k3s/control at 7fb1797fd3746727a0043433093116e6c138d70b - k3s

Mirror/k3s

mirror of https://github.com/k3s-io/k3s.git synced 2024-06-07 19:41:36 +00:00

History

Euan Kemp 4808c4e7d5 Listen insecurely on localhost only Before this change, k3s configured the scheduler and controller's insecure ports to listen on 0.0.0.0. Those ports include pprof, which provides a DoS vector at the very least. These ports are only enabled for componentstatus checks in the first place, and componentstatus is hardcoded to only do the check on localhost anyway (see https://github.com/kubernetes/kubernetes/blob/v1.18.2/pkg/registry/core/rest/storage_core.go#L341-L344), so there shouldn't be any downside to switching them to listen only on localhost.	2020-08-05 10:28:11 -07:00
..
server.go	Listen insecurely on localhost only	2020-08-05 10:28:11 -07:00
tunnel.go	If tunnel session does not exist fallback to default dialer	2020-01-22 11:04:41 -07:00

Euan Kemp 4808c4e7d5 Listen insecurely on localhost only

Before this change, k3s configured the scheduler and controller's
insecure ports to listen on 0.0.0.0. Those ports include pprof, which
provides a DoS vector at the very least.

These ports are only enabled for componentstatus checks in the first
place, and componentstatus is hardcoded to only do the check on
localhost anyway (see
https://github.com/kubernetes/kubernetes/blob/v1.18.2/pkg/registry/core/rest/storage_core.go#L341-L344),
so there shouldn't be any downside to switching them to listen only on
localhost.

2020-08-05 10:28:11 -07:00

server.go

Listen insecurely on localhost only

2020-08-05 10:28:11 -07:00

tunnel.go

If tunnel session does not exist fallback to default dialer

2020-01-22 11:04:41 -07:00