kubeadm: validate HTTP status when fetching cluster-info over HTTPS

RetrieveValidatedConfigInfo previously read the response body of the
cluster-info HTTP GET unconditionally, then attempted to parse it as a
kubeconfig. A non-200 response (e.g. 404, 5xx, or an HTML error page
from a misconfigured server) would silently flow into clientcmd.Load()
and produce a confusing parse error far from the actual cause.

Match the pattern already used in cmd/kubeadm/app/util/version.go and
return a clear error if the server responds with anything other than
200 OK.
alexmchughdev 2026-05-07 12:13:47 +01:00
parent 43fe7b4250
commit fae25b2bb3

@ -26,11 +26,16 @@ import (
clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
"k8s.io/kubernetes/cmd/kubeadm/app/discovery/file"
"k8s.io/kubernetes/cmd/kubeadm/app/util/errors"
)
// RetrieveValidatedConfigInfo connects to the API Server and makes sure it can talk
// securely to the API Server using the provided CA cert and
// optionally refreshes the cluster-info information from the cluster-info ConfigMap
// RetrieveValidatedConfigInfo downloads a discovery kubeconfig from the given
// HTTPS URL and hands it to file.ValidateConfigInfo for the cluster-info
// ConfigMap validation that completes discovery. The HTTPS connection itself
// is verified only against the host's default TLS trust store; kubeadm does
// not pin to a caller-supplied CA at this stage, so the kubeconfig payload is
// retrieved from an effectively arbitrary location and only becomes trusted
// after file.ValidateConfigInfo succeeds.
func RetrieveValidatedConfigInfo(httpsURL string, discoveryTimeout time.Duration) (*clientcmdapi.Config, error) {
client := &http.Client{Transport: netutil.SetOldTransportDefaults(&http.Transport{})}
response, err := client.Get(httpsURL)
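Review bot: The doc-comment rewrite above RetrieveValidatedConfigInfo is not covered by the commit message, which only describes the status check; mention it there or split it into its own commit. If it stays in this change, the comment should also document the new failure mode (an error is returned for any response other than 200 OK). The phrase "retrieved from an effectively arbitrary location" also sits awkwardly next to the preceding statement that the connection is verified against the host's default TLS trust store: what remains untrusted until file.ValidateConfigInfo succeeds is the kubeconfig payload, not the identity of the server, and wording the comment that way would be more precise.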
@ -39,6 +44,10 @@ func RetrieveValidatedConfigInfo(httpsURL string, discoveryTimeout time.Duration
}
defer response.Body.Close()
if response.StatusCode != http.StatusOK {
return nil, errors.Errorf("error trying to fetch discovery kubeconfig over HTTPS from %s, received status %d", httpsURL, response.StatusCode)
}
kubeconfig, err := io.ReadAll(response.Body)
if err != nil {
return nil, err
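Review bot: The new error at the response.StatusCode check formats httpsURL with %s as supplied, so a discovery URL that carries userinfo or a token in its query string ends up in the returned error and in whatever logs it; consider parsing the URL and printing only scheme and host, or at least url.URL.Redacted(), which masks the password. Printing response.Status rather than the bare %d would also include the reason phrase. Separately, the io.ReadAll that follows the check still reads a 200 body of any size from a server whose payload the doc comment describes as untrusted until validation; wrapping response.Body in an io.LimitReader with a generous cap would bound that.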