Prevent attach from being served by default via the proxy

2025-07-29 14:37:00 +00:00 · 2015-10-06 14:26:29 -04:00 · 2015-10-06 14:26:29 -04:00 · 554ce403e4
commit 554ce403e4
parent 363b616908
4 changed files with 12 additions and 3 deletions
--- a/docs/man/man1/kubectl-proxy.1
+++ b/docs/man/man1/kubectl-proxy.1
@ -67,7 +67,7 @@ The above lets you 'curl localhost:8001/custom/api/v1/pods'
    Regular expression for HTTP methods that the proxy should reject.

 .PP
-\fB\-\-reject\-paths\fP="^/api/.\fI/exec,^/api/.\fP/run"
+\fB\-\-reject\-paths\fP="^/api/.\fI/exec,^/api/.\fP/run,^/api/.*/attach"
    Regular expression for paths that the proxy should reject.

 .PP
--- a/docs/user-guide/kubectl/kubectl_proxy.md
+++ b/docs/user-guide/kubectl/kubectl_proxy.md
@ -84,7 +84,7 @@ $ kubectl proxy --api-prefix=/k8s-api
      --disable-filter[=false]: If true, disable request filtering in the proxy. This is dangerous, and can leave you vulnerable to XSRF attacks, when used with an accessible port.
  -p, --port=8001: The port on which to run the proxy. Set to 0 to pick a random port.
      --reject-methods="POST,PUT,PATCH": Regular expression for HTTP methods that the proxy should reject.
-      --reject-paths="^/api/.*/exec,^/api/.*/run": Regular expression for paths that the proxy should reject.
+      --reject-paths="^/api/.*/exec,^/api/.*/run,^/api/.*/attach": Regular expression for paths that the proxy should reject.
  -u, --unix-socket="": Unix socket on which to run the proxy.
  -w, --www="": Also serve static files from the given directory under the specified prefix.
  -P, --www-prefix="/static/": Prefix to serve static files under, if static file directory is specified.
--- a/pkg/kubectl/proxy_server.go
+++ b/pkg/kubectl/proxy_server.go
@ -35,7 +35,7 @@ import (
 const (
 	DefaultHostAcceptRE   = "^localhost$,^127\\.0\\.0\\.1$,^\\[::1\\]$"
 	DefaultPathAcceptRE   = "^/.*"
-	DefaultPathRejectRE   = "^/api/.*/exec,^/api/.*/run"
+	DefaultPathRejectRE   = "^/api/.*/exec,^/api/.*/run,^/api/.*/attach"
 	DefaultMethodRejectRE = "POST,PUT,PATCH"
 )

--- a/pkg/kubectl/proxy_server_test.go
+++ b/pkg/kubectl/proxy_server_test.go
@ -67,6 +67,15 @@ func TestAccept(t *testing.T) {
 			method:       "GET",
 			expectAccept: false,
 		},
+		{
+			acceptPaths:  DefaultPathAcceptRE,
+			rejectPaths:  DefaultPathRejectRE,
+			acceptHosts:  DefaultHostAcceptRE,
+			path:         "/api/v1/pods/foo/attach",
+			host:         "127.0.0.1",
+			method:       "GET",
+			expectAccept: false,
+		},
 		{
 			acceptPaths:  DefaultPathAcceptRE,
 			rejectPaths:  DefaultPathRejectRE,