There are a set of proxy environment variables (http_proxy, HTTP_PROXY, https_proxy, HTTPS_PROXY, no_proxy, NO_PROXY) in my OpenShift pods that I did not explicitly include and I do not want them there.
For example
$ oc run netshoot -it --image docker-registry.default.svc:5000/default/netshoot -- bash
If you don't see a command prompt, try pressing enter.
bash-4.4$ env | grep -i proxy | sort
HTTPS_PROXY=http://xx.xx.xx.xx:8081/
HTTP_PROXY=http://xx.xx.xx.xx:8081/
NO_PROXY=.cluster.local,.mydomain.nz,.localdomain.com,.svc,10.xx.xx.xx,127.0.0.1,172.30.0.1,app01.mydomain.nz,app02.mydomain.nz,inf01.mydomain.nz,inf02.mydomain.nz,mst01.mydomain.nz,localaddress,localhost,.edpay.nz
http_proxy=xx.xx.xx.xx:8081
https_proxy=xx.xx.xx.xx:8081
no_proxy=.cluster.local,.mydomain.nz,.localdomain.com,.svc,10.xx.xx.xx,127.0.0.1,172.30.0.1,app01.mydomain.nz,app02.mydomain.nz,inf01.mydomain.nz,inf02.mydomain.nz,mst01.mydomain.nz,localaddress,localhost,.edpay.nz
I have yet to track down how those env vars are getting into my pods.
I am not Setting Proxy Environment Variables in Pods.
$ oc get pod netshoot-1-hjp2p -o yaml | grep -A 10 env
[no output]
$ oc get deploymentconfig netshoot -o yaml | grep -A 10 env
[no output]
I am not Creating Pod Presets.
$ oc get podpresets --all-namespaces
No resources found.
Docker on my master/app nodes has no proxy env vars.
$ grep -i proxy /etc/sysconfig/docker
[no output]
Kubelet (openshift-node) on my master/app nodes has no proxy env vars.
$ grep -i proxy /etc/sysconfig/atomic-openshift-node
[no output]
Master components on my master nodes have no proxy env vars.
$ grep -i proxy /etc/sysconfig/atomic-openshift-master
[no output]
$ grep -i proxy /etc/sysconfig/atomic-openshift-master-api
[no output]
$ grep -i proxy /etc/sysconfig/atomic-openshift-master-controllers
[no output]
Contents of sysconfig files (not including comments):
$ cat /etc/sysconfig/atomic-openshift-master
OPTIONS="--loglevel=0"
CONFIG_FILE=/etc/origin/master/master-config.yaml
$ cat /etc/sysconfig/atomic-openshift-node
OPTIONS=--loglevel=2
CONFIG_FILE=/etc/origin/node/node-config.yaml
IMAGE_VERSION=v3.9.51
$ cat /etc/sysconfig/docker
OPTIONS=' --selinux-enabled --signature-verification=False --insecure-registry 172.30.0.0/16'
if [ -z "${DOCKER_CERT_PATH}" ]; then
DOCKER_CERT_PATH=/etc/docker
fi
ADD_REGISTRY='--add-registry registry.access.redhat.com'
$ cat /etc/sysconfig/atomic-openshift-master-api
OPTIONS=--loglevel=2 --listen=https://0.0.0.0:8443 --master=https://mst01.mydomain.nz:8443
CONFIG_FILE=/etc/origin/master/master-config.yaml
OPENSHIFT_DEFAULT_REGISTRY=docker-registry.default.svc:5000
$ cat /etc/sysconfig/atomic-openshift-master-controllers
OPTIONS=--loglevel=2 --listen=https://0.0.0.0:8444
CONFIG_FILE=/etc/origin/master/master-config.yaml
OPENSHIFT_DEFAULT_REGISTRY=docker-registry.default.svc:5000
I'm at a loss as to how those proxy env vars are getting into my pods.
Versions:
We finally figured this out. We had openshift_http_proxy, openshift_https_proxy, and openshift_no_proxy set in our installer inventory variables as per Configuring Global Proxy Options.
We knew that this meant it also implicitly set the openshift_builddefaults_http_proxy, openshift_builddefaults_https_proxy, and openshift_builddefaults_no_proxy installer inventory variables, and according to the docs:
This variable defines the HTTP_PROXY environment variable inserted into builds using the BuildDefaults admission controller. If you do not define this parameter but define the openshift_http_proxy parameter, the openshift_http_proxy value is used. Set the openshift_builddefaults_http_proxy value to False to disable default http proxy for builds regardless of the openshift_http_proxy value.
What we did not know (and I would argue is not at all clear from the description above) is that setting those installer inventory variables sets the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY env vars permanently within your images.
It's painfully apparent now when we look back on the build logs and see lines like this:
...
Step 2/19 : ENV "HTTP_PROXY" "xxx.xxx.xxx.xxx" "HTTPS_PROXY" "xxx.xxx.xxx.xxx" "NO_PROXY" "127.0.0.1,localhost,172.30.0.1,.svc,.cluster.local" "http_proxy" "xxx.xxx.xxx.xxx" "https_proxy" "xxx.xxx.xxx.xxx" "no_proxy" "127.0.0.1,localhost,172.30.0.1,.svc,.cluster.local"
...
We couldn't exclude proxy env vars from the pods because those env vars were set at build time.
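As an added example (not part of the original question or answer), here is what the relevant openshift-ansible inventory fragment looks like with the global proxy settings that cause the behaviour described above, beside the build-defaults override that stops the proxy being baked into images. The `[OSEv3:vars]` section and the variable names are the ones the answer and the quoted docs use; the proxy address and domains are placeholders. The `False` override is documented in the quoted passage for openshift_builddefaults_http_proxy; applying the same override to the https and no_proxy variables is assumed here to follow the same pattern.

```ini
# openshift-ansible inventory fragment (added example, not from the original post).
# Proxy address and domains are placeholders, as in the question.

[OSEv3:vars]
# Cluster-wide proxy settings from the original install. On their own these
# also feed the BuildDefaults admission controller, which adds an
# ENV HTTP_PROXY/HTTPS_PROXY/NO_PROXY (and lowercase) layer to every image
# built on the cluster, which is why the pods inherit them.
openshift_http_proxy=http://xx.xx.xx.xx:8081/
openshift_https_proxy=http://xx.xx.xx.xx:8081/
openshift_no_proxy=.mydomain.nz,.localdomain.com

# Fix: disable the build defaults explicitly so builds (and therefore images)
# get no proxy ENV, while nodes and master components keep the proxy above.
# The False value for http_proxy is the documented override; https and no_proxy
# are assumed to accept the same override.
openshift_builddefaults_http_proxy=False
openshift_builddefaults_https_proxy=False
openshift_builddefaults_no_proxy=False
```

Two practical notes. First, the place the question's greps did not look is /etc/origin/master/master-config.yaml: openshift-ansible renders the build defaults into the BuildDefaults admission plugin configuration there, so `grep -i -A 20 BuildDefaults /etc/origin/master/master-config.yaml` on a master shows the env entries being injected before any build runs. Second, changing the inventory and re-running the installer only changes future builds; images already built carry the ENV layer shown in the build log above and have to be rebuilt before new pods stop inheriting the variables.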