How to set no_proxy in Kubernetes pods

9/12/2018

Because my Kubernetes Cluster is behind a corporate proxy, I need to set http/https proxy in pods via environment variables and set no_proxy to allow inter-pod and inter-service communication and communication with other local private servers.

The http/https proxy configuration worked perfectly when passed to the pods through env variables, but no_proxy did not work well and it breaks internal pod/service communication.

I have tried unsuccessfully to set no_proxy and NO_PROXY at different levels in Kubernetes, mainly at:

  • Docker daemon: /etc/systemd/system/docker.service.d/http-proxy.conf
  • Docker client: /root/.docker/config.json (although it does not seem applicable when using Docker v1.13.1 on CentOS)
  • Docker client: through environment variables passed to the pods at creation time, in the yaml file used to run them with kubectl
  • Kubernetes master and worker nodes as environment variables
  • and many combinations of the above settings

Proxy configuration within PODs succeeded with env variables inside the PODs:

    export http_proxy="http://10.16.1.1:8080"
    export https_proxy="https://10.16.1.1:8080"

But none of the above worked for no_proxy exceptions. I tried many syntaxes and also added my nodes, pod & service networks, and .svc (as suggested for OpenShift), as listed below:

    export no_proxy=".svc,.example.com"
    export no_proxy="localhost,127.0.0.0/8,10.1.16.0/24,10.240.0.0/16,10.241.0.0/16,*.domain.com"
    export no_proxy=".svc,.default,.local,.cluster.local,localhost,127.0.0.0/8,10.1.16.0/24,10.240.0.0/16,10.241.0.0/16,.domain.com"
    export NO_PROXY=$no_proxy

I am using Kubernetes v1.11.2 + Docker v1.13.1 on CentOS7.
Any help would be appreciated.

-- geomar
docker
kubernetes

3 Answers

10/4/2018

I took a closer look at this case, and it turns out the problem here lies in the environment variables. The no_proxy variable does not support network ranges.

So, in theory, you could use some init scripts to exclude required networks. However, it will be really tricky as there might be many addresses to put in there.
Unfortunately, I am not that experienced with networking, so I cannot help you a lot more on how to work around this. You can find more about proxies here. You can read more about it in this case: "Set a network range in the no_proxy environment variable".

-- aurelius
Source: StackOverflow

11/13/2019

I had the same problem with OKD and I solved it by adding the following env variables to the deployment.yaml:

    spec:
      containers:
        - env:
            - name: HTTP_PROXY
            - name: HTTPS_PROXY
            - name: http_proxy
            - name: no_proxy
            - name: https_proxy

Some variables could be redundant, but I didn't have time to test. I hope it helps.

-- user93790
Source: StackOverflow

9/8/2019

We can make a reasonable assumption that we don't directly use IP addresses to access external network servers. In other words, we use FQDNs to access, say, python.com, google.com, github.com, rather than using their IP addresses directly.

With this assumption, we can bypass web-proxy for all direct IP address access.

    export no_proxy=localhost,.svc
    printf -v allip '%s,' .{0..255}
    export no_proxy="$no_proxy,${allip%,}"

This adds .0,.1,.2,...,.255 to the no_proxy env variable. There is no magic here. We just treat an IP address as an FQDN, so a suffix match works the same way as an FQDN no_proxy setting. Say, .120 would match all IP addresses x.x.x.122.

-- B.Z.
Source: StackOverflow
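
The behaviour described in the first and third answers, as an added example that is not part of the original posts: a simplified suffix-only matcher (an assumption about how the client treats no_proxy; real clients differ) run against the question's last no_proxy value and the third answer's suffix list. The function names and the destination hosts are constructed for illustration.

```python
"""Suffix-only no_proxy matching: a simplified model, not any real client's code."""
import ipaddress

def bypasses_proxy(host, no_proxy):
    """True if host equals an entry or ends with '.' + entry (leading dot ignored)."""
    host = host.lower()
    for entry in no_proxy.split(","):
        name = entry.strip().lower().lstrip(".")
        if name and (host == name or host.endswith("." + name)):
            return True
    return False

def expand_cidr(cidr):
    """Init-script approach: one literal no_proxy entry per address in the range."""
    return ",".join(str(ip) for ip in ipaddress.ip_network(cidr))

def octet_suffixes():
    """Same list as `printf -v allip '%s,' .{0..255}`: .0,.1,...,.255"""
    return ",".join(f".{n}" for n in range(256))

# Last no_proxy value from the question, CIDR entries included.
QUESTION_LIST = (".svc,.default,.local,.cluster.local,localhost,127.0.0.0/8,"
                 "10.1.16.0/24,10.240.0.0/16,10.241.0.0/16,.domain.com")
# Value built in the third answer.
SUFFIX_LIST = "localhost,.svc," + octet_suffixes()

# Constructed destinations: a service name, two addresses inside the question's
# ranges, an external name, and an external IP literal (documentation range).
HOSTS = ["kubernetes.default.svc", "10.240.3.7", "10.1.16.20",
         "github.com", "203.0.113.9"]

def compare(hosts=HOSTS):
    """Per host: (host, bypass with QUESTION_LIST, bypass with SUFFIX_LIST)."""
    return [(h, bypasses_proxy(h, QUESTION_LIST), bypasses_proxy(h, SUFFIX_LIST))
            for h in hosts]

if __name__ == "__main__":
    for host, cidr_list, suffix_list in compare():
        print(f"{host:24} question list: {cidr_list!s:5}  suffix list: {suffix_list}")
    per_ip = expand_cidr("10.1.16.0/24")
    print("10.1.16.0/24 as literal entries:", per_ip.count(",") + 1,
          "entries,", len(per_ip), "characters")
    print("10.240.0.0/16 would need",
          ipaddress.ip_network("10.240.0.0/16").num_addresses, "entries")
```

Under the suffix list every IPv4 literal skips the proxy, external ones included, so egress filtering on the nodes or network has to cover direct-IP traffic.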