Merge pull request #28765 from nhlfr/api-proxy-regex

Automatic merge from submit-queue Make "attach" and "exec" rejection in proxy more explicit ```release-note kubectl proxy changed to now allow urls to pods with "attach" or "exec" in the pod name ``` The more explicit regular expression for rejection makes a possibility of accessing pods (or any other resources) which contain "attach" or "exec" in their names via proxy API. It was not possible before. Also, the reference for "run" resource was removed, because it doesn't exist in any of k8s APIs currently. Fixes: #21464
2025-07-26 21:17:23 +00:00 · 2016-07-19 23:06:58 -07:00 · 2016-07-19 23:06:58 -07:00 · ad7ececcd0
commit ad7ececcd0
parent 0bd6e2d810 3ed9768a51
2 changed files with 32 additions and 5 deletions
--- a/pkg/kubectl/proxy_server.go
+++ b/pkg/kubectl/proxy_server.go
@ -35,7 +35,7 @@ import (
 const (
 	DefaultHostAcceptRE   = "^localhost$,^127\\.0\\.0\\.1$,^\\[::1\\]$"
 	DefaultPathAcceptRE   = "^/.*"
-	DefaultPathRejectRE   = "^/api/.*/exec,^/api/.*/run,^/api/.*/attach"
+	DefaultPathRejectRE   = "^/api/.*/pods/.*/exec,^/api/.*/pods/.*/attach"
 	DefaultMethodRejectRE = "POST,PUT,PATCH"
 )

--- a/pkg/kubectl/proxy_server_test.go
+++ b/pkg/kubectl/proxy_server_test.go
@ -62,7 +62,34 @@ func TestAccept(t *testing.T) {
 			acceptPaths:  DefaultPathAcceptRE,
 			rejectPaths:  DefaultPathRejectRE,
 			acceptHosts:  DefaultHostAcceptRE,
-			path:         "/api/v1/pods/foo/exec",
+			path:         "/api/v1/namespaces/default/pods/foo",
+			host:         "localhost",
+			method:       "GET",
+			expectAccept: true,
+		},
+		{
+			acceptPaths:  DefaultPathAcceptRE,
+			rejectPaths:  DefaultPathRejectRE,
+			acceptHosts:  DefaultHostAcceptRE,
+			path:         "/api/v1/namespaces/default/pods/attachfoo",
+			host:         "localhost",
+			method:       "GET",
+			expectAccept: true,
+		},
+		{
+			acceptPaths:  DefaultPathAcceptRE,
+			rejectPaths:  DefaultPathRejectRE,
+			acceptHosts:  DefaultHostAcceptRE,
+			path:         "/api/v1/namespaces/default/pods/execfoo",
+			host:         "localhost",
+			method:       "GET",
+			expectAccept: true,
+		},
+		{
+			acceptPaths:  DefaultPathAcceptRE,
+			rejectPaths:  DefaultPathRejectRE,
+			acceptHosts:  DefaultHostAcceptRE,
+			path:         "/api/v1/namespaces/default/pods/foo/exec",
 			host:         "127.0.0.1",
 			method:       "GET",
 			expectAccept: false,
@ -71,7 +98,7 @@ func TestAccept(t *testing.T) {
 			acceptPaths:  DefaultPathAcceptRE,
 			rejectPaths:  DefaultPathRejectRE,
 			acceptHosts:  DefaultHostAcceptRE,
-			path:         "/api/v1/pods/foo/attach",
+			path:         "/api/v1/namespaces/default/pods/foo/attach",
 			host:         "127.0.0.1",
 			method:       "GET",
 			expectAccept: false,
@ -125,7 +152,7 @@ func TestAccept(t *testing.T) {
 			acceptPaths:  DefaultPathAcceptRE,
 			rejectPaths:  DefaultPathRejectRE,
 			acceptHosts:  DefaultHostAcceptRE,
-			path:         "/api/v1/pods/somepod",
+			path:         "/api/v1/namespaces/default/pods/somepod",
 			host:         "localhost",
 			method:       "PUT",
 			expectAccept: false,
@ -134,7 +161,7 @@ func TestAccept(t *testing.T) {
 			acceptPaths:  DefaultPathAcceptRE,
 			rejectPaths:  DefaultPathRejectRE,
 			acceptHosts:  DefaultHostAcceptRE,
-			path:         "/api/v1/pods/somepod",
+			path:         "/api/v1/namespaces/default/pods/somepod",
 			host:         "localhost",
 			method:       "PATCH",
 			expectAccept: false,