fix authorization header stripped by kube-apiserver (#2145)

2020-06-02 11:59:46 +08:00
parent a86f2a10c8
commit 68029de64c
3 changed files with 25 additions and 1 deletions
--- a/pkg/apiserver/filters/requestinfo.go
+++ b/pkg/apiserver/filters/requestinfo.go
@@ -32,6 +32,19 @@ func WithRequestInfo(handler http.Handler, resolver request.RequestInfoResolver)
 			return
 		}

+		// KubeSphere supports kube-apiserver proxy requests in multicluster mode. But kube-apiserver
+		// stripped all authorization headers. Use custom header to carry token to avoid losing authentication token.
+		// We may need a better way. See issue below.
+		// https://github.com/kubernetes/kubernetes/issues/38775#issuecomment-277915961
+		authorization := req.Header.Get("Authorization")
+		if len(authorization) == 0 {
+			xAuthorization := req.Header.Get("X-KubeSphere-Authorization")
+			if len(xAuthorization) != 0 {
+				req.Header.Set("Authorization", xAuthorization)
+				req.Header.Del("X-KubeSphere-Authorization")
+			}
+		}
+
 		req = req.WithContext(request.WithRequestInfo(ctx, info))
 		handler.ServeHTTP(w, req)
 	})