Limit the read length of ioutil.ReadAll in pkg/kubelet and pkg/probe

Signed-off-by: Haiyan Meng <haiyanmeng@google.com>
2025-09-21 09:57:52 +00:00 · 2019-04-12 11:52:04 -07:00
parent 3e0fe89e3c
commit 1f270ef4e2
12 changed files with 35 additions and 10 deletions
--- a/pkg/kubelet/lifecycle/BUILD
+++ b/pkg/kubelet/lifecycle/BUILD
@@ -28,6 +28,7 @@ go_library(
        "//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
        "//staging/src/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
        "//vendor/k8s.io/klog:go_default_library",
+        "//vendor/k8s.io/utils/io:go_default_library",
    ],
 )

--- a/pkg/kubelet/lifecycle/handlers.go
+++ b/pkg/kubelet/lifecycle/handlers.go
@@ -18,7 +18,6 @@ package lifecycle

 import (
 	"fmt"
-	"io/ioutil"
 	"net"
 	"net/http"
 	"strconv"
@@ -31,6 +30,11 @@ import (
 	kubetypes "k8s.io/kubernetes/pkg/kubelet/types"
 	"k8s.io/kubernetes/pkg/kubelet/util/format"
 	"k8s.io/kubernetes/pkg/security/apparmor"
+	utilio "k8s.io/utils/io"
+)
+
+const (
+	maxRespBodyLength = 10 * 1 << 10 // 10KB
 )

 type HandlerRunner struct {
@@ -133,7 +137,8 @@ func getHttpRespBody(resp *http.Response) string {
 		return ""
 	}
 	defer resp.Body.Close()
-	if bytes, err := ioutil.ReadAll(resp.Body); err == nil {
+	bytes, err := utilio.ReadAtMost(resp.Body, maxRespBodyLength)
+	if err == nil || err == utilio.ErrLimitReached {
 		return string(bytes)
 	}
 	return ""