Disable proxy to loopback and linklocal #71980
Conversation
k8s-ci-robot
added
release-note
k8s-ci-robot
added
sig/network
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/test pull-kubernetes-e2e-kops-aws |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: lavalamp, micahhausler The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/test pull-kubernetes-e2e-kops-aws |
| {"127.0.0.2", ErrAddressNotAllowed}, | ||
| {"169.254.169.254", ErrAddressNotAllowed}, | ||
| {"169.254.1.1", ErrAddressNotAllowed}, | ||
| {"224.0.0.0", ErrAddressNotAllowed}, |
There was a problem hiding this comment.
it would be helpful to say in the comment why the above CIDR's are not allowed ?
|
|
||
| if err := proxyutil.IsProxyableIP(pod.Status.PodIP); err != nil { | ||
| return nil, nil, errors.NewBadRequest(err.Error()) | ||
| } |
There was a problem hiding this comment.
how can pod.Status.PodIP be not proxyable ? If so , isnt the fix required in CNI or whatever component assigns the Pod IP @kubernetes/sig-network-api-reviews
k8s-ci-robot
added
the
kind/api-change
|
/test pull-kubernetes-e2e-kops-aws |
…#71980-upstream-release-1.13 Automated cherry pick of #71980: Disable proxy to loopback and linklocal
…#71980-upstream-release-1.12 Automated cherry pick of #71980: Disable proxy to loopback and linklocal
…#71980-upstream-release-1.10 Automated cherry pick of #71980: Disable proxy to loopback and linklocal
…#71980-upstream-release-1.11 Automated cherry pick of #71980: Disable proxy to loopback and linklocal
|
is there any genuine reason why the api-server should be proxying to addresses not belonging to the pod cidr or service cidr? Should this just reject addresses not in the pod cidr or service-ip cidr? EDIT: I figured aggregated apis and friends, regardless I believe the apiserver should build up a whitelist that includes the domain names of the aggregated apis, pod-ips and service-ips and use that to make decision and not blacklist a few ip cidrs |
|
@bjhaid Nodes can also be proxied, and their IPs are not know to the API server, except what is self-reported |
Nodes send their ip address when they register to the api-server, so this can make to the whitelist if there's an internal whitelist I am curious what is the use case for proxying nodes? |
What if I register a fake node with a malicious IP address? What about nodes that are in legitimate but
I believe node proxy is mostly for debugging (See list of kubelet endpoints here). In addition to proxy, the API server reaches out to nodes for all kinds of operations (pod proxy, logs, exec, etc). |
I'll love to see this happen, is there some related issue tracking this?
Thanks! |
5 participants
What type of PR is this?
/kind bug
What this PR does / why we need it:
Disable proxy to loopback and linklocal
Special notes for your reviewer:
Does this PR introduce a user-facing change?: