Thanks to visit codestin.com
Credit goes to github.com

Skip to content

ClientConfig should not default to http://localhost:8080#30808

Merged
k8s-github-robot merged 1 commit into
kubernetes:masterfrom
smarterclayton:no_defaults
Aug 30, 2016
Merged

ClientConfig should not default to http://localhost:8080#30808
k8s-github-robot merged 1 commit into
kubernetes:masterfrom
smarterclayton:no_defaults

Conversation

@smarterclayton
Copy link
Copy Markdown
Contributor

@smarterclayton smarterclayton commented Aug 17, 2016
edited
Loading

This changes clientcmd to skip the default cluster, but preserves the
behavior in kubectl. This prevents the possibility of an administrator
misconfiguration in kubelet or other server component from allowing a
third party who can bind to 8080 on that host from potentially
impersonating an API server and gaining root access.

@mikedanese @deads2k this removes the defaulting of http://localhost:8080 for server from everything except kubectl.

This change is Reviewable

Kubernetes server components using `kubeconfig` files no longer default to `http://localhost:8080`.  Administrators must specify a server value in their kubeconfig files.

@deads2k
Copy link
Copy Markdown
Contributor

deads2k commented Aug 17, 2016

lgtm

@k8s-github-robot k8s-github-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. release-note-label-needed labels Aug 17, 2016
@smarterclayton smarterclayton added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-label-needed labels Aug 17, 2016
@smarterclayton
Copy link
Copy Markdown
Contributor Author

smarterclayton commented Aug 17, 2016

Added a release note.

@mikedanese
Copy link
Copy Markdown
Member

mikedanese commented Aug 17, 2016

@kubernetes/sig-api-machinery

@smarterclayton
Copy link
Copy Markdown
Contributor Author

smarterclayton commented Aug 18, 2016

Any other comments on top of David's review?

@lavalamp
Copy link
Copy Markdown
Contributor

lavalamp commented Aug 18, 2016

none from me.

@mikedanese
Copy link
Copy Markdown
Member

mikedanese commented Aug 18, 2016

lgtm

@mikedanese mikedanese added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 18, 2016
@smarterclayton smarterclayton added the priority/awaiting-more-evidence Lowest priority. Possibly useful, but not yet enough support to actually get it done. label Aug 20, 2016
@smarterclayton smarterclayton added this to the v1.4 milestone Aug 20, 2016
@mikedanese
Copy link
Copy Markdown
Member

mikedanese commented Aug 25, 2016

@k8s-bot ok to test, issue: #IGNORE

@k8s-github-robot k8s-github-robot mentioned this pull request Aug 25, 2016
Closed
@k8s-bot
Copy link
Copy Markdown

k8s-bot commented Aug 29, 2016

Can one of the admins verify that this patch is reasonable to test? If so, please reply "ok to test".
(Note: "add to whitelist" is no longer supported. Please update configurations in kubernetes/test-infra/jenkins/job-configs/kubernetes-jenkins-pull instead.)

This message will repeat several times in short succession due to jenkinsci/ghprb-plugin#292. Sorry.

@mikedanese
Copy link
Copy Markdown
Member

mikedanese commented Aug 30, 2016

@smarterclayton looks like this is breaking a test. Might want to take a look if you want this in v1.4

@smarterclayton
Copy link
Copy Markdown
Contributor Author

smarterclayton commented Aug 30, 2016

Ah, new code added. Will fix.

@smarterclayton smarterclayton mentioned this pull request Aug 30, 2016
Closed
@smarterclayton
ClientConfig should not default to http://localhost:8080
06cbb29 
This changes clientcmd to skip the default cluster, but preserves the
behavior in kubectl. This prevents the possibility of an administrator
misconfiguration in kubelet or other server component from allowing a
third party who can bind to 8080 on that host from potentially
impersonating an API server and gaining root access.
@k8s-github-robot k8s-github-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 30, 2016
@smarterclayton
Copy link
Copy Markdown
Contributor Author

smarterclayton commented Aug 30, 2016

@k8s-bot test this issue #31706

@k8s-bot
Copy link
Copy Markdown

k8s-bot commented Aug 30, 2016

GCE e2e build/test passed for commit 06cbb29.

@smarterclayton
Copy link
Copy Markdown
Contributor Author

smarterclayton commented Aug 30, 2016

Fixed the new test the same way, reapplying label

@smarterclayton smarterclayton added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 30, 2016
@k8s-github-robot
Copy link
Copy Markdown

k8s-github-robot commented Aug 30, 2016

@k8s-bot test this [submit-queue is verifying that this PR is safe to merge]

@k8s-bot
Copy link
Copy Markdown

k8s-bot commented Aug 30, 2016

GCE e2e build/test passed for commit 06cbb29.

@k8s-github-robot
Copy link
Copy Markdown

k8s-github-robot commented Aug 30, 2016

Automatic merge from submit-queue

@k8s-github-robot k8s-github-robot merged commit be859b1 into kubernetes:master Aug 30, 2016
@caesarxuchao caesarxuchao mentioned this pull request Sep 20, 2016
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@deads2k deads2k

Labels

area/security lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/awaiting-more-evidence Lowest priority. Possibly useful, but not yet enough support to actually get it done. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

Projects

None yet

Milestone

v1.4

Development

Successfully merging this pull request may close these issues.

8 participants

@smarterclayton @deads2k @mikedanese @lavalamp @k8s-bot @k8s-github-robot @caesarxuchao @googlebot