Django ALLOWED_HOSTS and ELB health checks

[pmac]

Here's the issue: when using http health checks the host header that comes with the request will be simply the IP of the node that the check hits. This IP will be for any node in the cluster since the ELB knows about all of them and will hit any one at any given time. This node will then forward that request to a node that it knows is running the service based on the NodePort that was hit. This means that the IP in the host header of the request could be the IP of any node in the cluster, and not necessarily the one that has the IP from the host header. So every instance of the app running in the cluster will need to have all IPs of all nodes in its ALLOWED_HOSTS setting. This is even more a problem if a new node is added to the cluster as updating the ALLOWED_HOSTS setting for each instance of the app will mean at best a rolling-restart so that it can pick up the new list of IPs and be able to respond to health-checks on this new node.

My current thinking is that we should avoid putting a list of IPs in ALLOWED_HOSTS and instead write a custom middleware for checking the host header. This will get our IP range and verify that the host header, if it's an IP, is in that range. If not it will fall back to checking against a list of allowed hosts.

I'm definitely open to other ideas for this, but doing our own custom check seems to be the best option. Other options I considered:

• Create another custom subclass of WSGIRequest like we did for the HTTPS=on thing, overriding the get_host() method to do the above checking, falling back to super() if the IP was not validated.
• Add every IP in our range for the cluster to the ALLOWED_HOSTS setting. This seemed a bit extreme and possibly error prone.
• Somehow exempt /healthz/ from the host header check. I can't see a way to do this. I'm pretty sure that it's the fault of a middleware that the get_host() method is run on every request, but I'm not positive.
• Run some separate process to handle the healthcheck. Not a great healthcheck and would make things more complex and fragile.

/cc @metadave @glogiotatidis @jgmize

[escattone]

@pmac For the livenessProbe and readinessProbe, k8s provides the ability to set one or more headers to use when making the request. Here's what I did on MDN:

infra/apps/mdn/mdn-aws/k8s/kuma.deploy.yaml.j2

Line 19 in 1259067

httpHeaders:

[pmac]

@escattone thanks! I think this one is more a problem for the AWS ELB health checks. Hopefully we can do exactly what you have there for the k8s bits.

[glogiotatidis]

I wish ELBs allowed for custom headers to implement something similar to what @escattone suggests (which will be useful elsewhere, thanks!).

Since we can't get the node IP from AWS metadata server, my next thought was allow all ips from the subnet, which feels hacky

ALLOWED_HOSTS.append(['172.1.1.%d' for x in range(256)])

I like what jgmize suggested about using the k8s api and I did some testing

from kubernetes import client, config
config.incluster_config.load_incluster_config()
v1 = client.CoreV1Api()
ALLOWED_HOSTS = [[addr.address for addr in node.status.addresses if addr.type == 'InternalIP']
                 for node in v1.list_node().items]]

If run from within the cluster no extra configuration is needed thanks for load_incluster_config(). The only extra dep is kubernetes library.

This is even more a problem if a new node is added

I don't think that adding a new node will be a problem: The new node will get new pods running on it and the new pods will get all the IPs -including the new one-. The older pods will not have the new IP, but none of them is using the new IP either. In other words the IP of the Node each Pod is running on will be known to Django.

The middleware is a good solution too, maybe I bit more involved imho.

[pmac]

In other words the IP of the Node each Pod is running on will be known to Django.

That should be the case. But my understanding is that each node will send requests for a certain node port to a random container. So the new node could (or definitely would?) forward a request to an old node. The containers on this old node wouldn't know about the new node, but the request from the ELB would have come to the new node IP and would therefore have an IP in the Host header that the container hadn't seen. It might be an edge case but that's my understanding of how k8s works. Please correct me if I'm wrong on this though.

[bookshelfdave]

Add every IP in our range for the cluster to the ALLOWED_HOSTS setting. This seemed a bit extreme and possibly error prone.

Yes, there are 8192 IPs in some of our subnets, checking that set on every request seems a bit much.

The new node will get new pods running on it and the new pods will get all the IPs -including the new one-.

I don't believe there is a guarantee that K8s will schedule a SUMO web pod on every node (ex: simple case: 5 nodes, 3 pods). Setting # pods == # nodes isn't guaranteed to schedule a pod on every node either.

Keep in mind that if the health check fails, the node will be removed from ELB instances, so this has to be foolproof.

[jgmize]

Good point on the new node edge case, @pmac. I think your original middleware proposal is probably the way to go. Others have had success with this approach: https://stackoverflow.com/a/36222755

[pmac]

Saw that one. I'd like to be more robust than that (e.g. 192.168.malicious-site.org would be allowed), but that's the basic idea. We'd just need a setting for the site or a way via the k8s API to get our subnet and filter based on that.

[pmac]

Just tried this with the netaddr package:

>>> from netaddr import IPNetwork
>>> ip = IPNetwork('172.20.32.0/19')
>>> ip
IPNetwork('172.20.32.0/19')
>>> '172.20.42.22' in ip
True
>>> '172.21.42.22' in ip
False

[bookshelfdave]

@pmac I think that's the safest route, the internal node CIDR for each cluster is available in the kops config. We could set it in the deployment (maybe as a secret?)

[pmac]

I think this will be best as a package. I'll get going on this. Shouldn't take long.

[escattone]

@pmac Sorry, I didn't read it carefully enough!