Catch kubelet-master hostname mismatch during health check

During the kubelet's /healthz responce check to see if the hostname used by the master matches the hostname the kubelet knows itself by. If not fail the health check. Signed-off-by: Sami Wagiaalla <swagiaal@redhat.com>
2025-09-11 06:02:18 +00:00 · 2015-02-09 11:40:42 -05:00
parent eedd9ec317
commit 9150cb9d95
4 changed files with 88 additions and 0 deletions
--- a/pkg/kubelet/server.go
+++ b/pkg/kubelet/server.go
@@ -78,6 +78,7 @@ type HostInterface interface {
 	ServeLogs(w http.ResponseWriter, req *http.Request)
 	PortForward(name string, uid types.UID, port uint16, stream io.ReadWriteCloser) error
 	StreamingConnectionIdleTimeout() time.Duration
+	GetHostname() string
 }

 // NewServer initializes and configures a kubelet.Server object to handle HTTP requests.
@@ -148,6 +149,25 @@ func (s *Server) handleHealthz(w http.ResponseWriter, req *http.Request) {
 		s.error(w, errors.New("Docker version is too old ("+version+")"))
 		return
 	}
+
+	masterHostname, _, err := net.SplitHostPort(req.Host)
+	if err != nil {
+		if !strings.Contains(req.Host, ":") {
+			masterHostname = req.Host
+		} else {
+			msg := fmt.Sprintf("Could not parse hostname from http request: %v", err)
+			s.error(w, errors.New(msg))
+			return
+		}
+	}
+
+	// Check that the hostname known by the master matches the hostname
+	// the kubelet knows
+	hostname := s.host.GetHostname()
+	if masterHostname != hostname {
+		s.error(w, errors.New("Kubelet hostname \""+hostname+"\" does not match the hostname expected by the master \""+masterHostname+"\""))
+		return
+	}
 	w.Write([]byte("ok"))
 }