From 970eb5e7842351283b707e4230f6500d1c3a4ebc Mon Sep 17 00:00:00 2001
From: Rhea Ghosh
Date: Wed, 1 Nov 2023 13:15:57 -0500
Subject: [PATCH] cmd/k8s-operator: sanitize connection headers (#10063)

Fixes tailscale/corp#15526

Signed-off-by: Rhea Ghosh
---
 cmd/k8s-operator/proxy.go | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/cmd/k8s-operator/proxy.go b/cmd/k8s-operator/proxy.go
index 4ece359c4..ec1027e09 100644
--- a/cmd/k8s-operator/proxy.go
+++ b/cmd/k8s-operator/proxy.go
@@ -166,10 +166,11 @@ func runAPIServerProxy(s *tsnet.Server, rt http.RoundTripper, logf logger.Logf,
 		logf: logf,
 		lc:   lc,
 		rp: &httputil.ReverseProxy{
-			Director: func(r *http.Request) {
+			Rewrite: func(r *httputil.ProxyRequest) {
 				// Replace the URL with the Kubernetes APIServer.
-				r.URL.Scheme = u.Scheme
-				r.URL.Host = u.Host
+
+				r.Out.URL.Scheme = u.Scheme
+				r.Out.URL.Host = u.Host
 				if mode == apiserverProxyModeNoAuth {
 					// If we are not providing authentication, then we are just
 					// proxying to the Kubernetes API, so we don't need to do
@@ -184,18 +185,18 @@ func runAPIServerProxy(s *tsnet.Server, rt http.RoundTripper, logf logger.Logf,
 
 				// Out of paranoia, remove all authentication headers that might
 				// have been set by the client.
-				r.Header.Del("Authorization")
-				r.Header.Del("Impersonate-Group")
-				r.Header.Del("Impersonate-User")
-				r.Header.Del("Impersonate-Uid")
-				for k := range r.Header {
+				r.Out.Header.Del("Authorization")
+				r.Out.Header.Del("Impersonate-Group")
+				r.Out.Header.Del("Impersonate-User")
+				r.Out.Header.Del("Impersonate-Uid")
+				for k := range r.Out.Header {
 					if strings.HasPrefix(k, "Impersonate-Extra-") {
-						r.Header.Del(k)
+						r.Out.Header.Del(k)
 					}
 				}
 
 				// Now add the impersonation headers that we want.
-				if err := addImpersonationHeaders(r); err != nil {
+				if err := addImpersonationHeaders(r.Out); err != nil {
 					panic("failed to add impersonation headers: " + err.Error())
 				}
 			},
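Review bot: Switching to Rewrite silently stops forwarding the client address: httputil deletes the inbound Forwarded/X-Forwarded-* headers from r.Out before calling Rewrite and, unlike Director mode, does not append the peer IP to X-Forwarded-For, so nothing reaches the API server unless the callback calls `r.SetXForwarded()` after setting the URL. Whether that matters depends on whether anything downstream (API-server audit source IPs, for instance) relied on the header; if it did, add the call — with the inbound header already stripped it sets only the tailnet peer address taken from r.In.RemoteAddr, which is the trustworthy value here. The Director→Rewrite change also deserves a comment because its reason is security-relevant and not visible in the code: with Director, hop-by-hop headers (including any header the client listed in its own Connection header) were removed after Director ran, so a client could have the proxy's own impersonation headers dropped, whereas Rewrite runs after that stripping. Suggested line above `Rewrite: func(r *httputil.ProxyRequest) {`: `// Rewrite, not Director: hop-by-hop headers (including any the client names in Connection) are stripped from r.Out before this runs, so headers we add here cannot be removed by the client.` runAPIServerProxy and the enclosing struct literal start before this hunk and continue past it.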
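Review bot: The retained comment `// Out of paranoia, remove all authentication headers that might have been set by the client.` now understates why the `r.Out.Header.Del(...)` lines exist: r.Out starts as a clone of the inbound request, so without these deletions a client's own Authorization or Impersonate-* headers would be sent to the API server alongside the ones this proxy adds. Suggest rewording it to `// r.Out is a clone of the client request: drop any credential or impersonation headers it carried so only the ones we set below reach the API server.`. The `strings.HasPrefix(k, "Impersonate-Extra-")` match is case-sensitive, which is only correct because net/http canonicalises inbound header keys and the clone preserves that; a short comment on that line, `// keys are canonical (e.g. Impersonate-Extra-Foo), so a case-sensitive prefix check is sufficient`, would stop a future maintainer from weakening or "fixing" it. The enclosing runAPIServerProxy continues past the hunk's closing `},`.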