PGadmin4 on Kubernetes: Session invalidated when using ELB

2/11/2019

I have a weird problem with PGAdmin4.

My setup

  • pgadmin 4.1 deployed on kubernetes using the chorss/docker-pgadmin4 image. One POD only to simplify troubleshooting;
  • Nginx ingress controller as reverse proxy on the cluster;
  • Classic ELB in front to load balance incoming traffic on the cluster.

ELB <=> NGINX <=> PGADMIN

From a DNS point of view, the hostname of pgadmin is a CNAME towards the ELB.

The problem

The application is correctly reachable, users can log in and everything works just fine. The problem is that after a couple of (roughly 2-3) minutes the session is invalidated and users are requested to log in again. This happens regardless of whether pgadmin is actively used or not.

After countless hours of troubleshooting, I found out that the problem happens when the DNS resolution of ELB's CNAME switches to another IP address.

In fact, I tried:

  • connecting to the pod directly by connecting to the k8s service's node port directly => session doesn't expire;
  • connecting to nginx (bypassing the ELB) directly => session doesn't expire;
  • mapping one of the ELB's IP addresses in my hosts file => session doesn't expire.

Given the above test, I'd conclude that the Flask app (PGAdmin4 is a Python Flask application apparently) is considering my cookie invalid after the remote address changes for my hostname.

Any Flask developer that can help me fix this problem? Any other idea about something I might be missing?

-- whites11
flask
flask-session
kubernetes
pgadmin-4

2 Answers

2/19/2019

PGadmin 4 seems to use Flask-Security for authentication:

pgAdmin utilised the Flask-Security module to manage application security and users, and provides options for self-service password reset and password changes etc.

https://www.pgadmin.org/docs/pgadmin4/dev/code_overview.html

Flask-Security seems to use Flask-Login:

Many of these features are made possible by integrating various Flask extensions and libraries. They include: Flask-Login ...

https://pythonhosted.org/Flask-Security/

Flask-Login seems to have a feature called "session protection":

When session protection is active, each request, it generates an identifier for the user’s computer (basically, a secure hash of the IP address and user agent). If the session does not have an associated identifier, the one generated will be stored. If it has an identifier, and it matches the one generated, then the request is OK.

https://flask-login.readthedocs.io/en/latest/#session-protection

I would assume setting login_manager.session_protection = None would solve the issue, but unfortunately I don't know how to set it in PGadmin. Hope it might help you somehow.

-- Pampy
Source: StackOverflow

8/11/2019

For those looking for a solution, you need to add the below to config.py or config_distro.py or config_local.py

config_local.py

SESSION_PROTECTION = None

-- Tarun Lalwani
Source: StackOverflow
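
An added example (not part of either answer, and not Flask-Login's or pgAdmin's code): a standard-library model of the session-protection check quoted in the first answer, showing what each SESSION_PROTECTION value does when the address the app observes changes mid-session. The IP addresses, user agent and user id are constructed, the helper names are hypothetical, and the "basic"/"strong" handling follows Flask-Login's documented modes for a non-permanent session.

```python
import hashlib

def make_identifier(remote_addr, user_agent):
    """Secure hash of the address and user agent the app sees on a request."""
    raw = f"{remote_addr}|{user_agent}".encode("utf-8")
    return hashlib.sha512(raw).hexdigest()

def login(session, user_id, remote_addr, user_agent):
    """Start a fresh authenticated session bound to the current identifier."""
    session.update(_user_id=user_id, _fresh=True,
                   _id=make_identifier(remote_addr, user_agent))

def check_request(session, remote_addr, user_agent, mode):
    """Apply session protection to one request; mode is None, 'basic' or 'strong'.

    Returns 'ok', 'stale' (kept, but no longer fresh) or 'logged_out'.
    Models a non-permanent session only.
    """
    if mode not in ("basic", "strong"):
        return "ok"                       # SESSION_PROTECTION = None: no check
    ident = make_identifier(remote_addr, user_agent)
    if session.setdefault("_id", ident) == ident:
        return "ok"                       # same address and user agent as stored
    if mode == "basic":
        session["_fresh"] = False         # still logged in, re-auth for sensitive views
        return "stale"
    session.clear()                       # strong: drop the whole session
    return "logged_out"

def replay(mode, requests):
    """Log in from the first (addr, ua) pair, then replay the rest under `mode`."""
    session = {}
    login(session, "admin@example.org", *requests[0])
    return [check_request(session, addr, ua, mode) for addr, ua in requests[1:]]

# Constructed traffic: the same browser, but the address the app observes
# changes on the third request (documentation-range IPs, made-up user agent).
UA = "ExampleBrowser/1.0"
REQUESTS = [("203.0.113.10", UA), ("203.0.113.10", UA), ("198.51.100.7", UA)]

if __name__ == "__main__":
    for mode in (None, "basic", "strong"):
        print(mode, replay(mode, REQUESTS))
```

With `None` the session cookie is no longer tied to the client's address or user agent, so a copied cookie is accepted from any address. `basic` keeps the user logged in across an address change while still marking the session as non-fresh.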