security: restrict anonymous access to the /kapis/version endpoint (#2107)

Signed-off-by: hongming <coder.scala@gmail.com>
2025-03-19 12:06:43 +08:00
parent a1a6abca4f
commit c438adedeb
6 changed files with 15 additions and 15 deletions
--- a/config/ks-core/templates/ks-apiserver.yaml
+++ b/config/ks-core/templates/ks-apiserver.yaml
@@ -85,7 +85,7 @@ spec:
          livenessProbe:
            failureThreshold: 8
            httpGet:
-              path: /version
+              path: /livez
              port: 9090
            {{- if .Values.internalTLS }}
              scheme: HTTPS
--- a/pkg/apiserver/apiserver.go
+++ b/pkg/apiserver/apiserver.go
@@ -120,6 +120,7 @@ func (s *APIServer) PrepareRun(stopCh <-chan struct{}) error {
 	s.installKubeSphereAPIs()
 	s.installMetricsAPI()
 	s.installHealthz()
+	s.installLivez()
 	if err := s.installOpenAPI(); err != nil {
 		return err
 	}
@@ -198,7 +199,12 @@ func (s *APIServer) installKubeSphereAPIs() {

 // installHealthz creates the healthz endpoint for this server
 func (s *APIServer) installHealthz() {
-	urlruntime.Must(healthz.InstallHandler(s.container, []healthz.HealthChecker{}...))
+	urlruntime.Must(healthz.InstallHandler(s.container))
+}
+
+// installLivez creates the livez endpoint for this server
+func (s *APIServer) installLivez() {
+	urlruntime.Must(healthz.InstallLivezHandler(s.container))
 }

 func (s *APIServer) Run(ctx context.Context) (err error) {
@@ -262,7 +268,7 @@ func (s *APIServer) buildHandlerChain(handler http.Handler, stopCh <-chan struct
 	default:
 		fallthrough
 	case authorization.RBAC:
-		excludedPaths := []string{"/oauth/*", "/dist/*", "/.well-known/openid-configuration", "/kapis/version", "/version", "/metrics", "/healthz", "/openapi/v2", "/openapi/v3"}
+		excludedPaths := []string{"/oauth/*", "/dist/*", "/.well-known/openid-configuration", "/version", "/metrics", "/livez", "/healthz", "/openapi/v2", "/openapi/v3"}
 		pathAuthorizer, _ := path.NewAuthorizer(excludedPaths)
 		amOperator := am.NewReadOnlyOperator(s.ResourceManager)
 		authorizers = unionauthorizer.New(pathAuthorizer, rbac.NewRBACAuthorizer(amOperator))
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -22,7 +22,6 @@ import (
 	"kubesphere.io/kubesphere/pkg/controller/options"
 	"kubesphere.io/kubesphere/pkg/models/composedapp"
 	"kubesphere.io/kubesphere/pkg/models/kubeconfig"
-	"kubesphere.io/kubesphere/pkg/models/ratelimiter"
 	"kubesphere.io/kubesphere/pkg/models/terminal"
 	"kubesphere.io/kubesphere/pkg/multicluster"
 	"kubesphere.io/kubesphere/pkg/simple/client/cache"
--- a/pkg/controller/cluster/cluster_controller.go
+++ b/pkg/controller/cluster/cluster_controller.go
@@ -459,7 +459,7 @@ func (r *Reconciler) tryFetchKubeSphereVersion(ctx context.Context, cluster *clu
 		port = "443"
 	}
 	response, err := clusterClient.KubernetesClient.CoreV1().Services(constants.KubeSphereNamespace).
-		ProxyGet(scheme, constants.KubeSphereAPIServerName, port, "/kapis/version", nil).
+		ProxyGet(scheme, constants.KubeSphereAPIServerName, port, "/version", nil).
 		DoRaw(ctx)
 	if err != nil {
 		return "", err
--- a/pkg/kapis/version/register.go
+++ b/pkg/kapis/version/register.go
@@ -38,7 +38,7 @@ func (h *handler) AddToContainer(container *restful.Container) error {
 	versionFunc := func(request *restful.Request, response *restful.Response) {
 		ksVersion := version.Get()
 		ksVersion.Kubernetes = h.k8sVersionInfo
-		response.WriteAsJson(ksVersion)
+		_ = response.WriteAsJson(ksVersion)
 	}
 	legacy.Route(legacy.GET("/version").
 		To(versionFunc).
--- a/pkg/server/healthz/healthz.go
+++ b/pkg/server/healthz/healthz.go
@@ -21,29 +21,24 @@ import (
 )

 func AddToContainer(container *restful.Container, path string, checks ...HealthChecker) error {
+	if len(checks) == 0 {
+		klog.V(4).Info("No default health checks specified. Installing the ping handler.")
+		checks = []HealthChecker{PingHealthz}
+	}
 	name := strings.Split(strings.TrimPrefix(path, "/"), "/")[0]
 	container.Handle(path, handleRootHealth(name, nil, checks...))

 	for _, check := range checks {
 		container.Handle(fmt.Sprintf("%s/%v", path, check.Name()), adaptCheckToHandler(check))
 	}
-
 	return nil
 }

 func InstallHandler(container *restful.Container, checks ...HealthChecker) error {
-	if len(checks) == 0 {
-		klog.V(4).Info("No default health checks specified. Installing the ping handler.")
-		checks = []HealthChecker{PingHealthz}
-	}
 	return AddToContainer(container, "/healthz", checks...)
 }

 func InstallLivezHandler(container *restful.Container, checks ...HealthChecker) error {
-	if len(checks) == 0 {
-		klog.V(4).Info("No default health checks specified. Installing the ping handler.")
-		checks = []HealthChecker{PingHealthz}
-	}
 	return AddToContainer(container, "/livez", checks...)
 }