Add verification to apiserver redirect following #66516
Conversation
k8s-ci-robot
added
release-note-none
|
/sig api-machinery |
k8s-ci-robot
added
the
sig/api-machinery
| @@ -343,7 +343,7 @@ func ConnectWithRedirects(originalMethod string, originalLocation *url.URL, head | |||
|
|
|||
| redirectLoop: | |||
| for redirects := 0; ; redirects++ { | |||
| if redirects > maxRedirects { | |||
| if redirects >= maxRedirects { | |||
There was a problem hiding this comment.
first request isn't a redirect, so I think > is correct... maxRedirects=1 would let you go through the loop twice
There was a problem hiding this comment.
It should fail on the 10th redirect, not allow 10 redirects, at least to be consistent with http.Client. I changed this because the test caught this inconsistency.
There was a problem hiding this comment.
I would expect maxRedirects=10 to allow 10 and fail on 11. I don't think it really matters in practice either way as long as we don't set maxRedirects to 1
There was a problem hiding this comment.
I'd like to keep this consistent with the default http redirect checker, so I reverted the logic but changed maxRedirects to 9. (Also fixed the spdy test with the new max)
| @@ -404,6 +404,11 @@ redirectLoop: | |||
| if err != nil { | |||
| return nil, nil, fmt.Errorf("malformed Location header: %v", err) | |||
| } | |||
|
|
|||
| // Only allow redirects to the same host. | |||
| if location.Host != originalLocation.Host { | |||
There was a problem hiding this comment.
I considered that, but I think at least http -> https should be allowed. And if an attacker controls the endpoint enough to send an https redirect response, then they don't gain anything from a downgrade attack.
| } | ||
| // Only allow redirects to the same host. | ||
| newHost := req.URL.Host | ||
| originalHost := via[0].URL.Host |
There was a problem hiding this comment.
is len(via) always greater than 0?
There was a problem hiding this comment.
Yes, a redirect always has an original request. See https://github.com/golang/go/blob/214f7ec554888042a7a54fdca9cba19aee8ebaf1/src/net/http/client.go#L551-L581
|
@mrunalp - For CRI-o This will break setups where the apiserver sends the initial request on one IP address to the node, and the CRI streaming response sends a redirect to a different interface (e.g. internal vs. external address). This isn't an issue with dockershim, because it always uses a relative redirect. Unfortunately that doesn't appear to be the case with CRI-o (not sure about contianerd). How is CRI-o and contianerd streaming typically configured? |
|
@kubernetes/sig-node-pr-reviews |
k8s-ci-robot
added
the
sig/node
Or external DNS name vs external IP, etc |
|
OK, updated this PR with a few changes:
@liggitt PTAL |
| // | ||
| // StreamingProxyRedirects controls whether the apiserver should intercept (and follow) | ||
| // redirects from the backend (Kubelet) for streaming requests (exec/attach/port-forward). | ||
| StreamingProxyRedirects utilfeature.Feature = "StreamingProxyRedirects" | ||
|
|
||
| // owner: @tallclair | ||
| // alpha: v1.9 |
There was a problem hiding this comment.
BTW - I put 1.9 here because I think we should cherrypick this back to 1.9
|
/lgtm I would suggest a comment on why log never can redirect around here: https://github.com/kubernetes/kubernetes/pull/66516/files#diff-02939fae98eaa89403de3ea191772176R89 |
k8s-ci-robot
added
lgtm
|
|
/cc @roycaihw |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
| Location: loc, | ||
| } | ||
| _, _, _, err = streamer.InputStream("", "") | ||
| assert.Equal(t, http.ErrUseLastResponse, err, "Expected error from redirect") |
There was a problem hiding this comment.
If CheckRedirect returns ErrUseLastResponse, then the most recent response is returned with its body unclosed, along with a nil error: https://github.com/golang/go/blob/214f7ec554888042a7a54fdca9cba19aee8ebaf1/src/net/http/client.go#L583-L588
There was a problem hiding this comment.
Oops, thanks. On closer inspection, forwarding the redirect doesn't make sense here since only the request body is returned. I reverted the change back to outright rejecting redirects.
|
Finally got back around to this. PTAL. |
k8s-ci-robot
removed
the
needs-rebase
|
/lgtm |
k8s-ci-robot
added
the
lgtm
k8s-ci-robot
removed
the
lgtm
|
Fixed breakage caused by rebase & squashed commits. |
|
/lgtm (very brief scroll through because of amount of review so far) |
k8s-ci-robot
added
the
lgtm
|
|
||
| // Only follow redirects to the same host. Otherwise, propogate the redirect response back. | ||
| if validateRedirects && location.Hostname() != originalLocation.Hostname() { | ||
| break redirectLoop |
There was a problem hiding this comment.
Shouldn't you be returning an error?
There was a problem hiding this comment.
No, this returns the redirect response back to the client. See the discussion on this comment thread: #66516 (comment)
There was a problem hiding this comment.
Do you think code calling this function is prepared to get a redirection response?
There was a problem hiding this comment.
(not to argue with @liggitt's comment-like in that thread, but... given what you told me in person I think it's probably right to go ahead and return the error, and just explicitly say that hostname to IP redirections (or vice versa) are not supported even if they happen to refer to the same thing.)
There was a problem hiding this comment.
If the CRI returned a different internal host address, then returning that to the client would be meaningless, and an error response would make more sense. However, if the pod returns a redirect to an external service (trivial example: a pod that just returns a redirect response to a different external web address), then the expected behavior would be that the client can follow that redirect.
Do you think code calling this function is prepared to get a redirection response?
Looking at all the call sites, yes - it shouldn't be a problem. Also, this method only handles 302 redirects, so all other redirects were already being returned to the client.
staging/src/k8s.io/apimachinery/pkg/util/httpstream/spdy/roundtripper.go
Outdated
Show resolved
Hide resolved
k8s-ci-robot
removed
the
lgtm
staging/src/k8s.io/apimachinery/pkg/util/httpstream/spdy/roundtripper.go
Outdated
Show resolved
Hide resolved
|
|
||
| // Only follow redirects to the same host. Otherwise, propogate the redirect response back. | ||
| if validateRedirects && location.Hostname() != originalLocation.Hostname() { | ||
| break redirectLoop |
There was a problem hiding this comment.
No, this returns the redirect response back to the client. See the discussion on this comment thread: #66516 (comment)
|
please squash, thanks! |
|
Squashed. Thanks! |
| @@ -28,6 +28,8 @@ import ( | |||
| "reflect" | |||
| "testing" | |||
|
|
|||
| "github.com/stretchr/testify/assert" | |||
| "github.com/stretchr/testify/require" | |||
There was a problem hiding this comment.
not going to ask for another change at this point but technically 3rd party deps get their own section...
|
/approve |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cjcullen, lavalamp, philips, rphillips, tallclair The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/retest Review the full test history for this PR. Silence the bot with an |
…516-upstream-release-1.12-1539730092 Automated cherry-pick of #66516 to v1.12
What this PR does / why we need it:
Only allow the apiserver to follow redirects to the same host.
Release note: