Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
d512173c
Commit
d512173c
authored
Jan 24, 2019
by
Tim Allclair
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Apply caching limits to authorized requests too
parent
e23c15a0
Hide whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
14 additions
and
11 deletions
+14
-11
webhook.go
...k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook.go
+11
-8
webhook_test.go
...o/apiserver/plugin/pkg/authorizer/webhook/webhook_test.go
+3
-3
No files found.
staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook.go
View file @
d512173c
...
@@ -41,8 +41,8 @@ var (
...
@@ -41,8 +41,8 @@ var (
const
(
const
(
retryBackoff
=
500
*
time
.
Millisecond
retryBackoff
=
500
*
time
.
Millisecond
// The maximum
key length for unauthorized request keys to qualify for
caching.
// The maximum
length of requester-controlled attributes to allow
caching.
max
UnauthorizedCachedKey
Size
=
10000
max
ControlledAttrCache
Size
=
10000
)
)
// Ensure Webhook implements the authorizer.Authorizer interface.
// Ensure Webhook implements the authorizer.Authorizer interface.
...
@@ -197,10 +197,10 @@ func (w *WebhookAuthorizer) Authorize(attr authorizer.Attributes) (decision auth
...
@@ -197,10 +197,10 @@ func (w *WebhookAuthorizer) Authorize(attr authorizer.Attributes) (decision auth
return
w
.
decisionOnError
,
""
,
err
return
w
.
decisionOnError
,
""
,
err
}
}
r
.
Status
=
result
.
Status
r
.
Status
=
result
.
Status
if
r
.
Status
.
Allowed
{
if
shouldCache
(
attr
)
{
w
.
responseCache
.
Add
(
string
(
key
),
r
.
Status
,
w
.
authorizedTTL
)
if
r
.
Status
.
Allowed
{
}
else
{
w
.
responseCache
.
Add
(
string
(
key
),
r
.
Status
,
w
.
authorizedTTL
)
if
callerControlledAttributeSize
(
attr
)
<
maxUnauthorizedCachedKeySiz
e
{
}
els
e
{
w
.
responseCache
.
Add
(
string
(
key
),
r
.
Status
,
w
.
unauthorizedTTL
)
w
.
responseCache
.
Add
(
string
(
key
),
r
.
Status
,
w
.
unauthorizedTTL
)
}
}
}
}
...
@@ -269,8 +269,10 @@ func (t *subjectAccessReviewClient) Create(subjectAccessReview *authorization.Su
...
@@ -269,8 +269,10 @@ func (t *subjectAccessReviewClient) Create(subjectAccessReview *authorization.Su
return
result
,
err
return
result
,
err
}
}
func
callerControlledAttributeSize
(
attr
authorizer
.
Attributes
)
int64
{
// shouldCache determines whether it is safe to cache the given request attributes. If the
return
int64
(
len
(
attr
.
GetNamespace
()))
+
// requester-controlled attributes are too large, this may be a DoS attempt, so we skip the cache.
func
shouldCache
(
attr
authorizer
.
Attributes
)
bool
{
controlledAttrSize
:=
int64
(
len
(
attr
.
GetNamespace
()))
+
int64
(
len
(
attr
.
GetVerb
()))
+
int64
(
len
(
attr
.
GetVerb
()))
+
int64
(
len
(
attr
.
GetAPIGroup
()))
+
int64
(
len
(
attr
.
GetAPIGroup
()))
+
int64
(
len
(
attr
.
GetAPIVersion
()))
+
int64
(
len
(
attr
.
GetAPIVersion
()))
+
...
@@ -278,4 +280,5 @@ func callerControlledAttributeSize(attr authorizer.Attributes) int64 {
...
@@ -278,4 +280,5 @@ func callerControlledAttributeSize(attr authorizer.Attributes) int64 {
int64
(
len
(
attr
.
GetSubresource
()))
+
int64
(
len
(
attr
.
GetSubresource
()))
+
int64
(
len
(
attr
.
GetName
()))
+
int64
(
len
(
attr
.
GetName
()))
+
int64
(
len
(
attr
.
GetPath
()))
int64
(
len
(
attr
.
GetPath
()))
return
controlledAttrSize
<
maxControlledAttrCacheSize
}
}
staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook_test.go
View file @
d512173c
...
@@ -616,10 +616,10 @@ func TestWebhookCache(t *testing.T) {
...
@@ -616,10 +616,10 @@ func TestWebhookCache(t *testing.T) {
{
name
:
"ridiculous unauthorized request"
,
attr
:
bobRidiculousAttr
,
allow
:
false
,
statusCode
:
200
,
expectedErr
:
false
,
expectedAuthorized
:
false
,
expectedCalls
:
1
},
{
name
:
"ridiculous unauthorized request"
,
attr
:
bobRidiculousAttr
,
allow
:
false
,
statusCode
:
200
,
expectedErr
:
false
,
expectedAuthorized
:
false
,
expectedCalls
:
1
},
// later ridiculous requests within the cache window still hit the backend
// later ridiculous requests within the cache window still hit the backend
{
name
:
"ridiculous unauthorized request again"
,
attr
:
bobRidiculousAttr
,
allow
:
false
,
statusCode
:
200
,
expectedErr
:
false
,
expectedAuthorized
:
false
,
expectedCalls
:
1
},
{
name
:
"ridiculous unauthorized request again"
,
attr
:
bobRidiculousAttr
,
allow
:
false
,
statusCode
:
200
,
expectedErr
:
false
,
expectedAuthorized
:
false
,
expectedCalls
:
1
},
// ridiculous authorized requests are
still
cached.
// ridiculous authorized requests are
not
cached.
{
name
:
"ridiculous authorized request"
,
attr
:
aliceRidiculousAttr
,
allow
:
true
,
statusCode
:
200
,
expectedErr
:
false
,
expectedAuthorized
:
true
,
expectedCalls
:
1
},
{
name
:
"ridiculous authorized request"
,
attr
:
aliceRidiculousAttr
,
allow
:
true
,
statusCode
:
200
,
expectedErr
:
false
,
expectedAuthorized
:
true
,
expectedCalls
:
1
},
// later ridiculous requests within the cache window
don't
hit the backend
// later ridiculous requests within the cache window
still
hit the backend
{
name
:
"ridiculous authorized request again"
,
attr
:
aliceRidiculousAttr
,
allow
:
false
,
statusCode
:
500
,
expectedErr
:
false
,
expectedAuthorized
:
true
,
expectedCalls
:
0
},
{
name
:
"ridiculous authorized request again"
,
attr
:
aliceRidiculousAttr
,
allow
:
true
,
statusCode
:
200
,
expectedErr
:
false
,
expectedAuthorized
:
true
,
expectedCalls
:
1
},
}
}
for
i
,
test
:=
range
tests
{
for
i
,
test
:=
range
tests
{
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment