github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-04 01:40:07 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #105485 from liggitt/podsecurity-limit

Browse Source 
PodSecurity: limit webhook admission input
This commit is contained in:
Kubernetes Prow Robot 2021-10-14 10:49:36 -07:00 committed by GitHub
commit 7c80381d98
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 10 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
staging/src/k8s.io/pod-security-admission/cmd/webhook/server/server.go
View File

@ -22,6 +22,7 @@ import (
"encoding/json" "encoding/json"
"errors" "errors"
"fmt" "fmt"
"io"
"io/ioutil" "io/ioutil"
"net/http" "net/http"
"time" "time"
@ -45,6 +46,8 @@ import (
"k8s.io/pod-security-admission/policy" "k8s.io/pod-security-admission/policy"
) )
const maxRequestSize = int64(3 * 1024 * 1024)
// NewSchedulerCommand creates a *cobra.Command object with default parameters and registryOptions // NewSchedulerCommand creates a *cobra.Command object with default parameters and registryOptions
func NewServerCommand() *cobra.Command { func NewServerCommand() *cobra.Command {
opts := options.NewOptions() opts := options.NewOptions()
@ -153,11 +156,17 @@ func (s *Server) HandleValidate(w http.ResponseWriter, r *http.Request) {
} }
defer r.Body.Close() defer r.Body.Close()
if body, err = ioutil.ReadAll(r.Body); err != nil { limitedReader := &io.LimitedReader{R: r.Body, N: maxRequestSize}
if body, err = ioutil.ReadAll(limitedReader); err != nil {
klog.ErrorS(err, "unable to read the body from the incoming request") klog.ErrorS(err, "unable to read the body from the incoming request")
http.Error(w, "unable to read the body from the incoming request", http.StatusBadRequest) http.Error(w, "unable to read the body from the incoming request", http.StatusBadRequest)
return return
} }
if limitedReader.N <= 0 {
klog.ErrorS(err, "unable to read the body from the incoming request; limit reached")
http.Error(w, fmt.Sprintf("request entity is too large; limit is %d bytes", maxRequestSize), http.StatusRequestEntityTooLarge)
return
}
// verify the content type is accurate // verify the content type is accurate
if contentType := r.Header.Get("Content-Type"); contentType != "application/json" { if contentType := r.Header.Get("Content-Type"); contentType != "application/json" {