/kubernetes

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adding a limit on the size of request body the apiserver will decode for write operations #73805

Merged
merged 3 commits into from Feb 12, 2019
+220 −13

Conversation

Reviewers

@liggitt liggitt

@cheftako cheftako

@deads2k deads2k

Assignees

@liggitt liggitt

Labels
approved area/apiserver cncf-cla: yes kind/api-change lgtm needs-priority release-note sig/api-machinery sig/cli sig/testing size/L
Projects
None yet
Milestone
No milestone
3 participants
@caesarxuchao @liggitt @k8s-ci-robot
@caesarxuchao
Copy link
Member

caesarxuchao commented Feb 7, 2019
edited

The first two commits are #73713.

/assign
/kind bug-fix
/sig api-machinery
/release-note-none

This doesn't require a release note because request that fails the new limit has always been invalid. This patch just make it fail early in the apiserver REST handler, instead of after hitting etcd.

kube-apiserver: a request body of a CREATE/UPDATE/PATCH/DELETE resource operation larger than 100 MB will return a 413 "request entity too large" error.

Custom apiservers built with the latest apiserver library will have the 100MB limit on the body of resource requests as well. The limit can be altered via ServerRunOptions.MaxRequestBodyBytes.

The body size limit does not apply to subresources like pods/proxy that proxy request content to another server.

@k8s-ci-robot k8s-ci-robot assigned caesarxuchao Feb 7, 2019

@k8s-ci-robot k8s-ci-robot added sig/api-machinery do-not-merge/release-note-label-needed cncf-cla: yes needs-kind needs-priority area/apiserver kind/api-change sig/cli sig/testing and removed needs-kind labels Feb 7, 2019

@k8s-ci-robot k8s-ci-robot requested review from cheftako and deads2k Feb 7, 2019

@caesarxuchao caesarxuchao force-pushed the caesarxuchao:resource-size-limit branch from 80e49d2 to 262609c Feb 7, 2019

@caesarxuchao caesarxuchao changed the title Adding a limit on resource body size apiserver will decode for write operations Adding a limit on the size of request body the apiserver will decode for write operations Feb 7, 2019

@liggitt

liggitt reviewed Feb 7, 2019
View changes

Show resolved Hide resolved staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/types.go Outdated
Show resolved Hide resolved staging/src/k8s.io/apiserver/pkg/endpoints/handlers/rest.go Outdated
Show resolved Hide resolved staging/src/k8s.io/apiserver/pkg/endpoints/handlers/rest.go Outdated
Show resolved Hide resolved cmd/kube-apiserver/app/options/options_test.go Outdated
Show resolved Hide resolved staging/src/k8s.io/apimachinery/pkg/api/errors/errors.go

@caesarxuchao caesarxuchao force-pushed the caesarxuchao:resource-size-limit branch 2 times, most recently from 3eecdaf to 0a1bf00 Feb 7, 2019

@caesarxuchao caesarxuchao force-pushed the caesarxuchao:resource-size-limit branch 2 times, most recently from 67a0765 to af17697 Feb 7, 2019

@caesarxuchao

caesarxuchao reviewed Feb 8, 2019
View changes

Show resolved Hide resolved staging/src/k8s.io/apiserver/pkg/server/config.go
@caesarxuchao

caesarxuchao reviewed Feb 8, 2019
View changes

Show resolved Hide resolved staging/src/k8s.io/apiserver/pkg/server/config.go Outdated
@caesarxuchao

This comment has been minimized.

Sign in to view
Copy link
Member Author

caesarxuchao commented Feb 8, 2019

/unassign
/assign @liggitt

@k8s-ci-robot k8s-ci-robot assigned liggitt and unassigned caesarxuchao Feb 8, 2019

@liggitt

liggitt reviewed Feb 8, 2019
View changes

test/integration/apiserver/max_request_body_bytes_test.go Outdated

// Tests that the apiserver limits the resource size in write operations.
func TestMaxResourceSize(t *testing.T) {
s, clientSet, closeFn := setup(t)

This comment has been minimized.

Sign in to view
Copy link
@liggitt

liggitt Feb 8, 2019
edited

Member

suggest this instead to limit to 1MB to avoid needing 200MB in memory to run this test:

	stopCh := make(chan struct{})
	defer close(stopCh)
	clientSet, _ := framework.StartTestServer(t, stopCh, framework.TestServerSetup{
		ModifyServerRunOptions: func(opts *options.ServerRunOptions) {
			opts.GenericServerRunOptions.MaxRequestBodyBytes = 1024*1024
		},
	})

This comment has been minimized.

Sign in to view
Copy link
@caesarxuchao

caesarxuchao Feb 8, 2019

Author Member

Good point. Done.
@liggitt

This comment has been minimized.

Sign in to view
Copy link
Member

liggitt commented Feb 8, 2019

one test comment, agree on matching json patch copy size

@caesarxuchao caesarxuchao force-pushed the caesarxuchao:resource-size-limit branch from af17697 to a7da55a Feb 8, 2019

@caesarxuchao

This comment has been minimized.

Sign in to view
Copy link
Member Author

caesarxuchao commented Feb 8, 2019

@liggitt comments addressed. PTAL. Thank you.
@liggitt

This comment has been minimized.

Sign in to view
Copy link
Member

liggitt commented Feb 8, 2019

/retest
@caesarxuchao
add integration test
Loading status checks…
e90409d

@caesarxuchao caesarxuchao force-pushed the caesarxuchao:resource-size-limit branch from a7da55a to ee787c8 Feb 9, 2019

@caesarxuchao

This comment has been minimized.

Sign in to view
Copy link
Member Author

caesarxuchao commented Feb 9, 2019

/retest
2 similar comments
@liggitt

This comment has been minimized.

Sign in to view
Copy link
Member

liggitt commented Feb 9, 2019

/retest
@caesarxuchao

This comment has been minimized.

Sign in to view
Copy link
Member Author

caesarxuchao commented Feb 9, 2019

/retest
@liggitt

This comment has been minimized.

Sign in to view
Copy link
Member

liggitt commented Feb 11, 2019

/test all
@liggitt

liggitt reviewed Feb 11, 2019
View changes

Show resolved Hide resolved staging/src/k8s.io/apiserver/pkg/server/config.go
@liggitt

This comment has been minimized.

Sign in to view
Copy link
Member

liggitt commented Feb 11, 2019

I think the new potential http status code is worth a release note
@liggitt

This comment has been minimized.

Sign in to view
Copy link
Member

liggitt commented Feb 11, 2019

once it has a release note and the 10->100 test fixup is done, lgtm
@caesarxuchao
Loosing the request body size limit to 100MB to account for the size 
ratio between json and protobuf.
Loading status checks…
27166e4

@k8s-ci-robot k8s-ci-robot added release-note and removed do-not-merge/release-note-label-needed labels Feb 11, 2019

@caesarxuchao caesarxuchao force-pushed the caesarxuchao:resource-size-limit branch from ee787c8 to 27166e4 Feb 11, 2019

@k8s-ci-robot k8s-ci-robot added the size/L label Feb 11, 2019

@caesarxuchao

This comment has been minimized.

Sign in to view
Copy link
Member Author

caesarxuchao commented Feb 11, 2019

Both done. PTAL. Thanks.
@liggitt

This comment has been minimized.

Sign in to view
Copy link
Member

liggitt commented Feb 12, 2019

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm label Feb 12, 2019

@liggitt

This comment has been minimized.

Sign in to view
Copy link
Member

liggitt commented Feb 12, 2019

updated release note to clarify the limit only applies to resource requests, not proxy subresources like pods/proxy
@k8s-ci-robot

This comment has been minimized.

Sign in to view
Copy link
Contributor

k8s-ci-robot commented Feb 12, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: caesarxuchao, liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved label Feb 12, 2019

@k8s-ci-robot k8s-ci-robot merged commit 2940317 into kubernetes:master Feb 12, 2019
17 checks passed

17 checks passed

cla/linuxfoundation caesarxuchao authorized
Details
pull-kubernetes-bazel-build Job succeeded.
Details
pull-kubernetes-bazel-test Job succeeded.
Details
pull-kubernetes-cross Skipped
pull-kubernetes-e2e-gce Job succeeded.
Details
pull-kubernetes-e2e-gce-100-performance Job succeeded.
Details
pull-kubernetes-e2e-gce-device-plugin-gpu Job succeeded.
Details
pull-kubernetes-godeps Job succeeded.
Details
pull-kubernetes-integration Job succeeded.
Details
pull-kubernetes-kubemark-e2e-gce-big Job succeeded.
Details
pull-kubernetes-local-e2e Skipped
pull-kubernetes-local-e2e-containerized Skipped
pull-kubernetes-node-e2e Job succeeded.
Details
pull-kubernetes-typecheck Job succeeded.
Details
pull-kubernetes-verify Job succeeded.
Details
pull-publishing-bot-validate Skipped
tide In merge pool.
Details

This was referenced Feb 15, 2019

Open
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment