Merge pull request #1436 from howard-junec/automated-cherry-pick-of-#1374-upstream-release-1.35

k8s-ci-robot · web-flow · commit 3899cc40c932 · 2026-05-11T02:29:46.000+05:30
Automated cherry pick of #1374: fix: Add explicit HTTP request timeouts to all AWS SDK
diff --git a/cmd/ecr-credential-provider/main.go b/cmd/ecr-credential-provider/main.go
@@ -29,6 +29,7 @@ import (
 	"time"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
+	awshttp "github.com/aws/aws-sdk-go-v2/aws/transport/http"
 	"github.com/aws/aws-sdk-go-v2/config"
 	"github.com/aws/aws-sdk-go-v2/service/ecr"
 	"github.com/aws/aws-sdk-go-v2/service/ecrpublic"
@@ -43,6 +44,8 @@ import (
 
 const ecrPublicRegion string = "us-east-1"
 
+var defaultHTTPClient = awshttp.NewBuildableClient().WithTimeout(30 * time.Second)
+
 var ecrPublicHosts []string = []string{"public.ecr.aws", "ecr-public.aws.com"}
 
 var ecrPrivateHostPattern = regexp.MustCompile(`^(\d{12})\.dkr[\.\-]ecr(\-fips)?\.([a-zA-Z0-9][a-zA-Z0-9-_]*)\.(amazonaws\.(?:com(?:\.cn)?|eu)|on\.(?:aws|amazonwebservices\.com\.cn)|sc2s\.sgov\.gov|c2s\.ic\.gov|cloud\.adc-e\.uk|csp\.hci\.ic\.gov)$`)
@@ -74,10 +77,13 @@ func defaultECRProvider(ctx context.Context, region string) (ECR, error) {
 	if region != "" {
 		cfg, err = config.LoadDefaultConfig(ctx,
 			config.WithRegion(region),
+			config.WithHTTPClient(defaultHTTPClient),
 		)
 	} else {
 		klog.Warningf("No region found in the image reference, the default region will be used. Please refer to AWS SDK documentation for configuration purpose.")
-		cfg, err = config.LoadDefaultConfig(ctx)
+		cfg, err = config.LoadDefaultConfig(ctx,
+			config.WithHTTPClient(defaultHTTPClient),
+		)
 	}
 
 	if err != nil {
@@ -92,6 +98,7 @@ func publicECRProvider(ctx context.Context) (ECRPublic, error) {
 	// in the "aws" partition.
 	cfg, err := config.LoadDefaultConfig(ctx,
 		config.WithRegion(ecrPublicRegion),
+		config.WithHTTPClient(defaultHTTPClient),
 	)
 	if err != nil {
 		return nil, err
@@ -106,10 +113,13 @@ func stsProvider(ctx context.Context, region string) (STS, error) {
 	if region != "" {
 		cfg, err = config.LoadDefaultConfig(ctx,
 			config.WithRegion(region),
+			config.WithHTTPClient(defaultHTTPClient),
 		)
 	} else {
 		klog.Warningf("No region found in the image reference, the default region will be used. Please refer to AWS SDK documentation for configuration purpose.")
-		cfg, err = config.LoadDefaultConfig(ctx)
+		cfg, err = config.LoadDefaultConfig(ctx,
+			config.WithHTTPClient(defaultHTTPClient),
+		)
 	}
 
 	if err != nil {
diff --git a/pkg/providers/v1/aws.go b/pkg/providers/v1/aws.go
@@ -41,6 +41,7 @@ import (
 	elbv2types "github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2/types"
 	"github.com/aws/aws-sdk-go-v2/service/kms"
 	"github.com/aws/smithy-go"
+	smithymiddleware "github.com/aws/smithy-go/middleware"
 	"gopkg.in/gcfg.v1"
 
