Skip to content

Instantly share code, notes, and snippets.

@tamalsaha

tamalsaha/kube-apiserver-unauthorized.md

Last active August 20, 2018 15:30
Show Gist options
  • Save tamalsaha/78b772f6f0a28d7725221e76b3e48611 to your computer and use it in GitHub Desktop.
Save tamalsaha/78b772f6f0a28d7725221e76b3e48611 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
kube-apiserver-unauthorized.md

ServiceResolver

Bugfix:

	// resolve kubernetes.default.svc locally
	localHost, err := url.Parse(genericConfig.LoopbackClientConfig.Host)
	if err != nil {
		lastErr = err
		return
	}
	serviceResolver = aggregatorapiserver.NewLoopbackServiceResolver(serviceResolver, localHost)

func (r *loopbackResolver) ResolveEndpoint(namespace, name string) (*url.URL, error) {
	if namespace == "default" && name == "kubernetes" {
		return r.host, nil
	}
	return r.delegate.ResolveEndpoint(namespace, name)
}

Since prior to v1.9.8, kubernetes.default.svc will resolve to any kube-apiserver pod ip, in a multi-master setup. When self-hosted webhook requests will go to a different master the randomly generated uuid token will fail and result in Unauthorized.

Issue: kubernetes/kubernetes#62649

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment