Limit redirect proxy handling to redirected responses #112526

Merged
merged 1 commit into from Sep 17, 2022

Member

@liggitt liggitt commented Sep 17, 2022

What type of PR is this?

/kind bug
/kind regression

What this PR does / why we need it:

Resolved the regression in #112193 by limiting redirect handling to actually redirected requests.

/cc @enj @deads2k
cc @jindijamie

Which issue(s) this PR fixes:

Fixes #112524

Special notes for your reviewer:

Does this PR introduce a user-facing change?

kube-apiserver: resolved a regression that treated `304 Not Modified` responses from aggregated API servers as internal errors

/sig api-machinery
/priority critical-urgent
/kind bug
/kind regression

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. kind/bug Categorizes issue or PR as related to a bug. kind/regression Categorizes issue or PR as related to a regression from a prior release. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Sep 17, 2022
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@liggitt
Member Author

liggitt commented Sep 17, 2022

/retest

@dims
Member

dims commented Sep 17, 2022

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Sep 17, 2022
@dims
Member

dims commented Sep 17, 2022

LGTM, not doing the usual /lgtm as it's too late on fri and you probably need the other folks you have cc'ed :)

thanks @liggitt

@@ -263,7 +263,7 @@ func (h *UpgradeAwareHandler) ServeHTTP(w http.ResponseWriter, req *http.Request
oldModifyResponse := proxy.ModifyResponse
proxy.ModifyResponse = func(response *http.Response) error {
code := response.StatusCode
if code >= 300 && code <= 399 {
if code >= 300 && code <= 399 && len(response.Header.Get("Location")) > 0 {
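
Review bot: the new `len(response.Header.Get("Location")) > 0` clause on the `code >= 300 && code <= 399` check carries no comment explaining why a 3xx without a Location is now passed through, so a later reader could take it for a loosened check rather than the fix for `304 Not Modified`. Suggest a one-line comment above the condition saying that only responses naming a redirect target are rejected, and writing the test as `response.Header.Get("Location") != ""`, the more usual Go form. A unit case for a 3xx with an explicitly empty Location would also pin down the behaviour, since `Get` returns "" for both an unset and an empty header.
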
Member

What does a client do if it gets a location header that is actually set to empty string?

Member

304 according to the test case :)

https://pkg.go.dev/net/http#Header.Get

Get gets the first value associated with the given key. If there are no values associated with the key, Get returns "".

Same as if it was unset.

Member Author

I would be comfortable assuming all reasonable clients don't pick arbitrary other hostile URLs to redirect to :)
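
The behaviour discussed in this review thread, as an added example that is not part of the PR or of the Kubernetes code base: a `httputil.ReverseProxy` whose `ModifyResponse` applies the patched condition to constructed backend responses. The names `fakeBackend` and `statusThroughProxy`, the error text, and the mapping of a rejected response to a 500 are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
)

// rejectRedirects applies the patched condition: refuse only a 3xx that names a target.
func rejectRedirects(resp *http.Response) error {
	code := resp.StatusCode
	if code >= 300 && code <= 399 && len(resp.Header.Get("Location")) > 0 {
		return errors.New("backend redirect rejected") // constructed message
	}
	return nil
}

// fakeBackend stands in for an aggregated API server (constructed; no network is used).
type fakeBackend struct {
	status int
	header http.Header
}

func (b fakeBackend) RoundTrip(*http.Request) (*http.Response, error) {
	return &http.Response{StatusCode: b.status, Header: b.header, Body: http.NoBody}, nil
}

// statusThroughProxy returns the status a client sees for the given backend response.
// With no locations the Location key has no values, which Get reports as "".
func statusThroughProxy(status int, locations ...string) int {
	proxy := &httputil.ReverseProxy{
		Director:       func(*http.Request) {}, // request rewriting is not the point here
		Transport:      fakeBackend{status, http.Header{"Location": locations}},
		ModifyResponse: rejectRedirects,
		ErrorHandler: func(w http.ResponseWriter, _ *http.Request, _ error) {
			w.WriteHeader(http.StatusInternalServerError) // surfaced as an internal error
		},
	}
	rec := httptest.NewRecorder()
	proxy.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/apis", nil))
	return rec.Code
}

func main() {
	fmt.Println(statusThroughProxy(304), statusThroughProxy(302, "https://backend.invalid/"), statusThroughProxy(302, ""))
}
```

Dropping the `Location` clause from `rejectRedirects` reproduces the regression: the 304 case then comes back as 500.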

@enj
Member

enj commented Sep 17, 2022

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 17, 2022
@enj
Member

enj commented Sep 17, 2022

We should update the integration test in a separate PR :)

@k8s-ci-robot k8s-ci-robot merged commit 4ff1369 into kubernetes:master Sep 17, 2022
@k8s-ci-robot k8s-ci-robot added this to the v1.26 milestone Sep 17, 2022
k8s-ci-robot added a commit that referenced this pull request Sep 19, 2022
…526-upstream-release-1.22

Automated cherry pick of #112526: Limit redirect proxy handling to redirected responses
k8s-ci-robot added a commit that referenced this pull request Sep 19, 2022
…526-upstream-release-1.24

Automated cherry pick of #112526: Limit redirect proxy handling to redirected responses
k8s-ci-robot added a commit that referenced this pull request Sep 19, 2022
…526-upstream-release-1.25

Automated cherry pick of #112526: Limit redirect proxy handling to redirected responses
k8s-ci-robot added a commit that referenced this pull request Sep 19, 2022
…526-upstream-release-1.23

Automated cherry pick of #112526: Limit redirect proxy handling to redirected responses
@liggitt liggitt deleted the redirect branch November 26, 2022 22:51
Successfully merging this pull request may close these issues.

apiserver aggregation redirect rejection incorrectly fails on 304 Not Modified responses