security: restrict anonymous access to the /kapis/version endpoint (#2107)
Signed-off-by: hongming <coder.scala@gmail.com>
@@ -85,7 +85,7 @@ spec:
|
||||
livenessProbe:
|
||||
failureThreshold: 8
|
||||
httpGet:
|
||||
path: /version
|
||||
path: /livez
|
||||
port: 9090
|
||||
{{- if .Values.internalTLS }}
|
||||
scheme: HTTPS
|
||||
|
||||
@@ -120,6 +120,7 @@ func (s *APIServer) PrepareRun(stopCh <-chan struct{}) error {
|
||||
s.installKubeSphereAPIs()
|
||||
s.installMetricsAPI()
|
||||
s.installHealthz()
|
||||
s.installLivez()
|
||||
if err := s.installOpenAPI(); err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -198,7 +199,12 @@ func (s *APIServer) installKubeSphereAPIs() {
|
||||
|
||||
// installHealthz creates the healthz endpoint for this server
|
||||
func (s *APIServer) installHealthz() {
|
||||
urlruntime.Must(healthz.InstallHandler(s.container, []healthz.HealthChecker{}...))
|
||||
urlruntime.Must(healthz.InstallHandler(s.container))
|
||||
}
|
||||
|
||||
// installLivez creates the livez endpoint for this server
|
||||
func (s *APIServer) installLivez() {
|
||||
urlruntime.Must(healthz.InstallLivezHandler(s.container))
|
||||
}
|
||||
|
||||
func (s *APIServer) Run(ctx context.Context) (err error) {
|
||||
@@ -262,7 +268,7 @@ func (s *APIServer) buildHandlerChain(handler http.Handler, stopCh <-chan struct
|
||||
default:
|
||||
fallthrough
|
||||
case authorization.RBAC:
|
||||
excludedPaths := []string{"/oauth/*", "/dist/*", "/.well-known/openid-configuration", "/kapis/version", "/version", "/metrics", "/healthz", "/openapi/v2", "/openapi/v3"}
|
||||
excludedPaths := []string{"/oauth/*", "/dist/*", "/.well-known/openid-configuration", "/version", "/metrics", "/livez", "/healthz", "/openapi/v2", "/openapi/v3"}
|
||||
pathAuthorizer, _ := path.NewAuthorizer(excludedPaths)
|
||||
amOperator := am.NewReadOnlyOperator(s.ResourceManager)
|
||||
authorizers = unionauthorizer.New(pathAuthorizer, rbac.NewRBACAuthorizer(amOperator))
|
||||
|
||||
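Review bot: Dropping "/kapis/version" from excludedPaths on the second excludedPaths line closes only one of two anonymous doors to the same payload: "/version" stays in the list, and the legacy `GET /version` route in the version handler writes the full ksVersion including the Kubernetes version, so an unauthenticated client still obtains everything the commit title says it restricts. If the goal is to stop anonymous disclosure, either drop "/version" here as well and have tryFetchKubeSphereVersion authenticate to /kapis/version, or document on this line why it intentionally stays open, e.g. `// "/version" stays anonymous: the multicluster controller probes it through the service proxy without a KubeSphere token`. It is also worth confirming how path.NewAuthorizer matches — if it is exact-string, the per-check sub-paths that healthz.AddToContainer registers (/healthz/ping, /livez/ping) will require authorization while their parents do not; if it is pattern-based like "/oauth/*", check that no remaining entry still covers the removed path. buildHandlerChain starts and ends outside the hunk.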
@@ -22,7 +22,6 @@ import (
|
||||
"kubesphere.io/kubesphere/pkg/controller/options"
|
||||
"kubesphere.io/kubesphere/pkg/models/composedapp"
|
||||
"kubesphere.io/kubesphere/pkg/models/kubeconfig"
|
||||
"kubesphere.io/kubesphere/pkg/models/ratelimiter"
|
||||
"kubesphere.io/kubesphere/pkg/models/terminal"
|
||||
"kubesphere.io/kubesphere/pkg/multicluster"
|
||||
"kubesphere.io/kubesphere/pkg/simple/client/cache"
|
||||
|
||||
@@ -459,7 +459,7 @@ func (r *Reconciler) tryFetchKubeSphereVersion(ctx context.Context, cluster *clu
|
||||
port = "443"
|
||||
}
|
||||
response, err := clusterClient.KubernetesClient.CoreV1().Services(constants.KubeSphereNamespace).
|
||||
ProxyGet(scheme, constants.KubeSphereAPIServerName, port, "/kapis/version", nil).
|
||||
ProxyGet(scheme, constants.KubeSphereAPIServerName, port, "/version", nil).
|
||||
DoRaw(ctx)
|
||||
if err != nil {
|
||||
return "", err
|
||||
|
||||
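Review bot: The new ProxyGet target "/version" is a silent dependency on that path being listed in the API server's anonymous excludedPaths; nothing at the call site says so, and the next person to tighten that list will break cross-cluster version discovery with only a proxied 401/403 surfacing through the bare `return "", err`. Add a why-comment above the ProxyGet, e.g. `// /version is intentionally unauthenticated; /kapis/version now requires a token, which the bare service proxy does not carry`. Wrapping the error with the target path and cluster identity before returning would also make that failure mode diagnosable from the reconciler log. tryFetchKubeSphereVersion starts and ends outside the hunk.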
@@ -38,7 +38,7 @@ func (h *handler) AddToContainer(container *restful.Container) error {
|
||||
versionFunc := func(request *restful.Request, response *restful.Response) {
|
||||
ksVersion := version.Get()
|
||||
ksVersion.Kubernetes = h.k8sVersionInfo
|
||||
response.WriteAsJson(ksVersion)
|
||||
_ = response.WriteAsJson(ksVersion)
|
||||
}
|
||||
legacy.Route(legacy.GET("/version").
|
||||
To(versionFunc).
|
||||
|
||||
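Review bot: The `_ = response.WriteAsJson(ksVersion)` discard silences the write error with no explanation, which is exactly the kind of blank assignment a later reader treats as a bug. Either justify it inline, `_ = response.WriteAsJson(ksVersion) // best effort: nothing useful to do if the client has gone away`, or log it at a low verbosity so a systematically failing encoder is visible. AddToContainer continues outside the hunk, so the other routes this versionFunc serves are not visible here.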
@@ -21,29 +21,24 @@ import (
|
||||
)
|
||||
|
||||
func AddToContainer(container *restful.Container, path string, checks ...HealthChecker) error {
|
||||
if len(checks) == 0 {
|
||||
klog.V(4).Info("No default health checks specified. Installing the ping handler.")
|
||||
checks = []HealthChecker{PingHealthz}
|
||||
}
|
||||
name := strings.Split(strings.TrimPrefix(path, "/"), "/")[0]
|
||||
container.Handle(path, handleRootHealth(name, nil, checks...))
|
||||
|
||||
for _, check := range checks {
|
||||
container.Handle(fmt.Sprintf("%s/%v", path, check.Name()), adaptCheckToHandler(check))
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func InstallHandler(container *restful.Container, checks ...HealthChecker) error {
|
||||
if len(checks) == 0 {
|
||||
klog.V(4).Info("No default health checks specified. Installing the ping handler.")
|
||||
checks = []HealthChecker{PingHealthz}
|
||||
}
|
||||
return AddToContainer(container, "/healthz", checks...)
|
||||
}
|
||||
|
||||
func InstallLivezHandler(container *restful.Container, checks ...HealthChecker) error {
|
||||
if len(checks) == 0 {
|
||||
klog.V(4).Info("No default health checks specified. Installing the ping handler.")
|
||||
checks = []HealthChecker{PingHealthz}
|
||||
}
|
||||
return AddToContainer(container, "/livez", checks...)
|
||||
}
|
||||
|
||||
|
||||
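Review bot: InstallHandler and InstallLivezHandler each repeat the empty-checks fallback that AddToContainer already applies in its first lines, so the wrappers can collapse to `return AddToContainer(container, "/healthz", checks...)` and `return AddToContainer(container, "/livez", checks...)` with no change in behavior. All three exported functions also lack doc comments, and since both wrappers install only PingHealthz when called without checks (as the API server does), /healthz and /livez are currently indistinguishable — each should state its intended probe semantics, e.g. `// InstallLivezHandler registers /livez and one /livez/<check> route per check; with no checks it reports only that the process is serving HTTP.`. Note too that the per-check sub-paths are registered here while only the root paths appear in the API server's anonymous excludedPaths, so whether /livez/ping is reachable without credentials depends on how path.NewAuthorizer matches — worth confirming.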