Make "attach" and "exec" rejection in proxy more explicit

The more explicit regular expression for rejection makes a possibility of accessing pods (or any other resources) which contain "attach" or "exec" in their names via proxy API. It was not possible before. Also, the reference for "run" resource was removed, because it doesn't exist in any of k8s APIs currently. Fixes: #21464
kubernetes · Jul 19, 2016 · 3ed9768 · 3ed9768
1 parent 63bb281
commit 3ed9768
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 5 deletions.
diff --git a/pkg/kubectl/proxy_server.go b/pkg/kubectl/proxy_server.go
@@ -35,7 +35,7 @@ import (
 const (
 	DefaultHostAcceptRE   = "^localhost$,^127\\.0\\.0\\.1$,^\\[::1\\]$"
 	DefaultPathAcceptRE   = "^/.*"
-	DefaultPathRejectRE   = "^/api/.*/exec,^/api/.*/run,^/api/.*/attach"
+	DefaultPathRejectRE   = "^/api/.*/pods/.*/exec,^/api/.*/pods/.*/attach"
 	DefaultMethodRejectRE = "POST,PUT,PATCH"
 )
 

diff --git a/pkg/kubectl/proxy_server_test.go b/pkg/kubectl/proxy_server_test.go
@@ -62,7 +62,34 @@ func TestAccept(t *testing.T) {
 			acceptPaths:  DefaultPathAcceptRE,
 			rejectPaths:  DefaultPathRejectRE,
 			acceptHosts:  DefaultHostAcceptRE,
-			path:         "/api/v1/pods/foo/exec",
+			path:         "/api/v1/namespaces/default/pods/foo",
+			host:         "localhost",
+			method:       "GET",
+			expectAccept: true,
+		},
+		{
+			acceptPaths:  DefaultPathAcceptRE,
+			rejectPaths:  DefaultPathRejectRE,
+			acceptHosts:  DefaultHostAcceptRE,
+			path:         "/api/v1/namespaces/default/pods/attachfoo",
+			host:         "localhost",
+			method:       "GET",
+			expectAccept: true,
+		},
+		{
+			acceptPaths:  DefaultPathAcceptRE,
+			rejectPaths:  DefaultPathRejectRE,
+			acceptHosts:  DefaultHostAcceptRE,
+			path:         "/api/v1/namespaces/default/pods/execfoo",
+			host:         "localhost",
+			method:       "GET",
+			expectAccept: true,
+		},
+		{
+			acceptPaths:  DefaultPathAcceptRE,
+			rejectPaths:  DefaultPathRejectRE,
+			acceptHosts:  DefaultHostAcceptRE,
+			path:         "/api/v1/namespaces/default/pods/foo/exec",
 			host:         "127.0.0.1",
 			method:       "GET",
 			expectAccept: false,
@@ -71,7 +98,7 @@ func TestAccept(t *testing.T) {
 			acceptPaths:  DefaultPathAcceptRE,
 			rejectPaths:  DefaultPathRejectRE,
 			acceptHosts:  DefaultHostAcceptRE,
-			path:         "/api/v1/pods/foo/attach",
+			path:         "/api/v1/namespaces/default/pods/foo/attach",
 			host:         "127.0.0.1",
 			method:       "GET",
 			expectAccept: false,
@@ -125,7 +152,7 @@ func TestAccept(t *testing.T) {
 			acceptPaths:  DefaultPathAcceptRE,
 			rejectPaths:  DefaultPathRejectRE,
 			acceptHosts:  DefaultHostAcceptRE,
-			path:         "/api/v1/pods/somepod",
+			path:         "/api/v1/namespaces/default/pods/somepod",
 			host:         "localhost",
 			method:       "PUT",
 			expectAccept: false,
@@ -134,7 +161,7 @@ func TestAccept(t *testing.T) {
 			acceptPaths:  DefaultPathAcceptRE,
 			rejectPaths:  DefaultPathRejectRE,
 			acceptHosts:  DefaultHostAcceptRE,
-			path:         "/api/v1/pods/somepod",
+			path:         "/api/v1/namespaces/default/pods/somepod",
 			host:         "localhost",
 			method:       "PATCH",
 			expectAccept: false,