Improve the accessibility of k8s.io domains in China #325

Open
idealhack opened this issue Aug 1, 2019 · 33 comments
Labels
lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. sig/contributor-experience Categorizes an issue or PR as relevant to SIG Contributor Experience. sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra.

Comments

@idealhack
Member

This came up at Contributor Summit Shanghai in June; we then discussed it at the retro meeting and the sig-contribex APAC coordinator meeting.

Notes from the retro meeting:

While we use git.k8s.io and slack.k8s.io a lot across the community, they are not accessible in China. People need a VPN to contribute anyway, but this confuses newcomers. Also, lots of VPNs did not work in June. [idealhack]

k8s.io was an unexpected problem. [jberkus] You can't make it work even on some VPNs.

We were not able to sort the local VPN gateway issues for this event [jberkus]

So the important domains for contributors are git.k8s.io and slack.k8s.io, while others may be important to users.

Can you help with this? There are Google Cloud IPs that are not blocked, or maybe we could use a CDN to improve the accessibility globally.

/sig contributor-experience
/priority important-longterm

cc @nikhita @jberkus

@k8s-ci-robot k8s-ci-robot added sig/contributor-experience Categorizes an issue or PR as relevant to SIG Contributor Experience. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. labels Aug 1, 2019
@nikhita
Member

nikhita commented Aug 1, 2019

cc @cblecker @spiffxp @dims

@tao12345666333
Member

Maybe a reference case: helm/helm#5663

@thockin
Member

thockin commented Oct 23, 2019

Is the problem that IP blocks that exist in Google Cloud's customer space are blocked? Or is it that the things we redirect to are blocked?

@idealhack
Member Author

Take git.k8s.io, which redirects to github.com/kubernetes, as an example: it's Google Cloud that was blocked, not GitHub.

You can use https://www.17ce.com/site?lang=en_us to test what it's like when accessing a site in China.

@thockin
Member

thockin commented Oct 24, 2019 via email

@idealhack
Member Author

Hmm, sorry, I was thinking maybe the English option will help. The check is done by requesting (GET, ping, traceroute, etc.) a host from different places in China, and you can see a map with availability after it's done.

As said in the issue description, there are Google Cloud IPs that are not blocked, but I'm not quite sure about the details; the percentages may be different between regions. I understand this may be hard or annoying to find and change.

Running something somewhere else is a choice, but it also means more work :(

@thockin
Member

thockin commented Oct 25, 2019 via email

@idealhack
Member Author

To be clear, what I meant was that not all Google Cloud IPs or sites running on Google Cloud are blocked (e.g. one of the services I maintain in Asia regions on GKE is not), but apparently git.k8s.io is one of those that are blocked, as are others like slack.k8s.io. This is somewhat common for public cloud providers.

I’m currently not in China but I guess the curl command will return timed out.

@tao12345666333
Member

I will give the results later. Not at the computer right now.

@thockin
Member

thockin commented Oct 25, 2019 via email

@tao12345666333
Member

If you run curl -i git.k8s.io what do you get?

```
# in China
$ curl -i git.k8s.io
curl: (7) Failed connect to git.k8s.io:80; Connection timed out
# normal or expected result
(MoeLove) ➜  ~ curl -i git.k8s.io
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.10.3
Date: Fri, 25 Oct 2019 06:07:30 GMT
Content-Type: text/html
Content-Length: 161
Location: https://github.com/kubernetes/
Via: 1.1 google

<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.10.3</center>
</body>
</html>
```

Some other information:

```
# in China
$ dig git.k8s.io 

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> git.k8s.io
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35295
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;git.k8s.io.                    IN      A

;; ANSWER SECTION:
git.k8s.io.             300     IN      CNAME   redirect.k8s.io.
redirect.k8s.io.        300     IN      A       35.201.71.162

;; Query time: 111 msec
;; SERVER: 223.5.5.5#53(223.5.5.5)
;; WHEN: 五 10月 25 14:11:24 CST 2019
;; MSG SIZE  rcvd: 67


$ ping -t 20 -c 1 git.k8s.io
PING redirect.k8s.io (35.201.71.162) 56(84) bytes of data.

--- redirect.k8s.io ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
```
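
An added example, not part of the original thread: a small script that turns the evidence in the comment above (a `dig` answer plus a `curl` exit code) into a verdict on which layer fails. The function names are hypothetical, and the sample input is taken from the `dig` output and the `curl: (7)` error shown above.

```shell
#!/bin/sh
# Added example: decide which layer fails from saved dig output and a curl exit code.

# Extract the DNS response status (NOERROR, NXDOMAIN, ...) from dig output on stdin.
dig_status() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Follow the CNAME chain for NAME in dig output on stdin; print the final A record(s).
resolve_chain() {
    awk -v name="$1." '
        /^;/ || NF < 5 { next }   # skip dig comment lines and blanks
        $4 == "CNAME"  { cname[tolower($1)] = tolower($5) }
        $4 == "A"      { addr[tolower($1)] = addr[tolower($1)] " " $5 }
        END {
            cur = tolower(name)
            for (hops = 0; hops < 8 && (cur in cname); hops++) cur = cname[cur]
            n = split(addr[cur], ips, " ")
            for (i = 1; i <= n; i++) print ips[i]
        }'
}

# classify DNS_STATUS A_RECORD_COUNT CURL_EXIT
# curl exit 7 means the TCP connect failed. That happens during the handshake,
# before any hostname is sent on the connection, so it points at the IP.
# curl exit 28 is a timeout that can occur at any stage, so it stays ambiguous.
classify() {
    if [ "$1" != "NOERROR" ] || [ "$2" -eq 0 ]; then echo "dns-failure"
    elif [ "$3" -eq 0 ]; then echo "reachable"
    elif [ "$3" -eq 7 ]; then echo "ip-unreachable"
    elif [ "$3" -eq 28 ]; then echo "timeout-stage-unknown"
    else echo "other"
    fi
}

# diagnose NAME DIG_OUTPUT CURL_EXIT -> "<verdict> <ip>..."
diagnose() {
    d_status=$(printf '%s\n' "$2" | dig_status)
    d_ips=$(printf '%s\n' "$2" | resolve_chain "$1")
    d_count=$(printf '%s\n' "$d_ips" | awk 'NF { n++ } END { print n + 0 }')
    echo "$(classify "$d_status" "$d_count" "$3")" $d_ips
}

# Sample input: lines taken from the dig output in the comment above.
SAMPLE_DIG=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35295
;; ANSWER SECTION:
git.k8s.io.             300     IN      CNAME   redirect.k8s.io.
redirect.k8s.io.        300     IN      A       35.201.71.162'

diagnose git.k8s.io "$SAMPLE_DIG" 7   # curl exit code 7, as in the comment above
```

Because git.k8s.io is a CNAME to redirect.k8s.io, every name that resolves through the same record shares this verdict.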

@tao12345666333
Member

Maybe you can visit this site to show the detail. http://ping.pe/git.k8s.io

@thockin
Member

thockin commented Nov 1, 2019 via email

@tao12345666333
Member

Thanks. We can try it.

In fact, according to our experience, sometimes IP bans rely on whitelist mode, and sometimes rely on blacklist mode. And there is no clear announcement rule. 🙃

@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 30, 2020
@stp-ip
Member

stp-ip commented Jan 30, 2020

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 30, 2020
@bartsmykla
Contributor

Hi everyone. :-)

It looks like git.k8s.io is working now (at least if I'm interpreting the links you provided correctly), but slack.k8s.io is not. I'll try to read up on whether there is any easy way we can help with this.

Does anyone have more knowledge than a few months back about how we can improve it?

Bart

@bartsmykla
Contributor

I see slack.k8s.io is still deployed on the old infrastructure, and the good thing is that the IP (34.107.204.206) which our redirector is using (which is hosted on the new infra), and which actually handles requests to git.k8s.io and others, is accessible.
I'm gonna try to make sure that when we move slack.k8s.io to the new clusters the IP will be accessible in China too.

@bartsmykla
Contributor

bartsmykla commented Mar 30, 2020

I did some research and checked all A records from https://github.com/kubernetes/k8s.io/blob/master/dns/zone-configs/k8s.io._0_base.yaml using website http://ping.pe and here are the results:

  • slack.k8s.io is not accessible at any of the Chinese locations
  • gubernator.k8s.io is not accessible at China, Beijing | Tencent
  • testgrid.k8s.io is not accessible at China, Beijing | Tencent

During testing velodrome.k8s.io was not accessible anywhere, so I'm not sure what its status is (cc. @spiffxp)

Another question is whether, for slack.k8s.io, it's related to the subdomain name rather than the IP (it would be good to check).

Bart

@spiffxp
Copy link
Member

spiffxp commented Mar 31, 2020

velodrome.k8s.io is down for the foreseeable future (ref: kubernetes/test-infra#16836)

@bartsmykla
Contributor

@spiffxp got it. Thank you for the update.

@idealhack
Member Author

@bartsmykla Hi Bart, thanks for your research and update!

As far as I know, the blocking method of the Great Firewall targets IPs in this case. It's just whether you're lucky enough to get an IP which is not in the blocking rules (since a lot of Google's IPs are on the list). So hopefully this can be resolved when we have moved everything from the old GCP project to the new one.

What do we do if it's still on the blocking list after we move other stuff to the new infra? I wonder if we have other methods to address this.

@bartsmykla
Contributor

@idealhack the good thing is we can try to get another IP, and if that doesn't work we can try to use the fact that the redirect.k8s.io IP is currently not blocked, so I'm sure we can figure something out.

@thockin
Member

thockin commented Mar 31, 2020 via email

@bartsmykla
Contributor

bartsmykla commented Apr 27, 2020

@idealhack we are already moving slack-infra to the new infrastructure and are at the point where we have deployed everything under https://slack-staging.k8s.io. The IP of slack-staging.k8s.io (34.107.195.71) will be the IP address of slack.k8s.io/slack.kubernetes.io soon (once we confirm everything works as expected).

I did some testing using ping.pe (http://ping.pe/slack-staging.k8s.io) and it looks like the new IP address is not being blocked by the Great Firewall.

@bartsmykla
Contributor

It looks like gubernator.k8s.io and testgrid.k8s.io are now inaccessible though.

@stp-ip
Member

stp-ip commented Apr 27, 2020

We probably need to run a proxy server on non-Google IPs or, even better, within China. Happy to take a look, but not sure on timing.

@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 26, 2020
@fejta-bot

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Aug 25, 2020
@idealhack
Member Author

/remove-lifecycle rotten

@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Aug 25, 2020
@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 23, 2020
@idealhack
Member Author

/lifecycle frozen

@k8s-ci-robot k8s-ci-robot added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Nov 24, 2020
@k8s-ci-robot k8s-ci-robot added sig/k8s-infra Categorizes an issue or PR as relevant to SIG K8s Infra. and removed wg/k8s-infra labels Sep 29, 2021
@linghengqian

Hi, I was wondering if there is a solution for this other than forward proxying now? I noticed this issue hasn't been closed yet.


10 participants