security: disable pprof by default (#1672)

(cherry picked from commit 24786f4)
kubeovn · Jul 8, 2022 · 8190df3 · 8190df3
1 parent 761ddcb
commit 8190df3
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 6 deletions.
diff --git a/cmd/controller/controller.go b/cmd/controller/controller.go
@@ -5,7 +5,7 @@ import (
 	"fmt"
 	"github.com/kubeovn/kube-ovn/pkg/util"
 	"net/http"
-	_ "net/http/pprof" // #nosec
+	"net/http/pprof"
 	"os"
 	"time"
 
@@ -40,8 +40,16 @@ func CmdMain() {
 
 	go loopOvnNbctlDaemon(config)
 	go func() {
-		http.Handle("/metrics", promhttp.Handler())
-		klog.Fatal(http.ListenAndServe(fmt.Sprintf("0.0.0.0:%d", config.PprofPort), nil))
+		mux := http.NewServeMux()
+		mux.Handle("/metrics", promhttp.Handler())
+		if config.EnablePprof {
+			mux.HandleFunc("/debug/pprof/", pprof.Index)
+			mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
+			mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
+			mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
+			mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
+		}
+		klog.Fatal(http.ListenAndServe(fmt.Sprintf("0.0.0.0:%d", config.PprofPort), mux))
 	}()
 
 	ctl := controller.NewController(config)

diff --git a/cmd/daemon/cniserver.go b/cmd/daemon/cniserver.go
@@ -5,7 +5,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
-	_ "net/http/pprof" // #nosec
+	"net/http/pprof"
 	"os"
 	"path/filepath"
 	"strings"
@@ -84,8 +84,17 @@ func CmdMain() {
 	if err := mvCNIConf(config.CniConfDir, config.CniConfFile, config.CniConfName); err != nil {
 		klog.Fatalf("failed to mv cni conf, %v", err)
 	}
-	http.Handle("/metrics", promhttp.Handler())
-	klog.Fatal(http.ListenAndServe(fmt.Sprintf("0.0.0.0:%d", config.PprofPort), nil))
+
+	mux := http.NewServeMux()
+	mux.Handle("/metrics", promhttp.Handler())
+	if config.EnablePprof {
+		mux.HandleFunc("/debug/pprof/", pprof.Index)
+		mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
+		mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
+		mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
+		mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
+	}
+	klog.Fatal(http.ListenAndServe(fmt.Sprintf("0.0.0.0:%d", config.PprofPort), mux))
 }
 
 func mvCNIConf(configDir, configFile, confName string) error {

diff --git a/pkg/controller/config.go b/pkg/controller/config.go
@@ -62,6 +62,7 @@ type Configuration struct {
 
 	WorkerNum       int
 	PprofPort       int
+	EnablePprof     bool
 	NodePgProbeTime int
 
 	NetworkType          string
@@ -113,6 +114,7 @@ func ParseFlags() (*Configuration, error) {
 		argClusterUdpSessionLoadBalancer = pflag.String("cluster-udp-session-loadbalancer", "cluster-udp-session-loadbalancer", "The name for cluster udp session loadbalancer")
 
 		argWorkerNum       = pflag.Int("worker-num", 3, "The parallelism of each worker")
+		argEnablePprof     = pflag.Bool("enable-pprof", false, "Enable pprof")
 		argPprofPort       = pflag.Int("pprof-port", 10660, "The port to get profiling data")
 		argNodePgProbeTime = pflag.Int("nodepg-probe-time", 1, "The probe interval for node port-group, the unit is minute")
 
@@ -175,6 +177,7 @@ func ParseFlags() (*Configuration, error) {
 		ClusterTcpSessionLoadBalancer: *argClusterTcpSessionLoadBalancer,
 		ClusterUdpSessionLoadBalancer: *argClusterUdpSessionLoadBalancer,
 		WorkerNum:                     *argWorkerNum,
+		EnablePprof:                   *argEnablePprof,
 		PprofPort:                     *argPprofPort,
 		NetworkType:                   *argNetworkType,
 		DefaultVlanID:                 *argDefaultVlanID,

diff --git a/pkg/daemon/config.go b/pkg/daemon/config.go
@@ -43,6 +43,7 @@ type Configuration struct {
 	ServiceClusterIPRange   string
 	NodeLocalDnsIP          string
 	EncapChecksum           bool
+	EnablePprof             bool
 	PprofPort               int
 	NetworkType             string
 	CniConfDir              string
@@ -69,6 +70,7 @@ func ParseFlags() *Configuration {
 		argServiceClusterIPRange = pflag.String("service-cluster-ip-range", "10.96.0.0/12", "The kubernetes service cluster ip range")
 		argNodeLocalDnsIP        = pflag.String("node-local-dns-ip", "", "If use nodelocaldns the local dns server ip should be set here.")
 		argEncapChecksum         = pflag.Bool("encap-checksum", true, "Enable checksum")
+		argEnablePprof           = pflag.Bool("enable-pprof", false, "Enable pprof")
 		argPprofPort             = pflag.Int("pprof-port", 10665, "The port to get profiling data")
 
 		argsNetworkType            = pflag.String("network-type", "geneve", "The ovn network type")
@@ -110,6 +112,7 @@ func ParseFlags() *Configuration {
 		BindSocket:              *argBindSocket,
 		OvsSocket:               *argOvsSocket,
 		KubeConfigFile:          *argKubeConfigFile,
+		EnablePprof:             *argEnablePprof,
 		PprofPort:               *argPprofPort,
 		NodeName:                strings.ToLower(*argNodeName),
 		ServiceClusterIPRange:   *argServiceClusterIPRange,