-
Notifications
You must be signed in to change notification settings - Fork 38.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reject proxy requests to 0.0.0.0 as well #107402
Conversation
@anguslees: This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
I don't know if it is possible for a service, node, ... to return those addresses, but tightening the validation here sgtm |
To be clear: I don't know of a case where this can happen either, except through 'legitimate' RBAC write access to Service/Pod/Node, which is why I'm not tagging this as a 'security' issue at this time. This is just a defence-in-depth improvement from my pov. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: anguslees, thockin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
…07402-upstream-release-1.22 Automated cherry pick of #107402: Reject proxy requests to 0.0.0.0 as well
…07402-upstream-release-1.23 Automated cherry pick of #107402: Reject proxy requests to 0.0.0.0 as well
…07402-upstream-release-1.21 Automated cherry pick of #107402: Reject proxy requests to 0.0.0.0 as well
What type of PR is this?
/kind bug
What this PR does / why we need it:
Various IP addresses are known to be invalid/unsafe as destination addresses for apiserver proxy queries. The apiserver will reject attempts to proxy to these destination addresses, if a pod/service/node somehow reports as having one of these addresses.
Previously this check included loopback, link-local, and multicast CIDRs. This PR extends the checks to also reject all-zero. (All checks include both IPv4 and IPv6 equivalents.)
As an implementation detail, the change is implemented by switching to golang's
net.IP.IsGlobalUnicast
. I invite the reader to review the source of that function and satisfy themselves that the resulting checks are equivalent.Does this PR introduce a user-facing change?