From fae25b2bb399cebfbd2fe92ede214f061ce9b257 Mon Sep 17 00:00:00 2001
From: alexmchughdev
Date: Thu, 7 May 2026 12:13:47 +0100
Subject: [PATCH] kubeadm: validate HTTP status when fetching cluster-info over HTTPS
RetrieveValidatedConfigInfo previously read the response body of the cluster-info HTTP GET unconditionally, then attempted to parse it as a kubeconfig. A non-200 response (e.g. 404, 5xx, or an HTML error page from a misconfigured server) would silently flow into clientcmd.Load() and produce a confusing parse error far from the actual cause. Match the pattern already used in cmd/kubeadm/app/util/version.go and return a clear error if the server responds with anything other than 200 OK.
---
 cmd/kubeadm/app/discovery/https/https.go | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/cmd/kubeadm/app/discovery/https/https.go b/cmd/kubeadm/app/discovery/https/https.go
index 18f0a0df211..6c0957f468d 100644
--- a/cmd/kubeadm/app/discovery/https/https.go
+++ b/cmd/kubeadm/app/discovery/https/https.go
@@ -26,11 +26,16 @@ import (
 clientcmdapi "k8s.io/client-go/tools/clientcmd/api"
 "k8s.io/kubernetes/cmd/kubeadm/app/discovery/file"
+ "k8s.io/kubernetes/cmd/kubeadm/app/util/errors"
 )
-// RetrieveValidatedConfigInfo connects to the API Server and makes sure it can talk
-// securely to the API Server using the provided CA cert and
-// optionally refreshes the cluster-info information from the cluster-info ConfigMap
+// RetrieveValidatedConfigInfo downloads a discovery kubeconfig from the given
+// HTTPS URL and hands it to file.ValidateConfigInfo for the cluster-info
+// ConfigMap validation that completes discovery. The HTTPS connection itself
+// is verified only against the host's default TLS trust store; kubeadm does
+// not pin to a caller-supplied CA at this stage, so the kubeconfig payload is
+// retrieved from an effectively arbitrary location and only becomes trusted
+// after file.ValidateConfigInfo succeeds.
 func RetrieveValidatedConfigInfo(httpsURL string, discoveryTimeout time.Duration) (*clientcmdapi.Config, error) {
 client := &http.Client{Transport: netutil.SetOldTransportDefaults(&http.Transport{})}
 response, err := client.Get(httpsURL)
@@ -39,6 +44,10 @@ func RetrieveValidatedConfigInfo(httpsURL string, discoveryTimeout time.Duration
 }
 defer response.Body.Close()
+ if response.StatusCode != http.StatusOK {
+ return nil, errors.Errorf("error trying to fetch discovery kubeconfig over HTTPS from %s, received status %d", httpsURL, response.StatusCode)
+ }
+
 kubeconfig, err := io.ReadAll(response.Body)
 if err != nil {
 return nil, err
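Review bot: The rewritten doc comment does not say what `discoveryTimeout` bounds, and in the visible lines it is not applied to the HTTP fetch: `client := &http.Client{Transport: ...}` sets no `Timeout` and `client.Get(httpsURL)` carries no context, so a server that completes the TLS handshake but never answers stalls discovery indefinitely (the parameter may be used further down, past the hunk). Since the comment now spells out that the endpoint is "effectively arbitrary", a deadline on the request is part of the same trust boundary; one option is `client := &http.Client{Transport: netutil.SetOldTransportDefaults(&http.Transport{}), Timeout: discoveryTimeout}`, if that duration is meant to cover the fetch rather than only the ConfigMap validation. Either way the doc comment should state the intended role of `discoveryTimeout`, e.g. `// discoveryTimeout bounds how long the cluster-info validation may take; the HTTP fetch itself is not bounded by it.` if that is the actual behavior. The body of RetrieveValidatedConfigInfo continues outside this hunk.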
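Review bot: The new status check is correct, but the `io.ReadAll(response.Body)` immediately after it still reads an unbounded body from an endpoint the hunk above describes as unauthenticated at this stage, so a 200 response with a very large payload is buffered in full before `clientcmd.Load` ever sees it. A size cap alongside the new guard keeps the two checks together: `kubeconfig, err := io.ReadAll(io.LimitReader(response.Body, maxDiscoveryKubeconfigBytes))` with `maxDiscoveryKubeconfigBytes` a named constant (value to be chosen by the maintainers). Separately, the new error string interpolates `httpsURL` verbatim; if callers can pass userinfo or query parameters in that URL, those end up in the returned error and any log that prints it, which `(*url.URL).Redacted()` would avoid at the cost of a `net/url` import not present in this hunk. Whether such URLs reach this function is not visible here.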