Because my Kubernetes Cluster is behind a corporate proxy, I need to set http/https proxy in pods via environment variables and set no_proxy to allow inter-pod and inter-service communication and communication with other local private servers.
Proxy http/https configuration worked perfectly when passing to the pods through env variables; but no_proxy did not work well and it breaks internal pod/service communication.
I have tried unsuccessfully to set no_proxy and NO_PROXY at different levels in Kubernetes, mainly at:
Proxy configuration within PODs succeeded with env variables inside the PODs:
export http_proxy="http://10.16.1.1:8080"
export https_proxy="https://10.16.1.1:8080"
But none of the above worked for no_proxy exceptions; I tried many syntaxes and also added my node, pod & service networks, and .svc (as suggested for OpenShift), as listed below:
export no_proxy=".svc,.example.com"
export no_proxy="localhost,127.0.0.0/8,10.1.16.0/24,10.240.0.0/16,10.241.0.0/16,*.domain.com"
export no_proxy=".svc,.default,.local,.cluster.local,localhost,127.0.0.0/8,10.1.16.0/24,10.240.0.0/16,10.241.0.0/16,.domain.com"
export NO_PROXY=$no_proxy
I am using Kubernetes v1.11.2 + Docker v1.13.1 on CentOS7.
Any help would be appreciated.
I took a closer look at this case, and it turns out the problem here lies in the environment variables. The no_proxy variable does not support network ranges.
So, in theory, you could use some init scripts to exclude required networks. However, it will be really tricky as there might be many addresses to put in there.
Unfortunately, I am not that experienced with networking, so I cannot help you much more on how to work around this. You can find more about proxies here. You can read more about it in this case: Set a network range in the no_proxy environment variable.
I had the same problem with OKD, and I solved it by adding the following env variables to the deployment.yaml:
spec:
  containers:
  - env:
    - name: HTTP_PROXY
    - name: HTTPS_PROXY
    - name: http_proxy
    - name: no_proxy
    - name: https_proxy
Some variables could be redundant, but I didn't have time to test. I hope it helps.
We can make a reasonable assumption that we don't use IP addresses directly to access external network servers. In other words, we use FQDNs to access, say, python.com, google.com or github.com, rather than their IP addresses.
With this assumption, we can bypass web-proxy for all direct IP address access.
export no_proxy=localhost,.svc
printf -v allip '%s,' .{0..255}
export no_proxy="$no_proxy,${allip%,}"
This adds .0,.1,.2,...,.255 to the no_proxy env variable. There is no magic here: we just treat the IP address as an FQDN, so a suffix match works the same as an FQDN no_proxy entry. Say, .120 would match all IP addresses x.x.x.120.
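To see why the CIDR entries from the question are ignored while the .0 to .255 suffix trick works, here is an added example (not code from any of the answers above) that feeds both no_proxy strings to the matcher in Python's own urllib, which does plain host and suffix matching just like the answer describes. Matching rules are client-specific, so check the client actually running in the pod; the sample hosts below are constructed.

```python
from urllib.request import proxy_bypass_environment


def build_no_proxy(extra=("localhost", ".svc")):
    """Reproduce the answer's trick: append .0 ... .255 so that any
    dotted-quad address suffix-matches one of the entries."""
    last_octets = [f".{i}" for i in range(256)]
    return ",".join(list(extra) + last_octets)


def bypasses(host, no_proxy):
    """True if urllib would skip the proxy for `host` given this no_proxy.

    urllib splits no_proxy on commas, drops a leading dot from each entry,
    and bypasses when the host equals the entry or ends with "." + entry.
    A CIDR entry like 10.1.16.0/24 therefore never matches anything.
    """
    return proxy_bypass_environment(host, {"no": no_proxy})


def check_hosts(no_proxy, hosts):
    """Map each host to whether it bypasses the proxy under `no_proxy`."""
    return {host: bypasses(host, no_proxy) for host in hosts}


# The question's attempt: CIDR ranges plus a cluster suffix.
CIDR_NO_PROXY = "localhost,127.0.0.0/8,10.1.16.0/24,.svc"
# The answer's trick: suffix entries for every possible last octet.
TRICK_NO_PROXY = build_no_proxy()

# Constructed sample destinations: an in-cluster pod IP (with and without
# a port), an in-cluster service name, and an external FQDN.
SAMPLE_HOSTS = [
    "10.1.16.5",
    "10.1.16.5:8080",
    "kubernetes.default.svc",
    "github.com",
]

if __name__ == "__main__":
    for label, value in (("CIDR", CIDR_NO_PROXY), ("suffix", TRICK_NO_PROXY)):
        print(f"no_proxy style: {label}")
        for host, result in check_hosts(value, SAMPLE_HOSTS).items():
            print(f"  {host:24} bypass={result}")
```

The pod IP only bypasses the proxy under the suffix-style list; the service name bypasses under both thanks to the .svc entry, and the external FQDN never does.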