grpc: set localhost Authority to unix client calls #112597
k8s-ci-robot merged 1 commit into kubernetes:master from
Several reports exist (both with device plugins and CSI) that
kubelet w/ grpc-go sends invalid Authority header and some non
grpc-go servers reject these unix domain socket client connections.
grpc-go sets the Authority header correctly when the dial address
is in a format where its address scheme can be determined.
Instead of making changes to get all the server addresses to unix://
prefixed format, set grpc.WithAuthority("localhost") client connection
override to get the same result.
Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
|
/ok-to-test |
|
/lgtm I agree that this approach is more sensible than trying to adapt all paths. |
|
/approve for kubelet |
|
I wonder if we need to do the same for CRI as well. We do not set authority there either. |
|
/priority important-longterm |
AFAIK the CRI endpoints are forced to use |
|
/assign @xing-yang For approval. |
|
@xing-yang does this look OK to you? |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: jsafrane, klueska, mythi |
Some non grpc-go servers fail with "protocol error" when contacted by KubeVirt's gRPC client. The suspected cause is that grpc-go sends invalid Authority headers when using unix domain sockets. This issue prevents implementation of hook sidecars in other languages, such as Go with its Tonic library. A similar issue was encountered in Kubernetes [1], where it was solved by explicitly setting the Authority header. This patch uses the same approach. [1] kubernetes/kubernetes#112597 Signed-off-by: Petr Horacek <hrck@protonmail.com>
Add grpc.WithAuthority("localhost") to the dial function in plugin
manager. This fixes compatibility with Rust gRPC servers (tonic/h2)
that reject connections where the authority header contains the
Unix socket path instead of a valid hostname.
The same fix was applied to CSI client code in K8s PR kubernetes#112597, but
the plugin manager's dial function was missed.
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
What type of PR is this?
/kind bug
What this PR does / why we need it:
Several reports exist (both with device plugins and CSI) that kubelet w/ grpc-go sends invalid Authority header and some non grpc-go servers reject these unix domain socket client connections.
grpc-go sets the Authority header correctly when the dial address is in a format where its address scheme can be determined.
Instead of making changes to get all the server addresses to unix:// prefixed format, set grpc.WithAuthority("localhost") client connection override to get the same result.
Which issue(s) this PR fixes:
Fixes #107093
Fixes #109081
Fixes #108254
Closes #109559
Special notes for your reviewer:
The alternative approach could be to ensure all addresses are sanitized and set to use unix:// scheme: TrimPrefix() + Snprintf().
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
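The authority behaviour this PR description relies on, as an added Go example that is not code from the PR or from grpc-go. The function names, the sample socket path and the simplified host[:port] check are assumptions; the model of how the authority is chosen follows only what the description above states.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// authorityFor models the behaviour described in the PR text (assumed model, not
// grpc-go source): override wins, unix: maps to "localhost", else the raw target.
func authorityFor(target, override string) string {
	if override != "" {
		return override // effect of grpc.WithAuthority(override)
	}
	if strings.HasPrefix(target, "unix:") {
		return "localhost" // address scheme can be determined
	}
	return target // bare socket path ends up as the authority
}

// unixTarget is the alternative mentioned in the PR: force the unix:// prefix.
func unixTarget(addr string) string {
	return fmt.Sprintf("unix://%s", strings.TrimPrefix(addr, "unix://"))
}

// validAuthority is a simplified host[:port] check standing in for a strict
// HTTP/2 server (hypothetical; bare IPv6 literals without a port are not handled).
func validAuthority(a string) bool {
	if a == "" || strings.ContainsAny(a, "/?#@ \t") {
		return false
	}
	host, port, err := a, "", error(nil)
	if strings.Contains(a, ":") {
		host, port, err = net.SplitHostPort(a)
	}
	if _, perr := strconv.ParseUint(port, 10, 16); err != nil || (port != "" && perr != nil) {
		return false
	}
	return host != ""
}

func main() {
	sock := "/var/lib/kubelet/device-plugins/example.sock" // constructed sample path
	for _, c := range [][2]string{{sock, ""}, {unixTarget(sock), ""}, {sock, "localhost"}} {
		a := authorityFor(c[0], c[1])
		fmt.Printf("target=%q override=%q authority=%q valid=%v\n", c[0], c[1], a, validAuthority(a))
	}
}
```

Only the bare-path case without an override yields an authority the strict check rejects; both the unix:// rewrite and the override produce "localhost".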