From a4a6076924faa841341a4689123ac47853f8e244 Mon Sep 17 00:00:00 2001
From: Chen Li <shchenli@cn.ibm.com>
Date: Thu, 28 Sep 2017 03:37:49 -0500
Subject: [PATCH] Improve kubectl error messages

Fixes https://github.com/kubernetes/kubernetes/issues/34457
Part of work on https://github.com/kubernetes/kubernetes/issues/31267
---
 pkg/kubelet/server/server.go      | 16 ++++++++
 pkg/kubelet/server/server_test.go | 62 ++++++++++++++++++++++++++++++-
 2 files changed, 77 insertions(+), 1 deletion(-)

diff --git a/pkg/kubelet/server/server.go b/pkg/kubelet/server/server.go
index 14177be20ac..72049afd17c 100644
--- a/pkg/kubelet/server/server.go
+++ b/pkg/kubelet/server/server.go
@@ -211,6 +211,8 @@ func NewServer(
 		if enableContentionProfiling {
 			goruntime.SetBlockProfileRate(1)
 		}
+	} else {
+		server.InstallDebuggingDisabledHandlers()
 	}
 	return server
 }
@@ -418,6 +420,20 @@ func (s *Server) InstallDebuggingHandlers(criHandler http.Handler) {
 	}
 }
 
+// InstallDebuggingDisabledHandlers registers the HTTP request patterns that provide better error message
+func (s *Server) InstallDebuggingDisabledHandlers() {
+	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		http.Error(w, "Debug endpoints are disabled.", http.StatusMethodNotAllowed)
+	})
+
+	paths := []string{
+		"/run/", "/exec/", "/attach/", "/portForward/", "/containerLogs/",
+		"/runningpods/", pprofBasePath, logsPath}
+	for _, p := range paths {
+		s.restfulCont.Handle(p, h)
+	}
+}
+
 // Checks if kubelet's sync loop  that updates containers is working.
 func (s *Server) syncLoopHealthCheck(req *http.Request) error {
 	duration := s.host.ResyncInterval() * 2
diff --git a/pkg/kubelet/server/server_test.go b/pkg/kubelet/server/server_test.go
index 85e62b2aae1..7fa1753db2e 100644
--- a/pkg/kubelet/server/server_test.go
+++ b/pkg/kubelet/server/server_test.go
@@ -205,6 +205,10 @@ type serverTestFramework struct {
 }
 
 func newServerTest() *serverTestFramework {
+	return newServerTestWithDebug(true)
+}
+
+func newServerTestWithDebug(enableDebugging bool) *serverTestFramework {
 	fw := &serverTestFramework{}
 	fw.fakeKubelet = &fakeKubelet{
 		hostnameFunc: func() string {
@@ -239,7 +243,7 @@ func newServerTest() *serverTestFramework {
 		fw.fakeKubelet,
 		stats.NewResourceAnalyzer(fw.fakeKubelet, time.Minute),
 		fw.fakeAuth,
-		true,
+		enableDebugging,
 		false,
 		&kubecontainertesting.Mock{},
 		fw.criHandler)
@@ -1635,3 +1639,59 @@ func TestCRIHandler(t *testing.T) {
 	assert.Equal(t, path, fw.criHandler.RequestReceived.URL.Path)
 	assert.Equal(t, query, fw.criHandler.RequestReceived.URL.RawQuery)
 }
+
+func TestDebuggingDisabledHandlers(t *testing.T) {
+	fw := newServerTestWithDebug(false)
+	defer fw.testHTTPServer.Close()
+
+	paths := []string{
+		"/run", "/exec", "/attach", "/portForward", "/containerLogs", "/runningpods",
+		"/run/", "/exec/", "/attach/", "/portForward/", "/containerLogs/", "/runningpods/",
+		"/run/xxx", "/exec/xxx", "/attach/xxx", "/debug/pprof/profile", "/logs/kubelet.log",
+	}
+
+	for _, p := range paths {
+		resp, err := http.Get(fw.testHTTPServer.URL + p)
+		require.NoError(t, err)
+		assert.Equal(t, http.StatusMethodNotAllowed, resp.StatusCode)
+		body, err := ioutil.ReadAll(resp.Body)
+		require.NoError(t, err)
+		assert.Equal(t, "Debug endpoints are disabled.\n", string(body))
+
+		resp, err = http.Post(fw.testHTTPServer.URL+p, "", nil)
+		require.NoError(t, err)
+		assert.Equal(t, http.StatusMethodNotAllowed, resp.StatusCode)
+		body, err = ioutil.ReadAll(resp.Body)
+		require.NoError(t, err)
+		assert.Equal(t, "Debug endpoints are disabled.\n", string(body))
+	}
+
+	// test some other paths, make sure they're working
+	containerInfo := &cadvisorapi.ContainerInfo{
+		ContainerReference: cadvisorapi.ContainerReference{
+			Name: "/",
+		},
+	}
+	fw.fakeKubelet.rawInfoFunc = func(req *cadvisorapi.ContainerInfoRequest) (map[string]*cadvisorapi.ContainerInfo, error) {
+		return map[string]*cadvisorapi.ContainerInfo{
+			containerInfo.Name: containerInfo,
+		}, nil
+	}
+
+	resp, err := http.Get(fw.testHTTPServer.URL + "/stats")
+	require.NoError(t, err)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+	machineInfo := &cadvisorapi.MachineInfo{
+		NumCores:       4,
+		MemoryCapacity: 1024,
+	}
+	fw.fakeKubelet.machineInfoFunc = func() (*cadvisorapi.MachineInfo, error) {
+		return machineInfo, nil
+	}
+
+	resp, err = http.Get(fw.testHTTPServer.URL + "/spec")
+	require.NoError(t, err)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+}