Skip to content

Hardening URL Construction and IPv6 Support#1198

Merged
courageJ merged 1 commit into
GoogleCloudPlatform:masterfrom
courageJ:harden-url-construction-clean
May 26, 2026
Merged

Hardening URL Construction and IPv6 Support#1198
courageJ merged 1 commit into
GoogleCloudPlatform:masterfrom
courageJ:harden-url-construction-clean

Conversation

@courageJ

@courageJ courageJ commented May 20, 2026

Copy link
Copy Markdown
Contributor

Hardens URL construction for Kubelet and Controller manager metrics endpoints by replacing string interpolation with net.JoinHostPort. This ensures correct handling of IPv6 addresses (bracketing) and improves overall robustness.

Changes:

  • controller/client.go: Use net.JoinHostPort for robust /metrics endpoint construction.
  • kubelet/client.go: Use net.JoinHostPort for robust /stats/summary endpoint construction.
  • controller/client_test.go: Added unit tests for NewClient (v4, v6, hostname).
  • kubelet/client_test.go: Added unit tests for NewClient (HTTP/S, v4/v6).

Testing:

  • All new tests passed for both packages.
  • Verified correct bracketing for IPv6 in both clients via unit tests.

@courageJ courageJ requested review from JeffLuoo and erain May 20, 2026 18:08
erain
erain requested changes May 25, 2026
View reviewed changes

@erain erain left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This fixes raw IPv6 literals, but it regresses the bracketed IPv6 form that users would have needed as the existing workaround, for example --kubelet-host=[2001:db8::1]. Passing that value to net.JoinHostPort double-brackets the host, producing an invalid URL. Since this flag is user-provided and the old implementation accepted bracketed IPv6, the hardening should normalize that input before joining.

Please strip one surrounding IPv6 bracket pair before calling net.JoinHostPort or add a small host-normalization helper used by both clients. Add tests for bracketed IPv6 hosts in both monitor/controller and monitor/kubelet so this does not regress again.

PROMPT for coding agent: Fix PR #1198 by adding shared host normalization for NewClient URL construction. It should accept raw IPv6, already-bracketed IPv6, IPv4, and hostnames, then call net.JoinHostPort with the normalized host. Update controller and kubelet client tests to cover bracketed IPv6 in addition to the existing raw IPv6 cases.

courageJ added a commit to courageJ/k8s-stackdriver that referenced this pull request May 25, 2026
@courageJ
Address PR GoogleCloudPlatform#1198 comments: add host normalization …
cf8a40d 
…for IPv6

- Implement NormalizeHost to strip brackets from IPv6 addresses.
- Use NormalizeHost in controller and kubelet clients.
- Add unit tests for normalization and regression tests for clients.

#gkepathfinder

PROD_RISK=low
courageJ added a commit to courageJ/k8s-stackdriver that referenced this pull request May 25, 2026
@courageJ
Address PR GoogleCloudPlatform#1198 comments: add host normalization …
5674770 
…for IPv6

- Implement NormalizeHost to strip brackets from IPv6 addresses.
- Use NormalizeHost in controller and kubelet clients.
- Add unit tests for normalization and regression tests for clients.
@courageJ courageJ force-pushed the harden-url-construction-clean branch from 594ea24 to a911912 Compare May 25, 2026 17:17
erain
erain approved these changes May 25, 2026
View reviewed changes

@erain erain left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Re-reviewed the updated URL construction change. NormalizeHost now handles already-bracketed IPv6 before net.JoinHostPort, and the controller/kubelet tests cover raw and bracketed IPv6 cases. Ran go test ./monitor/controller ./monitor/kubelet ./monitor/util from kubelet-to-gcm on the PR head. Looks good.

@courageJ courageJ force-pushed the harden-url-construction-clean branch from a911912 to 5a0f739 Compare May 26, 2026 12:28
@courageJ courageJ force-pushed the harden-url-construction-clean branch from 7b7e7a6 to 2cef1d1 Compare May 26, 2026 14:22
@courageJ courageJ merged commit 37b221a into GoogleCloudPlatform:master May 26, 2026
18 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@erain erain erain approved these changes

@JeffLuoo JeffLuoo Awaiting requested review from JeffLuoo

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@courageJ @erain