Merge pull request #64644 from Random-Liu/address-comments-in-#64006

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Address comments in #64006. Address comments in #64006 @tallclair @yujuhong @kubernetes/sig-node-pr-reviews Signed-off-by: Lantao Liu <lantaol@google.com> **Release note**: ```release-note none ```
2025-07-22 19:31:44 +00:00 · 2018-06-03 06:31:26 -07:00 · 2018-06-03 06:31:26 -07:00 · 2b26234003
commit 2b26234003
parent 0ecfd343b3 9677616eaf
3 changed files with 12 additions and 8 deletions
--- a/pkg/kubelet/config/flags.go
+++ b/pkg/kubelet/config/flags.go
@ -86,7 +86,7 @@ func (s *ContainerRuntimeOptions) AddFlags(fs *pflag.FlagSet) {
 	// General settings.
 	fs.StringVar(&s.ContainerRuntime, "container-runtime", s.ContainerRuntime, "The container runtime to use. Possible values: 'docker', 'remote', 'rkt (deprecated)'.")
 	fs.StringVar(&s.RuntimeCgroups, "runtime-cgroups", s.RuntimeCgroups, "Optional absolute name of cgroups to create and run the runtime in.")
-	fs.BoolVar(&s.RedirectContainerStreaming, "redirect-container-streaming", s.RedirectContainerStreaming, "Enables container streaming redirect. If false, kubelet will proxy container streaming data between apiserver and container runtime; if true, kubelet will return an http redirect to apiserver, and apiserver will access container runtime directly. The proxy approach is more secure, but introduces some overhead. The redirect approach is more performant, but less secure because the connection between apiserver and container runtime is not authenticated.")
+	fs.BoolVar(&s.RedirectContainerStreaming, "redirect-container-streaming", s.RedirectContainerStreaming, "Enables container streaming redirect. If false, kubelet will proxy container streaming data between apiserver and container runtime; if true, kubelet will return an http redirect to apiserver, and apiserver will access container runtime directly. The proxy approach is more secure, but introduces some overhead. The redirect approach is more performant, but less secure because the connection between apiserver and container runtime may not be authenticated.")

 	// Docker-specific settings.
 	fs.BoolVar(&s.ExperimentalDockershim, "experimental-dockershim", s.ExperimentalDockershim, "Enable dockershim only mode. In this mode, kubelet will only start dockershim without any other functionalities. This flag only serves test purpose, please do not use it unless you are conscious of what you are doing. [default=false]")
--- a/pkg/kubelet/dockershim/docker_service.go
+++ b/pkg/kubelet/dockershim/docker_service.go
@ -411,7 +411,7 @@ func (ds *dockerService) Start(stopCh <-chan struct{}) error {
 		}()
 		go func() {
 			if err := ds.streamingServer.Start(true); err != nil && err != http.ErrServerClosed {
-				glog.Fatalf("Failed to start streaming server: %v", err)
+				glog.Fatalf("Streaming server stopped unexpectedly: %v", err)
 			}
 		}()
 	}
--- a/pkg/kubelet/server/server.go
+++ b/pkg/kubelet/server/server.go
@ -631,6 +631,13 @@ func (r *responder) Error(w http.ResponseWriter, req *http.Request, err error) {
 	http.Error(w, err.Error(), http.StatusInternalServerError)
 }

+// proxyStream proxies stream to url.
+func proxyStream(w http.ResponseWriter, r *http.Request, url *url.URL) {
+	// TODO(random-liu): Set MaxBytesPerSec to throttle the stream.
+	handler := proxy.NewUpgradeAwareHandler(url, nil /*transport*/, false /*wrapTransport*/, true /*upgradeRequired*/, &responder{})
+	handler.ServeHTTP(w, r)
+}
+
 // getAttach handles requests to attach to a container.
 func (s *Server) getAttach(request *restful.Request, response *restful.Response) {
 	params := getExecRequestParams(request)
@ -657,8 +664,7 @@ func (s *Server) getAttach(request *restful.Request, response *restful.Response)
 		http.Redirect(response.ResponseWriter, request.Request, url.String(), http.StatusFound)
 		return
 	}
-	handler := proxy.NewUpgradeAwareHandler(url, nil /*transport*/, false /*wrapTransport*/, false /*upgradeRequired*/, &responder{})
-	handler.ServeHTTP(response.ResponseWriter, request.Request)
+	proxyStream(response.ResponseWriter, request.Request, url)
 }

 // getExec handles requests to run a command inside a container.
@ -686,8 +692,7 @@ func (s *Server) getExec(request *restful.Request, response *restful.Response) {
 		http.Redirect(response.ResponseWriter, request.Request, url.String(), http.StatusFound)
 		return
 	}
-	handler := proxy.NewUpgradeAwareHandler(url, nil /*transport*/, false /*wrapTransport*/, false /*upgradeRequired*/, &responder{})
-	handler.ServeHTTP(response.ResponseWriter, request.Request)
+	proxyStream(response.ResponseWriter, request.Request, url)
 }

 // getRun handles requests to run a command inside a container.
@ -753,8 +758,7 @@ func (s *Server) getPortForward(request *restful.Request, response *restful.Resp
 		http.Redirect(response.ResponseWriter, request.Request, url.String(), http.StatusFound)
 		return
 	}
-	handler := proxy.NewUpgradeAwareHandler(url, nil /*transport*/, false /*wrapTransport*/, false /*upgradeRequired*/, &responder{})
-	handler.ServeHTTP(response.ResponseWriter, request.Request)
+	proxyStream(response.ResponseWriter, request.Request, url)
 }

 // ServeHTTP responds to HTTP requests on the Kubelet.