Make "attach" and "exec" rejection in proxy more explicit

The more explicit regular expression for rejection makes a possibility of accessing pods (or any other resources) which contain "attach" or "exec" in their names via proxy API. It was not possible before. Also, the reference for "run" resource was removed, because it doesn't exist in any of k8s APIs currently. Fixes: #21464
2025-07-24 04:06:03 +00:00 · 2016-07-11 10:16:09 +02:00 · 2016-07-11 10:16:09 +02:00 · 3ed9768a51
commit 3ed9768a51
parent 63bb2810d2
2 changed files with 32 additions and 5 deletions
--- a/pkg/kubectl/proxy_server.go
+++ b/pkg/kubectl/proxy_server.go
@ -35,7 +35,7 @@ import (
 const (
 	DefaultHostAcceptRE   = "^localhost$,^127\\.0\\.0\\.1$,^\\[::1\\]$"
 	DefaultPathAcceptRE   = "^/.*"
-	DefaultPathRejectRE   = "^/api/.*/exec,^/api/.*/run,^/api/.*/attach"
+	DefaultPathRejectRE   = "^/api/.*/pods/.*/exec,^/api/.*/pods/.*/attach"
 	DefaultMethodRejectRE = "POST,PUT,PATCH"
 )

--- a/pkg/kubectl/proxy_server_test.go
+++ b/pkg/kubectl/proxy_server_test.go
@ -62,7 +62,34 @@ func TestAccept(t *testing.T) {
 			acceptPaths:  DefaultPathAcceptRE,
 			rejectPaths:  DefaultPathRejectRE,
 			acceptHosts:  DefaultHostAcceptRE,
-			path:         "/api/v1/pods/foo/exec",
+			path:         "/api/v1/namespaces/default/pods/foo",
+			host:         "localhost",
+			method:       "GET",
+			expectAccept: true,
+		},
+		{
+			acceptPaths:  DefaultPathAcceptRE,
+			rejectPaths:  DefaultPathRejectRE,
+			acceptHosts:  DefaultHostAcceptRE,
+			path:         "/api/v1/namespaces/default/pods/attachfoo",
+			host:         "localhost",
+			method:       "GET",
+			expectAccept: true,
+		},
+		{
+			acceptPaths:  DefaultPathAcceptRE,
+			rejectPaths:  DefaultPathRejectRE,
+			acceptHosts:  DefaultHostAcceptRE,
+			path:         "/api/v1/namespaces/default/pods/execfoo",
+			host:         "localhost",
+			method:       "GET",
+			expectAccept: true,
+		},
+		{
+			acceptPaths:  DefaultPathAcceptRE,
+			rejectPaths:  DefaultPathRejectRE,
+			acceptHosts:  DefaultHostAcceptRE,
+			path:         "/api/v1/namespaces/default/pods/foo/exec",
 			host:         "127.0.0.1",
 			method:       "GET",
 			expectAccept: false,
@ -71,7 +98,7 @@ func TestAccept(t *testing.T) {
 			acceptPaths:  DefaultPathAcceptRE,
 			rejectPaths:  DefaultPathRejectRE,
 			acceptHosts:  DefaultHostAcceptRE,
-			path:         "/api/v1/pods/foo/attach",
+			path:         "/api/v1/namespaces/default/pods/foo/attach",
 			host:         "127.0.0.1",
 			method:       "GET",
 			expectAccept: false,
@ -125,7 +152,7 @@ func TestAccept(t *testing.T) {
 			acceptPaths:  DefaultPathAcceptRE,
 			rejectPaths:  DefaultPathRejectRE,
 			acceptHosts:  DefaultHostAcceptRE,
-			path:         "/api/v1/pods/somepod",
+			path:         "/api/v1/namespaces/default/pods/somepod",
 			host:         "localhost",
 			method:       "PUT",
 			expectAccept: false,
@ -134,7 +161,7 @@ func TestAccept(t *testing.T) {
 			acceptPaths:  DefaultPathAcceptRE,
 			rejectPaths:  DefaultPathRejectRE,
 			acceptHosts:  DefaultHostAcceptRE,
-			path:         "/api/v1/pods/somepod",
+			path:         "/api/v1/namespaces/default/pods/somepod",
 			host:         "localhost",
 			method:       "PATCH",
 			expectAccept: false,