Enforce response body limits in kubelet-to-gcm#1201
9e09848 to d0d9650
erain left a comment
The implementation caps allocation, but it does not actually enforce the response-size limit. io.LimitReader returns EOF after maxResponseBodySize, so callers cannot tell whether the server sent exactly the allowed size or much more. That can silently accept truncated GCE metadata and can silently drop controller metrics if the first limited chunk is parseable.
Please read at most maxResponseBodySize+1 bytes or use an io.LimitedReader and explicitly return an error when the body exceeds the configured limit. Apply the same helper to monitor/config/initialize.go, monitor/controller/client.go, and monitor/kubelet/client.go. The tests should include oversized-but-otherwise-valid responses and assert the explicit size-limit error, not just parse failures from invalid truncated data.
PROMPT for coding agent: Fix PR #1201 by replacing every io.ReadAll(io.LimitReader(..., maxResponseBodySize)) call with a shared helper that detects bodies larger than the limit and returns an error. Use it for GCE metadata, controller metrics, and kubelet summaries. Update or add unit tests so oversized valid payloads fail with the size-limit error, while under-limit payloads still pass.
- Added util.ReadWithLimit to detect and error when response bodies exceed limits.
- Replaced silent truncation in controller, kubelet, and config packages.
- Added comprehensive unit tests for size limit enforcement and explicit error return.
d0d9650 to 9837a33
erain left a comment
Re-reviewed the updated response-body limit implementation. The new shared util.ReadWithLimit reads limit+1 bytes and returns an explicit ErrBodyTooLarge, which addresses the previous truncation concern, and the callers in metadata, controller, and kubelet paths now use it. Ran go test ./monitor/... from kubelet-to-gcm on the PR head. Looks good.
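The difference discussed in the two reviews above, as an added Go example that is not the PR's code: `readTruncating` is the `io.ReadAll(io.LimitReader(...))` pattern, and `readWithLimit` is a sketch of the limit+1 approach. The function names, `errBodyTooLarge` and the sample body are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"strings"
)

// errBodyTooLarge is a hypothetical sentinel; the PR's own error value may differ.
var errBodyTooLarge = errors.New("response body exceeds size limit")

// readTruncating is the pattern the first review objects to: the reader reports
// EOF at limit, so an oversized body looks the same as one that fits.
func readTruncating(r io.Reader, limit int64) ([]byte, error) {
	return io.ReadAll(io.LimitReader(r, limit))
}

// readWithLimit reads at most limit+1 bytes. Seeing the extra byte proves the
// body was larger than limit, and then no partial data reaches the caller.
func readWithLimit(r io.Reader, limit int64) ([]byte, error) {
	if limit+1 <= 0 { // rejects negative limits and int64 overflow of limit+1
		return nil, fmt.Errorf("invalid limit %d", limit)
	}
	data, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, fmt.Errorf("%w (limit %d bytes)", errBodyTooLarge, limit)
	}
	return data, nil
}

// Constructed sample: a metrics-style body whose first line parses on its own.
const sampleBody = "metric_a 1\nmetric_b 2\nmetric_c 3\n"

func main() {
	const limit = 11 // deliberately ends right after the first line
	got, err := readTruncating(strings.NewReader(sampleBody), limit)
	fmt.Printf("truncating: %q err=%v\n", got, err) // first line only, no error
	got, err = readWithLimit(strings.NewReader(sampleBody), limit)
	fmt.Printf("limit+1:    %q err=%v\n", got, err) // explicit size-limit error
	got, err = readWithLimit(strings.NewReader(sampleBody), int64(len(sampleBody)))
	fmt.Printf("exact fit:  %d bytes err=%v\n", len(got), err)
}
```

A body of exactly `limit` bytes is accepted, so the configured limit stays inclusive.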
This PR implements size limits when reading HTTP response bodies in the kubelet-to-gcm monitoring daemon to prevent potential unbounded memory allocation.
Key changes:
Tested locally with go test ./monitor/... in kubelet-to-gcm.