[WIP] KEP: make RESTClient not to follow redirects by default

[knight42]

Signed-off-by: knight42 anonymousknight96@gmail.com

Motivation: kubernetes/kubernetes#93129

Fixes: #1906

Rendered

/cc @liggitt

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: knight42
To complete the pull request process, please assign lavalamp
You can assign the PR to them by writing /assign @lavalamp in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• keps/sig-api-machinery/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

@knight42: The following test failed, say /retest to rerun all failed tests:

Test name	Commit	Details	Rerun command
pull-enhancements-verify	76571eb	link	/test pull-enhancements-verify

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[pwittrock]

Would the linked example of the type of vulnerability this is trying to prevent have been mitigated by preventing redirects in the apiserver outgoing request, but continuing to follow them in the kubectl client?

We could also expose this as an option in the kubeconfig rather than providing it as a flag.

[pwittrock]

Could this be a list of regular expressions of URI's it will follow. For example the client may expect redirects for a set of hosts, but not arbitrary redirects to the public internet.

[pwittrock]

We could rollout this out as "deprecating redirect following" -- e.g. start with logging warnings to stderr in cases that would begin to fail in a future release, and make it opt-in. Then in a subsequent release make it opt-out. This way folks will have some indication that things will start to fail for them and be able to take action ahead of time.

[pwittrock]

Have we seen examples that are not apiserver -> kubelet requests? We could start by disabling redirects for requests made by the apiserver rather than for all clients, or disabling redirects for requests made to the kubelet endpoints that are result in exploits.

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[fejta-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

[fejta-bot]

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-contributor-experience at kubernetes/community.
/close

[k8s-ci-robot]

@fejta-bot: Closed this PR.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-contributor-experience at kubernetes/community.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.