From e23c15a0f348c87ee43e6e157731a69451f3db34 Mon Sep 17 00:00:00 2001
From: Tim Allclair
Date: Thu, 3 Jan 2019 13:33:59 -0800
Subject: [PATCH] Only check caller-controlled attribute size for max cache key
---
 .../plugin/pkg/authorizer/webhook/webhook.go | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook.go b/staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook.go
index b9cc4c65d98..299f30b948a 100644
--- a/staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook.go
+++ b/staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook.go
@@ -200,7 +200,7 @@ func (w *WebhookAuthorizer) Authorize(attr authorizer.Attributes) (decision auth
 if r.Status.Allowed {
 w.responseCache.Add(string(key), r.Status, w.authorizedTTL)
 } else {
- if len(key) <= maxUnauthorizedCachedKeySize {
+ if callerControlledAttributeSize(attr) < maxUnauthorizedCachedKeySize {
 w.responseCache.Add(string(key), r.Status, w.unauthorizedTTL)
 }
 }
@@ -268,3 +268,14 @@ func (t *subjectAccessReviewClient) Create(subjectAccessReview *authorization.Su
 err := t.w.RestClient.Post().Body(subjectAccessReview).Do().Into(result)
 return result, err
 }
+
+func callerControlledAttributeSize(attr authorizer.Attributes) int64 {
+ return int64(len(attr.GetNamespace())) +
+ int64(len(attr.GetVerb())) +
+ int64(len(attr.GetAPIGroup())) +
+ int64(len(attr.GetAPIVersion())) +
+ int64(len(attr.GetResource())) +
+ int64(len(attr.GetSubresource())) +
+ int64(len(attr.GetName())) +
+ int64(len(attr.GetPath()))
+}
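Review bot: The bound in the else branch now measures only the fields summed by `callerControlledAttributeSize(attr)`, but the entry is still stored under the full `string(key)`, so the size of an unauthorized cache entry is no longer capped by `maxUnauthorizedCachedKeySize` itself. `key` is built outside this hunk; if it also serializes user info, that part is presumably bounded by the authenticator, and the check should say so, e.g. `// Only caller-controlled attributes are size-checked; the rest of key is not chosen by the requester.` The comparison also changed from `<=` to `<`, which moves the boundary by one; if that is not intended, keep `<=`. Authorize starts and ends outside the hunk.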
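Review bot: `callerControlledAttributeSize` has no doc comment stating which attributes it counts and why the others are left out, so a field added to `authorizer.Attributes` later can silently escape the unauthorized-cache size limit. Add something like `// callerControlledAttributeSize returns the total length of the request attributes whose values the caller chooses; update it when Attributes gains a caller-supplied field.` The diffstat shows only webhook.go changed, so a test asserting that a denied request with an oversized name or path is not cached would pin the behaviour.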