kube-rbac-proxy segfaults when no client-ca is configured but client-cert auth is attempted #131

Closed
stlaz opened this issue Jul 15, 2021 · 1 comment · Fixed by #132
stlaz commented Jul 15, 2021

When a 3rd party attempts to use client-certificate authentication, kube-rbac-proxy will panic if it does not have any client CAs configured.

The observed panic:

goroutine 7 [running]:
net/http.(*conn).serve.func1(0xc00041e000)
	/usr/lib/golang/src/net/http/server.go:1824 +0x153
panic(0x1585460, 0x22749a0)
	/usr/lib/golang/src/runtime/panic.go:971 +0x499
k8s.io/apiserver/pkg/server/dynamiccertificates.(*DynamicFileCAContent).VerifyOptions(0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
	/go/src/github.com/brancz/kube-rbac-proxy/vendor/k8s.io/apiserver/pkg/server/dynamiccertificates/dynamic_cafile_content.go:220 +0x58
k8s.io/apiserver/pkg/authentication/request/x509.(*Authenticator).AuthenticateRequest(0xc000504738, 0xc00042c200, 0xa65, 0x418b00, 0x0, 0x0)
	/go/src/github.com/brancz/kube-rbac-proxy/vendor/k8s.io/apiserver/pkg/authentication/request/x509/x509.go:116 +0x87
k8s.io/apiserver/pkg/authentication/request/union.(*unionAuthRequestHandler).AuthenticateRequest(0xc00004bb60, 0xc00042c200, 0x414688, 0xc0000197c8, 0x249a006a, 0x31b6d74a11797403)
	/go/src/github.com/brancz/kube-rbac-proxy/vendor/k8s.io/apiserver/pkg/authentication/request/union/union.go:56 +0xa8
k8s.io/apiserver/pkg/authentication/group.(*AuthenticatedGroupAdder).AuthenticateRequest(0xc000631e80, 0xc00042c200, 0xc0000198e8, 0x14, 0x20, 0x1)
	/go/src/github.com/brancz/kube-rbac-proxy/vendor/k8s.io/apiserver/pkg/authentication/group/authenticated_group_adder.go:40 +0x55
github.com/brancz/kube-rbac-proxy/pkg/authn.(*DelegatingAuthenticator).AuthenticateRequest(0xc000504750, 0xc00042c200, 0xc0000198e8, 0xc0000198fb, 0xc0000198c0, 0xc0000198d0)
	/go/src/github.com/brancz/kube-rbac-proxy/pkg/authn/delegating.go:69 +0x3e
github.com/brancz/kube-rbac-proxy/pkg/proxy.(*kubeRBACProxy).Handle(0xc000115780, 0x192dbb0, 0xc0005362a0, 0xc00042c200, 0x17ec5b8)
	/go/src/github.com/brancz/kube-rbac-proxy/pkg/proxy/proxy.go:71 +0xa3
main.main.func1(0x192dbb0, 0xc0005362a0, 0xc00042c200)
	/go/src/github.com/brancz/kube-rbac-proxy/main.go:250 +0x132
net/http.HandlerFunc.ServeHTTP(0xc00004bbe0, 0x192dbb0, 0xc0005362a0, 0xc00042c200)
	/usr/lib/golang/src/net/http/server.go:2069 +0x44
net/http.(*ServeMux).ServeHTTP(0xc0001157c0, 0x192dbb0, 0xc0005362a0, 0xc00042c200)
	/usr/lib/golang/src/net/http/server.go:2448 +0x1ad
net/http.serverHandler.ServeHTTP(0xc0005369a0, 0x192dbb0, 0xc0005362a0, 0xc00042c200)
	/usr/lib/golang/src/net/http/server.go:2887 +0xa3
net/http.(*conn).serve(0xc00041e000, 0x1930020, 0xc000474d00)
	/usr/lib/golang/src/net/http/server.go:1952 +0x8cd
created by net/http.(*Server).Serve
	/usr/lib/golang/src/net/http/server.go:3013 +0x39b
2021/07/14 10:05:45 http: panic serving 10.128.2.12:51994: runtime error: invalid memory address or nil pointer dereference
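
A simplified model of the failure reported above, as an added example that is not kube-rbac-proxy or k8s.io/apiserver code: a method that reads its receiver is reached through an authenticator that was built without a CA, which matches the 0x0 receiver passed to VerifyOptions in the trace. The types caContent and certAuthenticator and the functions loadCA, newUnguarded and newGuarded are hypothetical, and wiring the authenticator only when a CA exists is one possible guard, not necessarily the change made in #132.

```go
package main

import (
	"crypto/x509"
	"fmt"
)

// caContent: hypothetical stand-in for a file-backed client CA bundle.
type caContent struct{ pool *x509.CertPool }

// VerifyOptions reads a receiver field, so a nil *caContent panics here.
func (c *caContent) VerifyOptions() x509.VerifyOptions {
	return x509.VerifyOptions{Roots: c.pool}
}

// loadCA models "no client CA configured" as nil (assumption); no file is read.
func loadCA(path string) *caContent {
	if path == "" {
		return nil
	}
	return &caContent{pool: x509.NewCertPool()}
}

type certAuthenticator struct{ ca *caContent }

// authenticate models a client-cert request; recover turns the panic into an error.
func (a *certAuthenticator) authenticate() (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("recovered: %v", r)
		}
	}()
	_ = a.ca.VerifyOptions()
	return nil
}

// newUnguarded always wires the authenticator, even when the CA is nil.
func newUnguarded(caPath string) *certAuthenticator {
	return &certAuthenticator{ca: loadCA(caPath)}
}

// newGuarded wires it only when a CA exists; nil means cert auth is off.
func newGuarded(caPath string) *certAuthenticator {
	if ca := loadCA(caPath); ca != nil {
		return &certAuthenticator{ca: ca}
	}
	return nil
}
func main() { fmt.Println(newUnguarded("").authenticate(), newGuarded("") == nil) }
```

With the guard, a caller that gets nil back simply leaves certificate authentication out of its authenticator chain, so a presented client certificate is never handed to code that expects a CA.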
@simonpasquier

Good catch! I came to the same conclusion while investigating the failures but you were faster :)
