PodSecurity: limit webhook admission input

This commit is contained in:
Jordan Liggitt 2021-10-05 10:31:32 -04:00
parent 04f747d09f
commit f46642a4f1


@ -22,6 +22,7 @@ import (
"encoding/json"
"errors"
"fmt"
"io"
"io/ioutil"
"net/http"
"time"
@ -45,6 +46,8 @@ import (
"k8s.io/pod-security-admission/policy"
)
const maxRequestSize = int64(3 * 1024 * 1024)
// NewSchedulerCommand creates a *cobra.Command object with default parameters and registryOptions
func NewServerCommand() *cobra.Command {
opts := options.NewOptions()
@ -153,11 +156,17 @@ func (s *Server) HandleValidate(w http.ResponseWriter, r *http.Request) {
}
defer r.Body.Close()
if body, err = ioutil.ReadAll(r.Body); err != nil {
limitedReader := &io.LimitedReader{R: r.Body, N: maxRequestSize}
if body, err = ioutil.ReadAll(limitedReader); err != nil {
klog.ErrorS(err, "unable to read the body from the incoming request")
http.Error(w, "unable to read the body from the incoming request", http.StatusBadRequest)
return
}
if limitedReader.N <= 0 {
klog.ErrorS(err, "unable to read the body from the incoming request; limit reached")
http.Error(w, fmt.Sprintf("request entity is too large; limit is %d bytes", maxRequestSize), http.StatusRequestEntityTooLarge)
return
}
// verify the content type is accurate
if contentType := r.Header.Get("Content-Type"); contentType != "application/json" {
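Review bot: The size check `if limitedReader.N <= 0` rejects a body of exactly maxRequestSize bytes, because a LimitedReader with N set to the limit reports N == 0 after a valid read that fills it; the limit should allow one extra byte so that only bodies strictly larger than the limit trip it, e.g. `limitedReader := &io.LimitedReader{R: r.Body, N: maxRequestSize + 1}` and `if int64(len(body)) > maxRequestSize {`. The `klog.ErrorS(err, ...)` on the too-large branch passes an err that is necessarily nil at that point (ReadAll just succeeded), so the log line carries no error; `klog.ErrorS(nil, "request body exceeds limit", "limit", maxRequestSize)` states the condition without the misleading "unable to read" wording. Bounding the read before the JSON decode rather than trusting Content-Length is the right choice, since the header is caller-controlled; http.MaxBytesReader would give the same protection with a distinguishable error, but the explicit LimitedReader is acceptable if the boundary is fixed. HandleValidate's body begins and ends outside the hunk.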