Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
d512173c
Commit
d512173c
authored
Jan 24, 2019
by
Tim Allclair
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Apply caching limits to authorized requests too
parent
e23c15a0
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
14 additions
and
11 deletions
+14
-11
webhook.go
...k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook.go
+11
-8
webhook_test.go
...o/apiserver/plugin/pkg/authorizer/webhook/webhook_test.go
+3
-3
No files found.
staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook.go
View file @
d512173c
...
...
@@ -41,8 +41,8 @@ var (
const
(
retryBackoff
=
500
*
time
.
Millisecond
// The maximum
key length for unauthorized request keys to qualify for
caching.
max
UnauthorizedCachedKey
Size
=
10000
// The maximum
length of requester-controlled attributes to allow
caching.
max
ControlledAttrCache
Size
=
10000
)
// Ensure Webhook implements the authorizer.Authorizer interface.
...
...
@@ -197,10 +197,10 @@ func (w *WebhookAuthorizer) Authorize(attr authorizer.Attributes) (decision auth
return
w
.
decisionOnError
,
""
,
err
}
r
.
Status
=
result
.
Status
if
r
.
Status
.
Allowed
{
w
.
responseCache
.
Add
(
string
(
key
),
r
.
Status
,
w
.
authorizedTTL
)
}
else
{
if
callerControlledAttributeSize
(
attr
)
<
maxUnauthorizedCachedKeySiz
e
{
if
shouldCache
(
attr
)
{
if
r
.
Status
.
Allowed
{
w
.
responseCache
.
Add
(
string
(
key
),
r
.
Status
,
w
.
authorizedTTL
)
}
els
e
{
w
.
responseCache
.
Add
(
string
(
key
),
r
.
Status
,
w
.
unauthorizedTTL
)
}
}
...
...
@@ -269,8 +269,10 @@ func (t *subjectAccessReviewClient) Create(subjectAccessReview *authorization.Su
return
result
,
err
}
func
callerControlledAttributeSize
(
attr
authorizer
.
Attributes
)
int64
{
return
int64
(
len
(
attr
.
GetNamespace
()))
+
// shouldCache determines whether it is safe to cache the given request attributes. If the
// requester-controlled attributes are too large, this may be a DoS attempt, so we skip the cache.
func
shouldCache
(
attr
authorizer
.
Attributes
)
bool
{
controlledAttrSize
:=
int64
(
len
(
attr
.
GetNamespace
()))
+
int64
(
len
(
attr
.
GetVerb
()))
+
int64
(
len
(
attr
.
GetAPIGroup
()))
+
int64
(
len
(
attr
.
GetAPIVersion
()))
+
...
...
@@ -278,4 +280,5 @@ func callerControlledAttributeSize(attr authorizer.Attributes) int64 {
int64
(
len
(
attr
.
GetSubresource
()))
+
int64
(
len
(
attr
.
GetName
()))
+
int64
(
len
(
attr
.
GetPath
()))
return
controlledAttrSize
<
maxControlledAttrCacheSize
}
staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook_test.go
View file @
d512173c
...
...
@@ -616,10 +616,10 @@ func TestWebhookCache(t *testing.T) {
{
name
:
"ridiculous unauthorized request"
,
attr
:
bobRidiculousAttr
,
allow
:
false
,
statusCode
:
200
,
expectedErr
:
false
,
expectedAuthorized
:
false
,
expectedCalls
:
1
},
// later ridiculous requests within the cache window still hit the backend
{
name
:
"ridiculous unauthorized request again"
,
attr
:
bobRidiculousAttr
,
allow
:
false
,
statusCode
:
200
,
expectedErr
:
false
,
expectedAuthorized
:
false
,
expectedCalls
:
1
},
// ridiculous authorized requests are
still
cached.
// ridiculous authorized requests are
not
cached.
{
name
:
"ridiculous authorized request"
,
attr
:
aliceRidiculousAttr
,
allow
:
true
,
statusCode
:
200
,
expectedErr
:
false
,
expectedAuthorized
:
true
,
expectedCalls
:
1
},
// later ridiculous requests within the cache window
don't
hit the backend
{
name
:
"ridiculous authorized request again"
,
attr
:
aliceRidiculousAttr
,
allow
:
false
,
statusCode
:
500
,
expectedErr
:
false
,
expectedAuthorized
:
true
,
expectedCalls
:
0
},
// later ridiculous requests within the cache window
still
hit the backend
{
name
:
"ridiculous authorized request again"
,
attr
:
aliceRidiculousAttr
,
allow
:
true
,
statusCode
:
200
,
expectedErr
:
false
,
expectedAuthorized
:
true
,
expectedCalls
:
1
},
}
for
i
,
test
:=
range
tests
{
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment