Adding a limit on the size of request body the apiserver will decode for write operations #73805

Merged
merged 3 commits into from Feb 12, 2019

Member

caesarxuchao commented Feb 7, 2019

The first two commits are #73713.

/assign
/kind bug-fix
/sig api-machinery
/release-note-none

This doesn't require a release note because a request that fails the new limit has always been invalid. This patch just makes it fail early in the apiserver REST handler, instead of after hitting etcd.

kube-apiserver: a request body of a CREATE/UPDATE/PATCH/DELETE resource operation larger than 100 MB will return a 413 "request entity too large" error.

Custom apiservers built with the latest apiserver library will have the 100MB limit on the body of resource requests as well. The limit can be altered via ServerRunOptions.MaxRequestBodyBytes.

The body size limit does not apply to subresources like pods/proxy that proxy request content to another server.
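
The early rejection this description refers to, as an added example (not code from this PR or from Kubernetes): the body is read through a reader capped at limit+1 bytes, so an oversized write gets a 413 before anything is decoded. The names `limitedReadBody`, `writeHandler`, `statusFor` and the `/write` path are hypothetical, and the sample bodies are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

var errTooLarge = errors.New("request entity too large")

// limitedReadBody buffers at most limit+1 bytes, so an oversized body is detected early.
func limitedReadBody(r *http.Request, limit int64) ([]byte, error) {
	if r.ContentLength > limit { // declared size is already too big: read nothing
		return nil, errTooLarge
	}
	data, err := io.ReadAll(io.LimitReader(r.Body, limit+1))
	if err == nil && int64(len(data)) > limit { // length was not declared up front
		return nil, errTooLarge
	}
	return data, err
}

// writeHandler is a hypothetical write endpoint, not the apiserver's own handler.
func writeHandler(limit int64) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		code := http.StatusCreated // decoding and storage would follow here
		if _, err := limitedReadBody(r, limit); errors.Is(err, errTooLarge) {
			code = http.StatusRequestEntityTooLarge // 413
		} else if err != nil {
			code = http.StatusBadRequest
		}
		w.WriteHeader(code)
	})
}

// statusFor posts a constructed n-byte body and returns the response status code.
func statusFor(limit int64, n int, chunked bool) int {
	var body io.Reader = strings.NewReader(strings.Repeat("a", n))
	if chunked {
		body = struct{ io.Reader }{body} // hides the length: ContentLength becomes -1
	}
	rec := httptest.NewRecorder()
	writeHandler(limit).ServeHTTP(rec, httptest.NewRequest(http.MethodPost, "/write", body))
	return rec.Code
}

func main() { fmt.Println(statusFor(1024, 1024, false), statusFor(1024, 1025, true)) }
```

The second read-side check matters because a chunked request carries no `Content-Length` to reject on.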

@k8s-ci-robot k8s-ci-robot requested review from cheftako and deads2k Feb 7, 2019

@caesarxuchao caesarxuchao force-pushed the caesarxuchao:resource-size-limit branch from 80e49d2 to 262609c Feb 7, 2019

@caesarxuchao caesarxuchao changed the title Adding a limit on resource body size apiserver will decode for write operations Adding a limit on the size of request body the apiserver will decode for write operations Feb 7, 2019

@caesarxuchao caesarxuchao force-pushed the caesarxuchao:resource-size-limit branch 2 times, most recently from 3eecdaf to 0a1bf00 Feb 7, 2019

@caesarxuchao caesarxuchao force-pushed the caesarxuchao:resource-size-limit branch 2 times, most recently from 67a0765 to af17697 Feb 7, 2019

Member Author

caesarxuchao commented Feb 8, 2019

/unassign
/assign @liggitt

@k8s-ci-robot k8s-ci-robot assigned liggitt and unassigned caesarxuchao Feb 8, 2019


// Tests that the apiserver limits the resource size in write operations.
func TestMaxResourceSize(t *testing.T) {
s, clientSet, closeFn := setup(t)
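
Review bot: the test name and its comment (`TestMaxResourceSize`, "limits the resource size") describe a resource-size limit, while the PR title was changed to say the limit is on the request body the apiserver will decode. Consider renaming the test and rewording the comment to say "request body" so the test reads consistently with the option it exercises.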

liggitt Feb 8, 2019

Member

suggest this instead to limit to 1MB to avoid needing 200MB in memory to run this test:

	stopCh := make(chan struct{})
	defer close(stopCh)
	clientSet, _ := framework.StartTestServer(t, stopCh, framework.TestServerSetup{
		ModifyServerRunOptions: func(opts *options.ServerRunOptions) {
			opts.GenericServerRunOptions.MaxRequestBodyBytes = 1024*1024
		},
	})

caesarxuchao Feb 8, 2019

Author Member

Good point. Done.

Member

liggitt commented Feb 8, 2019

one test comment, agree on matching json patch copy size

@caesarxuchao caesarxuchao force-pushed the caesarxuchao:resource-size-limit branch from af17697 to a7da55a Feb 8, 2019

Member Author

caesarxuchao commented Feb 8, 2019

@liggitt comments addressed. PTAL. Thank you.

Member

liggitt commented Feb 8, 2019

/retest

@caesarxuchao caesarxuchao force-pushed the caesarxuchao:resource-size-limit branch from a7da55a to ee787c8 Feb 9, 2019

Member Author

caesarxuchao commented Feb 9, 2019

/retest

Member

liggitt commented Feb 9, 2019

/retest

Member Author

caesarxuchao commented Feb 9, 2019

/retest

Member

liggitt commented Feb 11, 2019

/test all

Member

liggitt commented Feb 11, 2019

I think the new potential http status code is worth a release note

Member

liggitt commented Feb 11, 2019

once it has a release note and the 10->100 test fixup is done, lgtm

@caesarxuchao caesarxuchao force-pushed the caesarxuchao:resource-size-limit branch from ee787c8 to 27166e4 Feb 11, 2019

@k8s-ci-robot k8s-ci-robot added the size/L label Feb 11, 2019

Member Author

caesarxuchao commented Feb 11, 2019

Both done. PTAL. Thanks.

Member

liggitt commented Feb 12, 2019

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm label Feb 12, 2019

Member

liggitt commented Feb 12, 2019

updated release note to clarify the limit only applies to resource requests, not proxy subresources like pods/proxy

Contributor

k8s-ci-robot commented Feb 12, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: caesarxuchao, liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit 2940317 into kubernetes:master Feb 12, 2019

17 checks passed

cla/linuxfoundation caesarxuchao authorized
pull-kubernetes-bazel-build Job succeeded.
pull-kubernetes-bazel-test Job succeeded.
pull-kubernetes-cross Skipped
pull-kubernetes-e2e-gce Job succeeded.
pull-kubernetes-e2e-gce-100-performance Job succeeded.
pull-kubernetes-e2e-gce-device-plugin-gpu Job succeeded.
pull-kubernetes-godeps Job succeeded.
pull-kubernetes-integration Job succeeded.
pull-kubernetes-kubemark-e2e-gce-big Job succeeded.
pull-kubernetes-local-e2e Skipped
pull-kubernetes-local-e2e-containerized Skipped
pull-kubernetes-node-e2e Job succeeded.
pull-kubernetes-typecheck Job succeeded.
pull-kubernetes-verify Job succeeded.
pull-publishing-bot-validate Skipped
tide In merge pool.