argoproj / argo-events

Event-driven Automation Framework for Kubernetes
https://argoproj.github.io/argo-events/
Apache License 2.0

Argo Events Kubernetes Admission Webhook Denial of Service #3077

Closed whynowy closed 5 months ago

whynowy commented 7 months ago

Describe the bug: Send a large, crafted request and make the webhook crash due to OOMKill.

To replicate, please deploy Argo Events with the validating admission webhook. Then, port-forward to it:

kubectl port-forward svc/events-webhook 6443:443 -n argo-events

Then, run the PoC:

https://gist.github.com/jake-ciolek/9c86868cf71423a6b4cb6ff592181f51

via:

go run .

The webhook pod will crash after reading too much data. The workaround would be to implement its server with a LimitReader.

Thank you, Jakub Ciolek


Message from the maintainers:

If you wish to see this enhancement implemented please add a 👍 reaction to this issue! We often sort issues this way to know what to prioritize.
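A bounded-read webhook handler of the kind the report suggests, written as an added example in Go (this is not argo-events' own webhook code). The 1 MiB cap, the handler shape and the /validate path are assumptions for illustration; the in-process request in serveAdmission is constructed so the behaviour can be checked without a cluster.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Illustrative cap assumed for this example, not a value from argo-events;
// AdmissionReview payloads are normally a few KiB, so 1 MiB leaves headroom.
const maxAdmissionBody int64 = 1 << 20

// readBoundedBody asks the LimitReader for one byte beyond the limit: if that
// byte arrives the body is too large and is rejected before the rest is buffered.
func readBoundedBody(r io.Reader, limit int64) ([]byte, error) {
	body, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(body)) > limit {
		return nil, fmt.Errorf("request body exceeds %d bytes", limit)
	}
	return body, nil
}

// admitHandler is a minimal stand-in for a validating webhook endpoint.
func admitHandler(w http.ResponseWriter, r *http.Request) {
	body, err := readBoundedBody(r.Body, maxAdmissionBody)
	if err != nil {
		// 413: the payload is refused while the webhook process stays up.
		http.Error(w, err.Error(), http.StatusRequestEntityTooLarge)
		return
	}
	// A real webhook would json-decode an AdmissionReview here.
	fmt.Fprintf(w, "accepted %d bytes\n", len(body))
}

// serveAdmission POSTs a constructed body of bodySize bytes in-process and returns the status code.
func serveAdmission(bodySize int) int {
	req := httptest.NewRequest(http.MethodPost, "/validate", strings.NewReader(strings.Repeat("x", bodySize)))
	rec := httptest.NewRecorder()
	admitHandler(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(serveAdmission(512), serveAdmission(2<<20)) // 200 413
}
```

The same effect can be had with net/http's MaxBytesReader, which additionally closes the connection once the limit is hit.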

github-actions[bot] commented 5 months ago

This issue has been automatically marked as stale because it has not had any activity in the last 60 days. It will be closed if no further activity occurs. Thank you for your contributions.