DevFW-CICD/ingress-nginx-helm
14
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Remove localhost calls from external names

Browse source 
Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com>
This commit is contained in:
Ricardo Pchevuzinske Katz 2021-04-30 00:24:28 -03:00
parent 22ae0d3848
commit 0dceedfad7
6 changed files with 74 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.github/workflows/ci.yaml vendored
View file

@ -159,7 +159,7 @@ jobs:
strategy: strategy:
matrix: matrix:
k8s: [v1.16.15, v1.17.17, v1.18.19, v1.19.11, v1.20.7, v1.21.0] k8s: [v1.16.15, v1.17.17, v1.18.15, v1.19.7, v1.20.2]
steps: steps:

6
internal/ingress/controller/endpoints.go
View file

@ -50,6 +50,12 @@ func getEndpoints(s *corev1.Service, port *corev1.ServicePort, proto corev1.Prot
// ExternalName services // ExternalName services
if s.Spec.Type == corev1.ServiceTypeExternalName { if s.Spec.Type == corev1.ServiceTypeExternalName {
if ip := net.ParseIP(s.Spec.ExternalName); s.Spec.ExternalName == "localhost" ||
(ip != nil && ip.IsLoopback()) {
klog.Errorf("Invalid attempt to use localhost name %s in %q", s.Spec.ExternalName, svcKey)
return upsServers
}
klog.V(3).Infof("Ingress using Service %q of type ExternalName.", svcKey) klog.V(3).Infof("Ingress using Service %q of type ExternalName.", svcKey)
targetPort := port.TargetPort.IntValue() targetPort := port.TargetPort.IntValue()
// if the externalName is not an IP address we need to validate is a valid FQDN // if the externalName is not an IP address we need to validate is a valid FQDN

48
internal/ingress/controller/endpoints_test.go
View file

@ -78,6 +78,54 @@ func TestGetEndpoints(t *testing.T) {
}, },
[]ingress.Endpoint{}, []ingress.Endpoint{},
}, },
{
"a service type ServiceTypeExternalName service with localhost in name should return 0 endpoint",
&corev1.Service{
Spec: corev1.ServiceSpec{
Type: corev1.ServiceTypeExternalName,
ExternalName: "localhost",
Ports: []corev1.ServicePort{
{
Name: "default",
TargetPort: intstr.FromInt(443),
},
},
},
},
&corev1.ServicePort{
Name: "default",
TargetPort: intstr.FromInt(80),
},
corev1.ProtocolTCP,
func(string) (*corev1.Endpoints, error) {
return &corev1.Endpoints{}, nil
},
[]ingress.Endpoint{},
},
{
"a service type ServiceTypeExternalName service with 127.0.0.1 in name should return 0 endpoint",
&corev1.Service{
Spec: corev1.ServiceSpec{
Type: corev1.ServiceTypeExternalName,
ExternalName: "127.0.0.1",
Ports: []corev1.ServicePort{
{
Name: "default",
TargetPort: intstr.FromInt(443),
},
},
},
},
&corev1.ServicePort{
Name: "default",
TargetPort: intstr.FromInt(80),
},
corev1.ProtocolTCP,
func(string) (*corev1.Endpoints, error) {
return &corev1.Endpoints{}, nil
},
[]ingress.Endpoint{},
},
{ {
"a service type ServiceTypeExternalName with a valid port should return one endpoint", "a service type ServiceTypeExternalName with a valid port should return one endpoint",
&corev1.Service{ &corev1.Service{

8
rootfs/etc/nginx/lua/balancer.lua
View file

@ -35,6 +35,9 @@ local IMPLEMENTATIONS = {
ewma = ewma, ewma = ewma,
} }
local PROHIBITED_LOCALHOST_PORT = configuration.prohibited_localhost_port or '10246'
local PROHIBITED_PEER_PATTERN = "^127.*:" .. PROHIBITED_LOCALHOST_PORT .. "$"
local _M = {} local _M = {}
local balancers = {} local balancers = {}
local backends_with_external_name = {} local backends_with_external_name = {}
@ -317,6 +320,11 @@ function _M.balance()
return return
end end
if peer:match(PROHIBITED_PEER_PATTERN) then
ngx.log(ngx.ERR, "attempted to proxy to self, balancer: ", balancer.name, ", peer: ", peer)
return
end
ngx_balancer.set_more_tries(1) ngx_balancer.set_more_tries(1)
local ok, err = ngx_balancer.set_current_peer(peer) local ok, err = ngx_balancer.set_current_peer(peer)

8
rootfs/etc/nginx/lua/tcp_udp_balancer.lua
View file

@ -25,6 +25,9 @@ local IMPLEMENTATIONS = {
round_robin = round_robin round_robin = round_robin
} }
local PROHIBITED_LOCALHOST_PORT = configuration.prohibited_localhost_port or '10246'
local PROHIBITED_PEER_PATTERN = "^127.*:" .. PROHIBITED_LOCALHOST_PORT .. "$"
local _M = {} local _M = {}
local balancers = {} local balancers = {}
local backends_with_external_name = {} local backends_with_external_name = {}
@ -181,6 +184,11 @@ function _M.balance()
return return
end end
if peer:match(PROHIBITED_PEER_PATTERN) then
ngx.log(ngx.ERR, "attempted to proxy to self, balancer: ", balancer.name, ", peer: ", peer)
return
end
ngx_balancer.set_more_tries(1) ngx_balancer.set_more_tries(1)
local ok, err = ngx_balancer.set_current_peer(peer) local ok, err = ngx_balancer.set_current_peer(peer)

3
rootfs/etc/nginx/template/nginx.tmpl
View file

@ -84,6 +84,7 @@ http {
error("require failed: " .. tostring(res)) error("require failed: " .. tostring(res))
else else
configuration = res configuration = res
configuration.prohibited_localhost_port = '{{ .StatusPort }}'
end end
ok, res = pcall(require, "balancer") ok, res = pcall(require, "balancer")
@ -713,6 +714,8 @@ stream {
error("require failed: " .. tostring(res)) error("require failed: " .. tostring(res))
else else
tcp_udp_configuration = res tcp_udp_configuration = res
tcp_udp_configuration.prohibited_localhost_port = '{{ .StatusPort }}'
end end
ok, res = pcall(require, "tcp_udp_balancer") ok, res = pcall(require, "tcp_udp_balancer")