Merge pull request #34615 from Calpicow/master

Automatic merge from submit-queue Use same SSH tunnel as kubelet Provides a secure workaround for #11816 by having kube-apiserver use the same SSH tunnel as the kubelet it is trying to connect to. Use in conjunction with iptables or kubelet `--address=127.0.0.1`. The latter will break heapster. Will fallback to random behavior if the tunnel cannot be found.
2025-08-08 11:38:15 +00:00 · 2016-10-15 02:53:08 -07:00 · 2016-10-15 02:53:08 -07:00 · a38fc047e2
commit a38fc047e2
parent f418cd3d46 6f9fd4431a
1 changed files with 11 additions and 2 deletions
--- a/pkg/ssh/ssh.go
+++ b/pkg/ssh/ssh.go
@ -32,6 +32,7 @@ import (
 	"net/http"
 	"net/url"
 	"os"
+	"strings"
 	"sync"
 	"time"

@ -391,19 +392,27 @@ func (l *SSHTunnelList) Dial(net, addr string) (net.Conn, error) {
 	defer func() {
 		glog.Infof("[%x: %v] Dialed in %v.", id, addr, time.Now().Sub(start))
 	}()
-	tunnel, err := l.pickRandomTunnel()
+	tunnel, err := l.pickTunnel(strings.Split(addr, ":")[0])
 	if err != nil {
 		return nil, err
 	}
 	return tunnel.Dial(net, addr)
 }

-func (l *SSHTunnelList) pickRandomTunnel() (tunnel, error) {
+func (l *SSHTunnelList) pickTunnel(addr string) (tunnel, error) {
 	l.tunnelsLock.Lock()
 	defer l.tunnelsLock.Unlock()
 	if len(l.entries) == 0 {
 		return nil, fmt.Errorf("No SSH tunnels currently open. Were the targets able to accept an ssh-key for user %q?", l.user)
 	}
+	// Prefer same tunnel as kubelet
+	// TODO: Change l.entries to a map of address->tunnel
+	for _, entry := range l.entries {
+		if entry.Address == addr {
+			return entry.Tunnel, nil
+		}
+	}
+	glog.Warningf("SSH tunnel not found for address %q, picking random node", addr)
 	n := mathrand.Intn(len(l.entries))
 	return l.entries[n].Tunnel, nil
 }