Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

⚠️ Use limited reader in webhooks #2598

Merged
merged 5 commits into from
Jan 8, 2024
Merged

⚠️ Use limited reader in webhooks #2598

merged 5 commits into from
Jan 8, 2024

Conversation

inteon
Copy link
Member

@inteon inteon commented Nov 28, 2023
edited
Loading

This PR adds a LimitedReader which prevents DOS attacks due to OOM caused by the io.ReadAll function.

Depends on #2604.

Code is based on https://github.com/kubernetes/kubernetes/blob/c28c2009181fcc44c5f6b47e10e62dacf53e4da0/staging/src/k8s.io/pod-security-admission/cmd/webhook/server/server.go

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Nov 28, 2023
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Nov 28, 2023
@inteon inteon mentioned this pull request Nov 28, 2023
Merged
@alvaroaleman
Copy link
Member

@inteon would you mind splitting this up in one PR per change, so discussions can stay targeted and the changelog will have a more meaningful entry than "Improve Webhook"?

@inteon inteon changed the title 🐛 Improve webhooks (crash handling, limited reader, ...) 🐛 Use limited reader in webhooks Dec 3, 2023
@inteon
Copy link
Member Author

inteon commented Dec 3, 2023

@inteon would you mind splitting this up in one PR per change, so discussions can stay targeted and the changelog will have a more meaningful entry than "Improve Webhook"?

Ok, this PR now focuses on adding limited reader.

@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Dec 3, 2023
@inteon inteon force-pushed the improve_webhooks branch 2 times, most recently from b96f9fa to 9dcfc53 Compare December 12, 2023 14:21
sbueringer
sbueringer reviewed Dec 18, 2023
View reviewed changes
pkg/webhook/admission/http.go Outdated Show resolved Hide resolved
pkg/webhook/admission/http.go Show resolved Hide resolved
pkg/webhook/authentication/http.go Outdated Show resolved Hide resolved
@sbueringer
Copy link
Member

/retest

@sbueringer sbueringer added this to the v0.17.x milestone Jan 3, 2024
@sbueringer
Copy link
Member

@inteon PTAL when you have some time :)

@inteon
add missing limitedReader
90ea1c1 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
@inteon
update maxRequestSize and explain values in comment
5ed1ff8 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
@inteon
use more specific http error code
de53931 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
@inteon
add extra comments and update value for maxRequestSize
930ab18 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
@inteon
Copy link
Member Author

inteon commented Jan 6, 2024

@sbueringer I updated the limits and comments based on the review feedback.
Please let me know in case I missed something.

@sbueringer sbueringer added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Jan 8, 2024
@sbueringer
Copy link
Member

Thx!

/lgtm

/assign @alvaroaleman @vincepri

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 8, 2024
alvaroaleman
alvaroaleman reviewed Jan 8, 2024
View reviewed changes
Copy link
Member

@alvaroaleman alvaroaleman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lets also mark this change as breaking, please, as there is a non-zero change it might cause issues in the context of the token reviews for example

pkg/webhook/admission/http.go Outdated Show resolved Hide resolved
pkg/webhook/authentication/http.go Outdated Show resolved Hide resolved
@inteon
use const instead of var
78b8b06 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 8, 2024
@inteon inteon changed the title 🐛 Use limited reader in webhooks ⚠️ Use limited reader in webhooks Jan 8, 2024
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 8, 2024
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alvaroaleman, inteon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 8, 2024
@k8s-ci-robot k8s-ci-robot merged commit 69e14f1 into kubernetes-sigs:main Jan 8, 2024
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sbueringer sbueringer sbueringer left review comments

@alvaroaleman alvaroaleman alvaroaleman approved these changes

@joelanford joelanford Awaiting requested review from joelanford

@vincepri vincepri Awaiting requested review from vincepri

Assignees

@vincepri vincepri

@sbueringer sbueringer

@alvaroaleman alvaroaleman

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges.
Projects
None yet
Milestone
v0.17.x
Development

Successfully merging this pull request may close these issues.
5 participants
@inteon @alvaroaleman @sbueringer @k8s-ci-robot @vincepri