 	v1 "k8s.io/api/core/v1"
@@ -518,7 +519,11 @@ func init() {
 
 		var creds *stscreds.AssumeRoleProvider
 		if cfg.Global.RoleARN != "" {
-			stsClient, err := services.NewStsClient(ctx, regionName, cfg.Global.RoleARN, cfg.Global.SourceARN)
+			stsClient, err := services.NewStsClient(ctx, regionName, cfg.Global.RoleARN, cfg.Global.SourceARN,
+				func(stack *smithymiddleware.Stack) error {
+					return stack.Deserialize.Add(awsAPIMetricsMiddleware(), smithymiddleware.After)
+				},
+			)
 			if err != nil {
 				return nil, fmt.Errorf("unable to create sts v2 client: %v", err)
 			}
diff --git a/pkg/providers/v1/aws_api_metrics_test.go b/pkg/providers/v1/aws_api_metrics_test.go
@@ -0,0 +1,99 @@
+/*
+Copyright 2026 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package aws
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"testing"
+
+	"github.com/aws/smithy-go"
+	"github.com/aws/smithy-go/middleware"
+	smithyhttp "github.com/aws/smithy-go/transport/http"
+	"github.com/stretchr/testify/assert"
+	"k8s.io/component-base/metrics/testutil"
+)
+
+func TestAWSAPIMetricsMiddleware(t *testing.T) {
+	registerMetrics()
+
+	tests := []struct {
+		name             string
+		statusCode       int
+		err              error
+		expectStatusCode string
+	}{
+		{
+			name:             "4xx response records status code",
+			statusCode:       403,
+			expectStatusCode: "403",
+		},
+		{
+			name:             "5xx response records status code",
+			statusCode:       500,
+			expectStatusCode: "500",
+		},
+		{
+			name:       "2xx response does not record",
+			statusCode: 200,
+		},
+		{
+			name:             "4xx with API error records status code",
+			statusCode:       400,
+			err:              &smithy.GenericAPIError{Code: "ThrottlingException", Message: "rate exceeded"},
+			expectStatusCode: "400",
+		},
+		{
+			name:             "5xx with non-API error records status code",
+			statusCode:       500,
+			err:              fmt.Errorf("connection reset"),
+			expectStatusCode: "500",
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			awsAPIResponseStatusTotal.Reset()
+
+			mw := awsAPIMetricsMiddleware()
+			handler := middleware.DeserializeHandlerFunc(
+				func(ctx context.Context, in middleware.DeserializeInput) (
+					middleware.DeserializeOutput, middleware.Metadata, error,
+				) {
+					return middleware.DeserializeOutput{
+						RawResponse: &smithyhttp.Response{
+							Response: &http.Response{StatusCode: tc.statusCode},
+						},
+					}, middleware.Metadata{}, tc.err
+				},
+			)
+
+			_, _, _ = mw.HandleDeserialize(context.Background(), middleware.DeserializeInput{}, handler)
+
+			if tc.expectStatusCode != "" {
+				val, err := testutil.GetCounterMetricValue(awsAPIResponseStatusTotal.With(map[string]string{
+					"service":     "",
+					"operation":   "",
+					"status_code": tc.expectStatusCode,
+				}))
+				assert.NoError(t, err)
+				assert.Equal(t, float64(1), val)
+			}
+		})
+	}
+}
diff --git a/pkg/providers/v1/aws_metrics.go b/pkg/providers/v1/aws_metrics.go
@@ -17,8 +17,12 @@ limitations under the License.
 package aws
 
 import (
+	"context"
+	"strconv"
 	"sync"
 
+	"github.com/aws/smithy-go/middleware"
+	smithyhttp "github.com/aws/smithy-go/transport/http"
 	"k8s.io/component-base/metrics"
 	"k8s.io/component-base/metrics/legacyregistry"
 )
@@ -47,6 +51,15 @@ var (
 			StabilityLevel: metrics.ALPHA,
 		},
 		[]string{"operation_name"})
+
+	// awsAPIResponseStatusTotal counts AWS API responses by status code.
+	awsAPIResponseStatusTotal = metrics.NewCounterVec(
+		&metrics.CounterOpts{
+			Name:           "cloudprovider_aws_api_response_status_total",
+			Help:           "AWS API response status code counts",
+			StabilityLevel: metrics.ALPHA,
+		},
+		[]string{"service", "operation", "status_code"})
 )
 
 func recordAWSMetric(actionName string, timeTaken float64, err error) {
@@ -68,5 +81,32 @@ func registerMetrics() {
 		legacyregistry.MustRegister(awsAPIMetric)
 		legacyregistry.MustRegister(awsAPIErrorMetric)
 		legacyregistry.MustRegister(awsAPIThrottlesMetric)
+		legacyregistry.MustRegister(awsAPIResponseStatusTotal)
 	})
 }
+
+// awsAPIMetricsMiddleware returns a Deserialize middleware that records
+// AWS API response status codes as metrics.
+func awsAPIMetricsMiddleware() middleware.DeserializeMiddleware {
+	return middleware.DeserializeMiddlewareFunc(
+		"k8s/aws-api-metrics",
+		func(ctx context.Context, in middleware.DeserializeInput, next middleware.DeserializeHandler) (
+			out middleware.DeserializeOutput, metadata middleware.Metadata, err error,
+		) {
+			out, metadata, err = next.HandleDeserialize(ctx, in)
+
+			service := middleware.GetServiceID(ctx)
+			operation := middleware.GetOperationName(ctx)
+
+			if response, ok := out.RawResponse.(*smithyhttp.Response); ok && response.StatusCode >= 400 {
+				awsAPIResponseStatusTotal.With(metrics.Labels{
+					"service":     service,
+					"operation":   operation,
+					"status_code": strconv.Itoa(response.StatusCode),
+				}).Inc()
+			}
+
+			return out, metadata, err
+		},
+	)
+}
diff --git a/pkg/providers/v1/aws_sdk.go b/pkg/providers/v1/aws_sdk.go
@@ -20,10 +20,12 @@ import (
 	"context"
 	"fmt"
 	"sync"
+	"time"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/aws/middleware"
 	"github.com/aws/aws-sdk-go-v2/aws/retry"
+	awshttp "github.com/aws/aws-sdk-go-v2/aws/transport/http"
 	awsConfig "github.com/aws/aws-sdk-go-v2/config"
 	stscredsv2 "github.com/aws/aws-sdk-go-v2/credentials/stscreds"
 	"github.com/aws/aws-sdk-go-v2/feature/ec2/imds"
@@ -40,6 +42,12 @@ import (
 	"k8s.io/klog/v2"
 )
 
