Skip to content

Handle error responses from backends #71412

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
k8s-ci-robot merged 1 commit into from
Nov 26, 2018
Merged

Handle error responses from backends #71412

k8s-ci-robot merged 1 commit into from
Nov 26, 2018
+37 −0

Conversation

@liggitt
Copy link
Member

@liggitt liggitt commented Nov 26, 2018

What type of PR is this?
/kind bug

What this PR does / why we need it:
Handles error responses from backends

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #71411

Does this PR introduce a user-facing change?:

Fixes an issue with stuck connections handling error responses

/sig api-machinery
/cc sttts

@k8s-ci-robot k8s-ci-robot requested a review from sttts November 26, 2018 11:09
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/bug Categorizes issue or PR as related to a bug. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Nov 26, 2018
@liggitt liggitt added this to the v1.13 milestone Nov 26, 2018
@liggitt liggitt added priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. and removed needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Nov 26, 2018
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Nov 26, 2018

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 26, 2018
@liggitt liggitt changed the title Handles error responses from backends Handle error responses from backends Nov 26, 2018
This was referenced Nov 26, 2018
Merged
Merged
Merged
@liggitt
Copy link
Member Author

liggitt commented Nov 26, 2018

/retest

@sttts
Copy link
Contributor

sttts commented Nov 26, 2018

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 26, 2018
@k8s-ci-robot k8s-ci-robot merged commit 2257c1e into kubernetes:master Nov 26, 2018
k8s-ci-robot added a commit that referenced this pull request Nov 26, 2018
@k8s-ci-robot
Merge pull request #71414 from liggitt/backend-error-1.11
753b2db 
Cherry pick of #71412: Handle error responses from backends
k8s-ci-robot added a commit that referenced this pull request Nov 26, 2018
@k8s-ci-robot
Merge pull request #71415 from liggitt/backend-error-1.10
637c7e2 
Cherry pick of #71412: Handle error responses from backends
k8s-ci-robot added a commit that referenced this pull request Nov 26, 2018
@k8s-ci-robot
Merge pull request #71413 from liggitt/backend-error-1.12
435f92c 
Cherry pick of #71412: Handle error responses from backends
@liggitt liggitt deleted the backend-error branch November 26, 2018 14:14
@jennybuckley
Copy link

jennybuckley commented Nov 26, 2018

/cc @wenjiaswe

@tossmilestone
Copy link
Contributor

tossmilestone commented Dec 4, 2018

@liggitt Can I cherry-pick your change to our 1.9.x k8s to fix the issue?

@liggitt
Copy link
Member Author

liggitt commented Dec 4, 2018
edited
Loading

The 1.10 commit (#71415) would be a better one to pick to 1.9, just to avoid file drift issues (the change itself is fundamentally the same)

@cizixs
Copy link

cizixs commented Dec 4, 2018

@liggitt Why does this MR fixes #71411.

Seems to me this only handles connection upgrade error. And only the connection is established, client can still send any request skipping authorization.

@dims dims mentioned this pull request Dec 5, 2018
Closed
@pdhung
Copy link

pdhung commented Dec 5, 2018
edited
Loading

cizisx:
@liggitt Why does this MR fixes #71411.

Seems to me this only handles connection upgrade error. And only the connection is established, client can still send any request skipping authorization.

As far as I understand, in the buggy version, the connection upgrade error was not handled correctly when it happens, and the backend connection is left open, which leaves subsequent request to pass through to kubelet unchecked/unauthorized. Since API server authenticates to kubelet as cluster-admin, it allows attacker to run any API on kubelet.
This PR rectifies the problem by closing the backend connection.

waynr pushed a commit to rcbops/kubernetes that referenced this pull request Dec 5, 2018
@k8s-ci-robot @waynr
Merge pull request kubernetes#71415 from liggitt/backend-error-1.10
1c078b8 
Cherry pick of kubernetes#71412: Handle error responses from backends
waynr pushed a commit to rcbops/kubernetes that referenced this pull request Dec 5, 2018
@k8s-ci-robot @waynr
Merge pull request kubernetes#71415 from liggitt/backend-error-1.10
cb74b4f 
Cherry pick of kubernetes#71412: Handle error responses from backends
@hoshsadiq hoshsadiq mentioned this pull request Dec 6, 2018
Closed
@moonek
Copy link
Contributor

moonek commented Dec 10, 2018

We noticed that this change only applies to the following releases.
v1.10.11
v1.11.5
v1.12.3
v1.13.0-rc.1

Our old environment is using k8s 1.8.4.
We are considering an upgrade k8s version, but it takes time.
So I want to hotfix this commit until then.

Does the k8s 1.8.4 source rebuild solve #71411 vulnerability by only reflecting this commit?

When checked with the test utility below, it appears to be resolved.
https://github.com/gravitational/cve-2018-1002105

@liggitt
Copy link
Member Author

liggitt commented Dec 11, 2018

@moonek yes, this commit addresses #71411

@cheftako cheftako mentioned this pull request Dec 28, 2018
Closed
@liggitt liggitt mentioned this pull request Sep 11, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sttts sttts Awaiting requested review from sttts

@wenjiaswe wenjiaswe Awaiting requested review from wenjiaswe

Assignees

@sttts sttts

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

Projects

None yet

Milestone

v1.13

Development

Successfully merging this pull request may close these issues.

CVE-2018-1002105: proxy request handling in kube-apiserver can leave vulnerable TCP connections

9 participants

@liggitt @k8s-ci-robot @sttts @jennybuckley @tossmilestone @cizixs @pdhung @moonek @mgalgs