redact detailed errors from healthz and expose in default policy
This commit is contained in:
parent
7a06e41f93
commit
4cd0b7cdbe
@ -94,10 +94,10 @@ func ClusterRoles() []rbac.ClusterRole {
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
// a role which provides just enough power to discovery API versions for negotiation
|
// a role which provides just enough power to determine if the server is ready and discover API versions for negotiation
|
||||||
ObjectMeta: metav1.ObjectMeta{Name: "system:discovery"},
|
ObjectMeta: metav1.ObjectMeta{Name: "system:discovery"},
|
||||||
Rules: []rbac.PolicyRule{
|
Rules: []rbac.PolicyRule{
|
||||||
rbac.NewRule("get").URLs("/version", "/swaggerapi", "/swaggerapi/*", "/api", "/api/*", "/apis", "/apis/*").RuleOrDie(),
|
rbac.NewRule("get").URLs("/healthz", "/version", "/swaggerapi", "/swaggerapi/*", "/api", "/api/*", "/apis", "/apis/*").RuleOrDie(),
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
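Review bot: The new rule grants `/healthz` but not `/healthz/*`, and the updated comment does not record that this is deliberate; a reader comparing it with the neighbouring `/api/*` and `/apis/*` entries may add the wildcard and thereby expose the per-check endpoints, which the test hunk shows still return the underlying error text (`/healthz/bad` → `internal server error: this will fail`), to everyone this role is bound to. Suggest extending the comment to `// a role which provides just enough power to determine if the server is ready and discover API versions for negotiation (/healthz only; the per-check /healthz/* endpoints return error details and stay restricted)`. The ClusterRoles slice literal starts and ends outside the hunk.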
@ -369,6 +369,7 @@ items:
|
|||||||
- /api/*
|
- /api/*
|
||||||
- /apis
|
- /apis
|
||||||
- /apis/*
|
- /apis/*
|
||||||
|
- /healthz
|
||||||
- /swaggerapi
|
- /swaggerapi
|
||||||
- /swaggerapi/*
|
- /swaggerapi/*
|
||||||
- /version
|
- /version
|
||||||
|
@ -96,9 +96,10 @@ func handleRootHealthz(checks ...HealthzChecker) http.HandlerFunc {
|
|||||||
failed := false
|
failed := false
|
||||||
var verboseOut bytes.Buffer
|
var verboseOut bytes.Buffer
|
||||||
for _, check := range checks {
|
for _, check := range checks {
|
||||||
err := check.Check(r)
|
if check.Check(r) != nil {
|
||||||
if err != nil {
|
// don't include the error since this endpoint is public. If someone wants more detail
|
||||||
fmt.Fprintf(&verboseOut, "[-]%v failed: %v\n", check.Name(), err)
|
// they should have explicit permission to the detailed checks.
|
||||||
|
fmt.Fprintf(&verboseOut, "[-]%v failed: reason withheld\n", check.Name())
|
||||||
failed = true
|
failed = true
|
||||||
} else {
|
} else {
|
||||||
fmt.Fprintf(&verboseOut, "[+]%v ok\n", check.Name())
|
fmt.Fprintf(&verboseOut, "[+]%v ok\n", check.Name())
|
||||||
|
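Review bot: Discarding the result at `if check.Check(r) != nil {` drops the failure reason entirely rather than merely withholding it from the response, so an operator who sees `[-]%v failed: reason withheld` has no server-side record to consult; the new comment points at the detailed per-check endpoints, but that only helps while the failure persists and the caller holds that permission. Consider keeping the value in a local, `err := check.Check(r)` followed by `if err != nil {`, and logging it at a debug verbosity before the redacted Fprintf if this file already has a logger in scope. The handler returned by handleRootHealthz begins and ends outside the hunk.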
@ -51,10 +51,10 @@ func TestMulitipleChecks(t *testing.T) {
|
|||||||
{"/healthz?verbose", "[+]ping ok\nhealthz check passed\n", http.StatusOK, false},
|
{"/healthz?verbose", "[+]ping ok\nhealthz check passed\n", http.StatusOK, false},
|
||||||
{"/healthz/ping", "ok", http.StatusOK, false},
|
{"/healthz/ping", "ok", http.StatusOK, false},
|
||||||
{"/healthz", "ok", http.StatusOK, false},
|
{"/healthz", "ok", http.StatusOK, false},
|
||||||
{"/healthz?verbose", "[+]ping ok\n[-]bad failed: this will fail\nhealthz check failed\n", http.StatusInternalServerError, true},
|
{"/healthz?verbose", "[+]ping ok\n[-]bad failed: reason withheld\nhealthz check failed\n", http.StatusInternalServerError, true},
|
||||||
{"/healthz/ping", "ok", http.StatusOK, true},
|
{"/healthz/ping", "ok", http.StatusOK, true},
|
||||||
{"/healthz/bad", "internal server error: this will fail\n", http.StatusInternalServerError, true},
|
{"/healthz/bad", "internal server error: this will fail\n", http.StatusInternalServerError, true},
|
||||||
{"/healthz", "[+]ping ok\n[-]bad failed: this will fail\nhealthz check failed\n", http.StatusInternalServerError, true},
|
{"/healthz", "[+]ping ok\n[-]bad failed: reason withheld\nhealthz check failed\n", http.StatusInternalServerError, true},
|
||||||
}
|
}
|
||||||
|
|
||||||
for i, test := range tests {
|
for i, test := range tests {
|
||||||
|
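Review bot: The table now encodes a deliberate asymmetry — `/healthz/bad` still reports `this will fail` while `/healthz` and `/healthz?verbose` print `reason withheld` — but nothing in the test says this is intended, so a later edit could "fix" the apparent inconsistency in either direction. A one-line comment above the failing cases, e.g. `// the root and verbose endpoints are public and redact the reason; per-check endpoints keep it`, would pin the contract. TestMulitipleChecks begins before the hunk and its loop body continues after it.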