.10.2: https://github.com/kubernetes/kubernetes/blob/v1.10.2/cmd/kube-apiserver/app/server.go#L511
Bugfix:
```go
// resolve kubernetes.default.svc locally
localHost, err := url.Parse(genericConfig.LoopbackClientConfig.Host)
if err != nil {
	lastErr = err
	return
}
serviceResolver = aggregatorapiserver.NewLoopbackServiceResolver(serviceResolver, localHost)
```

```go
// The kubernetes service in the default namespace is answered with the local
// loopback host; every other service goes to the wrapped resolver.
func (r *loopbackResolver) ResolveEndpoint(namespace, name string) (*url.URL, error) {
	if namespace == "default" && name == "kubernetes" {
		return r.host, nil
	}
	return r.delegate.ResolveEndpoint(namespace, name)
}
```
Prior to v1.9.8, in a multi-master setup, `kubernetes.default.svc` resolves to any kube-apiserver pod IP. When a self-hosted webhook request goes to a different master, the randomly generated UUID token fails and the result is `Unauthorized`.
Issue: kubernetes/kubernetes#62649
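
A simplified model of the failure and the fix, added here as an example (it is not code from Kubernetes). It assumes each master accepts only its own random token; `fixed`, `newToken`, `status` and the 10.0.0.x addresses are constructed for illustration, and `loopback` repeats the `ResolveEndpoint` logic quoted above.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"net/url"
)

type resolver interface {
	ResolveEndpoint(namespace, name string) (*url.URL, error)
}

// fixed is a constructed stand-in for service resolution that picked one master.
type fixed struct{ host *url.URL }
func (f fixed) ResolveEndpoint(namespace, name string) (*url.URL, error) { return f.host, nil }

// loopback repeats the ResolveEndpoint logic quoted above.
type loopback struct {
	delegate resolver
	host     *url.URL
}
func (r *loopback) ResolveEndpoint(namespace, name string) (*url.URL, error) {
	if namespace == "default" && name == "kubernetes" {
		return r.host, nil
	}
	return r.delegate.ResolveEndpoint(namespace, name)
}

// newToken models the random token each kube-apiserver process creates for itself (assumption).
func newToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return fmt.Sprintf("%x", b)
}

// status presents token to the master res picks; tokens maps host:port to the token it accepts.
func status(token string, tokens map[string]string, res resolver) int {
	if u, err := res.ResolveEndpoint("default", "kubernetes"); err == nil && tokens[u.Host] == token {
		return 200
	}
	return 401
}

func main() {
	a, b := &url.URL{Host: "10.0.0.1:6443"}, &url.URL{Host: "10.0.0.2:6443"} // constructed
	tok := map[string]string{a.Host: newToken(), b.Host: newToken()}
	fmt.Println(status(tok[a.Host], tok, fixed{b}), status(tok[a.Host], tok, &loopback{fixed{b}, a}))
}
```

The first status is master A's token landing on master B; the second is the same call with the loopback resolver wrapped around the same delegate.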