Hardeneks doesn't work through the SSH tunnel #19
Comments
Hi @elibogomolnyi, thank you very much for trying hardeneks and creating an issue. I will try to reproduce your issue on my end. Hardeneks uses the Kubernetes Python API underneath (https://github.com/kubernetes-client/python). I saw similar issues before from that library where people are able to kubectl but sometimes when they try the same operations through the Python API it does not work: Can you try to add the --insecure-skip-tls-verify flag to see if this is about TLS verification?
Hi @dorukozturk, thank you for the fast response. I also tried the --insecure-skip-tls-verify flag, which didn't help.
Thank you. OK, I will try to reproduce your issue on my end and will fix it soon.
I did some research: Seems like the Kubernetes Python API does not respect the proxy environment vars such as: But in the configuration there is a proxy attribute we can set. I will try to create a proxy for an EKS cluster and see if that fix helps. I will keep you posted.
Hi @elibogomolnyi, just to give you an update: the Kubernetes Python API does not work with either the HTTP_PROXY environment variable or the proxy section in the kubeconfig file, unfortunately. There are a couple of PRs open. kubernetes-client/python#1862 Ideally I would like to avoid doing a hack on the hardeneks side but I might have to. I asked for an update on those issues. Let's see what the maintainers say. Is there a way that you can run hardeneks from a jumpbox or a bastion host while these issues are worked on?
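The `proxy` attribute of the client configuration mentioned in the comments above can be filled in from the usual proxy environment variables before any API call is made. This is an added example, not code from hardeneks or from anyone in this thread; `resolve_proxy` and `apply_proxy` are hypothetical helpers, the proxy address in the comment is constructed, and the `kubernetes` package is assumed to be installed for the `__main__` part.

```python
import os
from urllib.parse import urlsplit


def resolve_proxy(api_server, env=os.environ):
    """Return the proxy URL for api_server, or None for a direct connection.

    Hypothetical helper: reads <scheme>_PROXY and NO_PROXY (either case)
    from env, since per the thread the client does not read them itself.
    """
    parts = urlsplit(api_server)
    host = (parts.hostname or "").lower()
    scheme = parts.scheme or "https"

    def var(name):
        return env.get(name.lower()) or env.get(name.upper())

    # NO_PROXY: comma-separated hosts or domain suffixes, "*" disables proxying.
    for entry in (var("no_proxy") or "").split(","):
        entry = entry.strip().lower().lstrip(".")
        if entry == "*" or (entry and (host == entry or host.endswith("." + entry))):
            return None
    return var(f"{scheme}_proxy") or None


def apply_proxy(configuration, env=os.environ):
    """Set configuration.proxy for configuration.host.

    Only the proxy is touched; verify_ssl and the CA bundle stay as loaded,
    so certificate verification of the API server remains on.
    """
    proxy = resolve_proxy(configuration.host, env)
    if proxy:
        configuration.proxy = proxy
    return configuration


if __name__ == "__main__":
    # Requires the kubernetes package and a kubeconfig for the cluster.
    from kubernetes import client, config

    config.load_kube_config()
    cfg = client.Configuration.get_default_copy()
    apply_proxy(cfg)  # e.g. HTTPS_PROXY=http://127.0.0.1:8888 (constructed)
    client.Configuration.set_default(cfg)
    print(client.VersionApi().get_code().git_version)
```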
We are trying to use hardeneks for hardening our cluster. We connect to the cluster by the ssh tunnel through the bastion machine. Here is how we connect to our cluster.
Connecting to the AWS account admin user by SSO
Creating an SSH tunnel and connection to the cluster
After it, we can run all the kubectl-related commands and fully manage resources in our cluster.
But when we go with hardeneks, it first gets stuck here.
And then it fails with this error (the host was changed intentionally to hide the real DNS):
How can I configure the hardeneks to make requests through the SSH tunnel? I think that it is a typical issue since most clusters are not publicly exposed.