sec-websocket-protocol header defaults to v4.channel.k8s.io causing HTTP 400 #2355

Open
Schille opened this issue Feb 18, 2025 · 5 comments
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/bug Categorizes issue or PR as related to a bug.

Comments

@Schille
Schille commented Feb 18, 2025

What happened (please include outputs or screenshots):
We are running our tool Gefyra to fetch environment variables from a running pod/container via a usual stream over connect_get_namespaced_pod_exec:

https://github.com/gefyrahq/gefyra/blob/42879723d8a9265ed77faab3b23c47763950a461/client/gefyra/cluster/utils.py#L26-L36

In one of our environments, I am receiving an HTTP 400 for the WebSocket upgrade call. However, the equivalent kubectl exec ... executes properly.

From somewhere in the stack trace: websocket._exceptions.WebSocketBadStatusException: Handshake status 400 Bad Request - ...

So I looked for the differences between kubectl (v1.31.1) and the Python package (31.0.0). I was able to trace the problem back to the sec-websocket-protocol header, which defaults to v4.channel.k8s.io:

    if headers and 'sec-websocket-protocol' in headers:
        header.append("sec-websocket-protocol: %s" %
                      headers['sec-websocket-protocol'])
    else:
        header.append("sec-websocket-protocol: v4.channel.k8s.io")

The value of the sec-websocket-version is set to 13 with both kubectl and kubernetes-python.
Unfortunately, I couldn't find many sources on this, except https://kubernetes.io/blog/2024/08/20/websockets-transition/.

After patching the content of kubernetes/base/stream/ws_client.py in my site-packages to v5.channel.k8s.io, it started to work again.
Now I am looking for a solution to pass this header from our code to get rid of the monkeypatch, but without constructing the WSClient myself.

Is this some special setting in our environment (I mean to prevent v4.channel.k8s.io from working) or does that apply to all K8s clusters starting from 1.30.x?

What you expected to happen:
The stream over connect_get_namespaced_pod_exec to work with sec-websocket-protocol set to v5.channel.k8s.io.

How to reproduce it (as minimally and precisely as possible):

Anything else we need to know?:

Environment:

  • Kubernetes version (kubectl version):
Client Version: v1.31.1
Kustomize Version: v5.4.2
Server Version: v1.30.1
  • OS (e.g., MacOS 10.13.6):
Linux/Container
  • Python version (python --version)
Python 3.9.20
  • Python client version (pip list | grep kubernetes)
kubernetes            31.0.0

Thank you for your good work.
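
Added example, not part of the original issue and not code from kubernetes-client/python or kubectl: a small offline model of the header choice quoted above and of subprotocol negotiation. It goes slightly beyond the issue by also showing a comma-separated offer list, which RFC 6455 permits. The function names, the server's supported set and the 400-on-mismatch behaviour are assumptions made for illustration.

```python
# Added illustration: models the header logic quoted in the issue. Not library code.
DEFAULT_SUBPROTOCOL = "v4.channel.k8s.io"  # default from the quoted ws_client.py excerpt
HEADER = "sec-websocket-protocol"


def build_subprotocol_header(headers=None):
    """Same decision as the excerpt, but the key lookup ignores case, so a
    caller passing 'Sec-WebSocket-Protocol' is not silently overridden."""
    for name, value in (headers or {}).items():
        if name.lower() == HEADER:
            return "%s: %s" % (HEADER, value)
    return "%s: %s" % (HEADER, DEFAULT_SUBPROTOCOL)


def offered(header_line):
    """Split the header value into the client's ordered offer list (RFC 6455)."""
    _, _, value = header_line.partition(":")
    return [p.strip() for p in value.split(",") if p.strip()]


def negotiate(header_line, server_supported):
    """Hypothetical server: pick the first offered subprotocol it supports.
    Returns (status, selected); 400 models the rejection seen in the issue."""
    for proto in offered(header_line):
        if proto in server_supported:
            return 101, proto
    return 400, None


# Constructed scenario: a server that only accepts v5 (an assumption, not a
# statement about any particular cluster).
V5_ONLY = {"v5.channel.k8s.io"}


def demo():
    default_offer = build_subprotocol_header()
    override = build_subprotocol_header({"Sec-WebSocket-Protocol": "v5.channel.k8s.io"})
    both = build_subprotocol_header({HEADER: "v5.channel.k8s.io, v4.channel.k8s.io"})
    return {
        "default": negotiate(default_offer, V5_ONLY),
        "override": negotiate(override, V5_ONLY),
        "both_on_v4_server": negotiate(both, {"v4.channel.k8s.io"}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The quoted excerpt tests for the exact lowercase key, so with a plain dict a differently cased header name would fall through to the default; the model normalises the name to make that case visible.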

@Schille Schille added the kind/bug Categorizes issue or PR as related to a bug. label Feb 18, 2025
BhaskarSrinivasK pushed a commit to BhaskarSrinivasK/kubectl-python that referenced this issue Feb 23, 2025
@BhaskarSrinivasK

The commit I pushed makes sure that the client defaults to v5.channel.k8s.io, like kubectl.

@roycaihw
Member

/help

@k8s-ci-robot
Contributor

@roycaihw:
This request has been marked as needing help from a contributor.

Guidelines

Please ensure that the issue body includes answers to the following questions:

  • Why are we solving this issue?
  • To address this issue, are there any code changes? If there are code changes, what needs to be done in the code and what places can the assignee treat as reference points?
  • Does this issue have zero to low barrier of entry?
  • How can the assignee reach out to you for help?

For more details on the requirements of such an issue, please see here and ensure that they are met.

If this request no longer meets these requirements, the label can be removed by commenting with the /remove-help command.

In response to this:

/help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. label Feb 26, 2025
@roycaihw
Member

cc @seans3

@seans3
seans3 commented Feb 26, 2025

/assign
