aggregator: serve downstream apiserver discovery documents from cache rather than proxying #71754

Open
lavalamp opened this Issue Dec 5, 2018 · 2 comments

lavalamp commented Dec 5, 2018

The aggregator proxies users to downstream apiservers when discovery documents are requested for a particular API group & version. The proxy code has historically been, to use a technical term, super buggy. In particular, this made CVE-2018-1002105 much, much worse than it needed to be.

The aggregator already scrapes discovery from downstream apiservers. The request here is for it to scrape and cache all the discovery documents, and re-serve them from cache rather than proxy anonymous requests directly to the backend apiserver.

/kind feature

lavalamp commented Dec 5, 2018

@liggitt

liggitt commented Dec 5, 2018

this could also make discovery more reliable, and ease the impact of downtime for aggregated servers whose resources are not persisted (like the metrics server), but whose unavailability currently pauses components like the namespace cleanup controller and garbage collector controller for safety
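
The design requested in this issue, as an added Go example that is not part of the thread or of the Kubernetes code base: the cache is filled only by the aggregator's own scrape, and client requests are answered from it, including after the backend has gone away. The `discoveryCache` type, the `demo` function, the `example.test/v1` group and its document are constructed for illustration.

```go
package main
import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"sync"
)

// discoveryCache (hypothetical type): discovery path -> last successfully scraped document.
type discoveryCache struct{ docs sync.Map }

// scrape fetches one path with the aggregator's own client; on failure the old copy stays.
func (c *discoveryCache) scrape(client *http.Client, backend, path string) error {
	resp, err := client.Get(backend + path)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil || resp.StatusCode != http.StatusOK {
		return fmt.Errorf("scrape %s: status %d: %v", path, resp.StatusCode, err)
	}
	c.docs.Store(path, body)
	return nil
}

// ServeHTTP answers from the cache only, so no client-supplied bytes reach the backend.
func (c *discoveryCache) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if doc, ok := c.docs.Load(r.URL.Path); ok && r.Method == http.MethodGet {
		w.Write(doc.([]byte))
		return
	}
	http.NotFound(w, r)
}

// demo scrapes a constructed backend once, stops it, then serves a client from the cache.
func demo() (served string, backendHits int, err error) {
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		backendHits++
		io.WriteString(w, `{"kind":"APIResourceList","groupVersion":"example.test/v1"}`)
	}))
	c := &discoveryCache{}
	err = c.scrape(backend.Client(), backend.URL, "/apis/example.test/v1")
	backend.Close() // the downstream apiserver is now unavailable
	rec := httptest.NewRecorder()
	c.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/apis/example.test/v1", nil))
	return rec.Body.String(), backendHits, err
}
func main() { fmt.Println(demo()) }
```

The client request is served after the backend has been closed, and the backend saw exactly one request: the aggregator's own scrape.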