+// defaultHTTPClient is shared across all AWS SDK clients to enforce an explicit
+// HTTP request timeout and reuse connection pools. Without a timeout, a single
+// slow response can trigger the Go SDK's clock skew overcorrection and break all
+// subsequent API calls.
+var defaultHTTPClient = awshttp.NewBuildableClient().WithTimeout(30 * time.Second)
+
 type awsSDKProvider struct {
 	creds aws.CredentialsProvider
 	cfg   awsCloudConfigProvider
@@ -77,6 +85,13 @@ func (p *awsSDKProvider) AddMiddleware(ctx context.Context, regionName string, c
 	}
 
 	p.addAPILoggingMiddleware(cfg)
+
+	// Record AWS API response status codes and error codes as metrics.
+	cfg.APIOptions = append(cfg.APIOptions,
+		func(stack *smithymiddleware.Stack) error {
+			return stack.Deserialize.Add(awsAPIMetricsMiddleware(), smithymiddleware.After)
+		},
+	)
 }
 
 // Adds logging middleware for AWS SDK Go V2 clients
@@ -114,6 +129,7 @@ func (p *awsSDKProvider) getCrossRequestRetryDelay(regionName string) *CrossRequ
 func (p *awsSDKProvider) Compute(ctx context.Context, regionName string, assumeRoleProvider *stscredsv2.AssumeRoleProvider) (iface.EC2, error) {
 	cfg, err := awsConfig.LoadDefaultConfig(ctx, awsConfig.WithDefaultsMode(aws.DefaultsModeInRegion),
 		awsConfig.WithRegion(regionName),
+		awsConfig.WithHTTPClient(defaultHTTPClient),
 	)
 	if assumeRoleProvider != nil {
 		cfg.Credentials = aws.NewCredentialsCache(assumeRoleProvider)
@@ -142,6 +158,7 @@ func (p *awsSDKProvider) Compute(ctx context.Context, regionName string, assumeR
 func (p *awsSDKProvider) LoadBalancing(ctx context.Context, regionName string, assumeRoleProvider *stscredsv2.AssumeRoleProvider) (ELB, error) {
 	cfg, err := awsConfig.LoadDefaultConfig(ctx, awsConfig.WithDefaultsMode(aws.DefaultsModeInRegion),
 		awsConfig.WithRegion(regionName),
+		awsConfig.WithHTTPClient(defaultHTTPClient),
 	)
 	if assumeRoleProvider != nil {
 		cfg.Credentials = aws.NewCredentialsCache(assumeRoleProvider)
@@ -167,6 +184,7 @@ func (p *awsSDKProvider) LoadBalancing(ctx context.Context, regionName string, a
 func (p *awsSDKProvider) LoadBalancingV2(ctx context.Context, regionName string, assumeRoleProvider *stscredsv2.AssumeRoleProvider) (ELBV2, error) {
 	cfg, err := awsConfig.LoadDefaultConfig(ctx, awsConfig.WithDefaultsMode(aws.DefaultsModeInRegion),
 		awsConfig.WithRegion(regionName),
+		awsConfig.WithHTTPClient(defaultHTTPClient),
 	)
 	if assumeRoleProvider != nil {
 		cfg.Credentials = aws.NewCredentialsCache(assumeRoleProvider)
@@ -190,7 +208,9 @@ func (p *awsSDKProvider) LoadBalancingV2(ctx context.Context, regionName string,
 }
 
 func (p *awsSDKProvider) Metadata(ctx context.Context) (config.EC2Metadata, error) {
-	cfg, err := awsConfig.LoadDefaultConfig(context.TODO(), awsConfig.WithDefaultsMode(aws.DefaultsModeInRegion))
+	cfg, err := awsConfig.LoadDefaultConfig(context.TODO(), awsConfig.WithDefaultsMode(aws.DefaultsModeInRegion),
+		awsConfig.WithHTTPClient(defaultHTTPClient),
+	)
 	if err != nil {
 		return nil, fmt.Errorf("unable to initialize AWS config: %v", err)
 	}
@@ -226,6 +246,7 @@ func (p *awsSDKProvider) Metadata(ctx context.Context) (config.EC2Metadata, erro
 func (p *awsSDKProvider) KeyManagement(ctx context.Context, regionName string, assumeRoleProvider *stscredsv2.AssumeRoleProvider) (KMS, error) {
 	cfg, err := awsConfig.LoadDefaultConfig(ctx, awsConfig.WithDefaultsMode(aws.DefaultsModeInRegion),
 		awsConfig.WithRegion(regionName),
+		awsConfig.WithHTTPClient(defaultHTTPClient),
 	)
 	if assumeRoleProvider != nil {
 		cfg.Credentials = aws.NewCredentialsCache(assumeRoleProvider)
diff --git a/pkg/providers/v1/aws_timeout_test.go b/pkg/providers/v1/aws_timeout_test.go
diff --git a/pkg/services/aws_sts.go b/pkg/services/aws_sts.go
