Prevent attach from being served by default via the proxy

Clayton Coleman 2015-10-06 14:26:29 -04:00
parent 363b616908
commit 554ce403e4
4 changed files with 12 additions and 3 deletions


@ -67,7 +67,7 @@ The above lets you 'curl localhost:8001/custom/api/v1/pods'
Regular expression for HTTP methods that the proxy should reject. Regular expression for HTTP methods that the proxy should reject.
.PP .PP
\fB\-\-reject\-paths\fP="^/api/.\fI/exec,^/api/.\fP/run" \fB\-\-reject\-paths\fP="^/api/.\fI/exec,^/api/.\fP/run,^/api/.*/attach"
Regular expression for paths that the proxy should reject. Regular expression for paths that the proxy should reject.
.PP .PP


@ -84,7 +84,7 @@ $ kubectl proxy --api-prefix=/k8s-api
--disable-filter[=false]: If true, disable request filtering in the proxy. This is dangerous, and can leave you vulnerable to XSRF attacks, when used with an accessible port. --disable-filter[=false]: If true, disable request filtering in the proxy. This is dangerous, and can leave you vulnerable to XSRF attacks, when used with an accessible port.
-p, --port=8001: The port on which to run the proxy. Set to 0 to pick a random port. -p, --port=8001: The port on which to run the proxy. Set to 0 to pick a random port.
--reject-methods="POST,PUT,PATCH": Regular expression for HTTP methods that the proxy should reject. --reject-methods="POST,PUT,PATCH": Regular expression for HTTP methods that the proxy should reject.
--reject-paths="^/api/.*/exec,^/api/.*/run": Regular expression for paths that the proxy should reject. --reject-paths="^/api/.*/exec,^/api/.*/run,^/api/.*/attach": Regular expression for paths that the proxy should reject.
-u, --unix-socket="": Unix socket on which to run the proxy. -u, --unix-socket="": Unix socket on which to run the proxy.
-w, --www="": Also serve static files from the given directory under the specified prefix. -w, --www="": Also serve static files from the given directory under the specified prefix.
-P, --www-prefix="/static/": Prefix to serve static files under, if static file directory is specified. -P, --www-prefix="/static/": Prefix to serve static files under, if static file directory is specified.


@ -35,7 +35,7 @@ import (
const ( const (
DefaultHostAcceptRE = "^localhost$,^127\\.0\\.0\\.1$,^\\[::1\\]$" DefaultHostAcceptRE = "^localhost$,^127\\.0\\.0\\.1$,^\\[::1\\]$"
DefaultPathAcceptRE = "^/.*" DefaultPathAcceptRE = "^/.*"
DefaultPathRejectRE = "^/api/.*/exec,^/api/.*/run" DefaultPathRejectRE = "^/api/.*/exec,^/api/.*/run,^/api/.*/attach"
DefaultMethodRejectRE = "POST,PUT,PATCH" DefaultMethodRejectRE = "POST,PUT,PATCH"
) )
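Review bot: The `DefaultPathRejectRE` constant has no comment explaining why these paths are rejected, and the new `^/api/.*/attach` entry shows it is a deny-list that must be extended by hand for each interactive endpoint. Since `DefaultMethodRejectRE` lists only POST, PUT and PATCH, a GET to such a path presumably passes the method filter, which would make this list the only default guard for it. I would add a comment above the constant, for example `// DefaultPathRejectRE blocks interactive pod endpoints (exec, run, attach); add any new one here.` The patterns also have no end anchor, so they presumably match any later path segment that merely begins with `attach`; that errs on the safe side but is worth stating in the same comment.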


@ -67,6 +67,15 @@ func TestAccept(t *testing.T) {
method: "GET", method: "GET",
expectAccept: false, expectAccept: false,
}, },
{
acceptPaths: DefaultPathAcceptRE,
rejectPaths: DefaultPathRejectRE,
acceptHosts: DefaultHostAcceptRE,
path: "/api/v1/pods/foo/attach",
host: "127.0.0.1",
method: "GET",
expectAccept: false,
},
{ {
acceptPaths: DefaultPathAcceptRE, acceptPaths: DefaultPathAcceptRE,
rejectPaths: DefaultPathRejectRE, rejectPaths: DefaultPathRejectRE,
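Review bot: The added case pins only the un-namespaced form `/api/v1/pods/foo/attach` with GET from 127.0.0.1, so a regression in the pattern for other path shapes would go unnoticed. I would add a second case with `path: "/api/v1/namespaces/default/pods/foo/attach",` and `expectAccept: false,`, and, if the filter matches against the raw request path, one more with a trailing slash. TestAccept and the table entry that follows the added case both continue outside the hunk.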