mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-30 23:15:14 +00:00
PodSecurity: limit webhook admission input
parent
04f747d09f
commit
f46642a4f1
@ -22,6 +22,7 @@ import (
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
"io/ioutil"
|
||||
"net/http"
|
||||
"time"
|
||||
@ -45,6 +46,8 @@ import (
|
||||
"k8s.io/pod-security-admission/policy"
|
||||
)
|
||||
|
||||
const maxRequestSize = int64(3 * 1024 * 1024)
|
||||
|
||||
// NewSchedulerCommand creates a *cobra.Command object with default parameters and registryOptions
|
||||
func NewServerCommand() *cobra.Command {
|
||||
opts := options.NewOptions()
|
||||
@ -153,11 +156,17 @@ func (s *Server) HandleValidate(w http.ResponseWriter, r *http.Request) {
|
||||
}
|
||||
|
||||
defer r.Body.Close()
|
||||
if body, err = ioutil.ReadAll(r.Body); err != nil {
|
||||
limitedReader := &io.LimitedReader{R: r.Body, N: maxRequestSize}
|
||||
if body, err = ioutil.ReadAll(limitedReader); err != nil {
|
||||
klog.ErrorS(err, "unable to read the body from the incoming request")
|
||||
http.Error(w, "unable to read the body from the incoming request", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
if limitedReader.N <= 0 {
|
||||
klog.ErrorS(err, "unable to read the body from the incoming request; limit reached")
|
||||
http.Error(w, fmt.Sprintf("request entity is too large; limit is %d bytes", maxRequestSize), http.StatusRequestEntityTooLarge)
|
||||
return
|
||||
}
|
||||
|
||||
// verify the content type is accurate
|
||||
if contentType := r.Header.Get("Content-Type"); contentType != "application/json" {
|
||||
|
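Review bot: In HandleValidate the `limitedReader.N <= 0` test also fires for a body of exactly `maxRequestSize` bytes, because the reader's counter reaches zero at the limit as well as past it, so a request that fits the advertised "limit is %d bytes" still gets a 413. Allowing one byte more than the limit makes the check exact: `limitedReader := &io.LimitedReader{R: r.Body, N: maxRequestSize + 1}`. In that same branch `err` is always nil, since the read-error case has already returned, so `klog.ErrorS(err, ...)` records no error value; passing an explicit one, e.g. `klog.ErrorS(errors.New("request body too large"), "limit reached", "limit", maxRequestSize)`, keeps oversized-request events searchable in the logs. The Content-Type check in the trailing context runs only after the whole body has been buffered, so it may be worth moving ahead of the read to reject mistyped requests cheaply. HandleValidate begins and ends outside the visible hunk, so the placement should be confirmed against the full function.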