
Migrate kubectl exec to WebSockets from SPDY #758

Open: andyvandy wants to merge 2 commits into skevetter:main from andyvandy:main

andyvandy commented May 20, 2026

(clone of PR loft-sh#1980)

I've added WebSocket support since I want to set up a capsule kube api proxy, which was dropping connections due to lack of SPDY support.

Per KEP-4006, I prioritize trying WebSockets first given WebSockets have been the default for 4 versions now and will be the standard going forward. I used NewFallbackExecutor as suggested in the KEP to avoid breaking existing use cases.

This follows the implementation used by kubectl: https://github.com/kubernetes/kubectl/blob/8144b746a47f142759a073a46f581de92b1886aa/pkg/cmd/exec/exec.go#L146-L166

I've built this locally and have been using it successfully for myself and a few others. Disclosure: this fix was found with the assistance of claude/copilot.

Summary by CodeRabbit

  • Bug Fixes
    • Improved remote command reliability for Kubernetes by preferring a WebSocket-based connection method and retaining the legacy transport only as a fallback when the WebSocket upgrade cannot be established. This reduces unnecessary fallbacks and yields more stable, compatible remote command sessions across varied cluster, proxy, and network environments.


coderabbitai Bot commented May 20, 2026


📥 Commits

Reviewing files that changed from the base of the PR and between 4cc2852 and 85fdd84.

📒 Files selected for processing (1)
  • pkg/driver/kubernetes/client.go

Walkthrough

Client.Exec now attempts a WebSocket-based Kubernetes exec first, constructs an SPDY executor in parallel, and wraps both with remotecommand.NewFallbackExecutor that falls back when httpstream.IsUpgradeFailure reports an upgrade failure.

Changes

Kubernetes WebSocket Executor Fallback

| Layer / File(s) | Summary |
| --- | --- |
| WebSocket-first exec with SPDY fallback (pkg/driver/kubernetes/client.go) | Adds the httpstream import and changes Client.Exec to build a WebSocket executor as primary and an SPDY executor as fallback, wrapped by remotecommand.NewFallbackExecutor and using httpstream.IsUpgradeFailure to trigger the fallback. |


coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/driver/kubernetes/client.go`:
- Line 128: The fallback predicate passed to remotecommand.NewFallbackExecutor
currently only uses httpstream.IsUpgradeFailure; update the call in the
remotecommand.NewFallbackExecutor invocation (the websocketExec, spdyExec
creation site) to use a combined predicate that checks both
httpstream.IsUpgradeFailure and httpstream.IsHTTPSProxyError (i.e., call
NewFallbackExecutor with a predicate that returns true if either
IsUpgradeFailure or IsHTTPSProxyError matches) so HTTPS-proxy dial failures will
trigger the SPDY fallback just like kubectl.

📥 Commits

Reviewing files that changed from the base of the PR and between 95d2230 and 4add125.

📒 Files selected for processing (1)
  • pkg/driver/kubernetes/client.go

Comment thread pkg/driver/kubernetes/client.go Outdated
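
The fallback rule raised in the review comment above, as an added standard-library Go model (not the PR's code and not client-go). `Exec`, `Transport`, `UpgradeFailureError`, the sample errors and both predicates are stand-ins named here for illustration, and matching a proxy failure on a `proxy:` marker is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// UpgradeFailureError models a refused HTTP upgrade handshake (stand-in type).
type UpgradeFailureError struct{ Cause error }
func (e *UpgradeFailureError) Error() string { return "upgrade failed: " + e.Cause.Error() }

func isUpgradeFailure(err error) bool {
	var u *UpgradeFailureError
	return errors.As(err, &u)
}

// isHTTPSProxyError models a proxy dial failure, matched on a "proxy:" marker (assumption).
func isHTTPSProxyError(err error) bool {
	return err != nil && strings.Contains(err.Error(), "proxy:")
}
func upgradeOrProxy(err error) bool { return isUpgradeFailure(err) || isHTTPSProxyError(err) }

// Exec tries ws first and uses spdy only when shouldFallback accepts the ws error.
func Exec(ws, spdy func() error, shouldFallback func(error) bool) (string, error) {
	err := ws()
	if err == nil {
		return "websocket", nil
	}
	if !shouldFallback(err) {
		return "", err // any other failure surfaces to the caller without a retry
	}
	return "spdy", spdy()
}

// Constructed sample errors; Transport feeds one to Exec alongside a working SPDY path.
var (
	ErrUpgrade   = fmt.Errorf("dial: %w", &UpgradeFailureError{Cause: errors.New("400 Bad Request")})
	ErrProxy     = errors.New("proxy: unknown scheme: https")
	ErrForbidden = errors.New(`pods "demo" is forbidden`)
)

func Transport(wsErr error, pred func(error) bool) (string, error) {
	return Exec(func() error { return wsErr }, func() error { return nil }, pred)
}

func main() {
	fmt.Println(Transport(ErrProxy, isUpgradeFailure))
	fmt.Println(Transport(ErrProxy, upgradeOrProxy))
}
```

With the upgrade-only predicate the constructed proxy error is returned to the caller; with the combined predicate the same error leads to the SPDY path, while the constructed authorization error is returned under either predicate.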
@skevetter (Owner)

Happy to get this merged in once the failing jobs are fixed.

Per [KEP-4006](https://github.com/kubernetes/enhancements/tree/master/keps/sig-api-machinery/4006-transition-spdy-to-websockets), prioritize trying WebSockets first
given it has been the default for 4 versions now and will be the standard going forward.
Use a NewFallbackExecutor as is suggested in the KEP to avoid breaking existing use cases.

Signed-off-by: andyvandy <vandenhoeven.andrew@gmail.com>

pick up the same additional error handling that was introduced by this commit to the kubectl client. kubernetes/kubectl@2c588bc

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

@andyvandy (Author)

> Happy to get this merged in once the failing jobs are fixed.

Signed the commit to address the failure.

Not a huge deal, but FYI the 1Password check, which is meant to comment with instructions, was failing with a 403 error: "message": "Resource not accessible by integration"

@skevetter (Owner)

> > Happy to get this merged in once the failing jobs are fixed.
>
> Signed the commit to address the failure.
>
> Not a huge deal, but FYI the 1Password check, which is meant to comment with instructions, was failing with a 403 error: "message": "Resource not accessible by integration"

That job can be flaky sometimes; it should be working now.
