Make "attach" and "exec" rejection in proxy more explicit #28765
Conversation
k8s-github-robot
added
size/M
| @@ -35,7 +35,7 @@ import ( | |||
| const ( | |||
| DefaultHostAcceptRE = "^localhost$,^127\\.0\\.0\\.1$,^\\[::1\\]$" | |||
| DefaultPathAcceptRE = "^/.*" | |||
| DefaultPathRejectRE = "^/api/.*/exec,^/api/.*/run,^/api/.*/attach" | |||
There was a problem hiding this comment.
What was /run originally meant to cover, and why don't we care about it now?
There was a problem hiding this comment.
It probably meant to cover the /run endpoint in kubelet. But I'm not sure, I'm new to kubernetes, I'm only a little bit familiar with its code since 1.2. 😒 The one thing is clear - there is no /run API endpoint in apiserver.
There was a problem hiding this comment.
What do you think of just tightening to:
^/api/./pods/./exec
^/api/./pods/./attach
I think this will address the issues without opening it up more than is needed.
The more explicit regular expression for rejection makes a possibility of accessing pods (or any other resources) which contain "attach" or "exec" in their names via proxy API. It was not possible before. Also, the reference for "run" resource was removed, because it doesn't exist in any of k8s APIs currently. Fixes: kubernetes#21464
|
GCE e2e build/test passed for commit 3ed9768. |
pwittrock
added
the
lgtm
k8s-github-robot
removed
the
lgtm
pwittrock
added
lgtm
|
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge] |
|
GCE e2e build/test passed for commit 3ed9768. |
|
Automatic merge from submit-queue |
The more explicit regular expression for rejection makes a possibility of accessing pods (or any other resources) which contain "attach" or "exec" in their names via proxy API. It was not possible before.
Also, the reference for "run" resource was removed, because it doesn't exist in any of k8s APIs currently.
Fixes: #21464