Fix HSTS Missing From HTTPS Server(Nessus Scanner) #96502
Conversation
k8s-ci-robot
added
size/M
|
@249043822: This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
needs-triage
|
Hi @249043822. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
needs-ok-to-test
|
/remove-sig api-machinery |
k8s-ci-robot
added
sig/auth
k8s-ci-robot
added
the
sig/api-machinery
|
/remove-sig api-machinery |
k8s-ci-robot
removed
the
sig/api-machinery
|
/assign @mikedanese @deads2k |
|
/assign @mikedanese @deads2k |
|
/assgin @liggitt @caesarxuchao |
|
/hold Thanks for the PR, but we cannot unilaterally indicate all ports on the host the API server was accessed by must be serving https (other processes can be serving http on different ports). This would affect things like development servers on |
k8s-ci-robot
added
the
do-not-merge/hold
| if len(hstsHeaders) != 0 { | ||
| for _, hstsHeader := range hstsHeaders { | ||
| if len(strings.TrimSpace(hstsHeader)) == 0 { | ||
| return fmt.Errorf("empty value in strict-transport-security-headers") |
There was a problem hiding this comment.
build a full slice of errors []error and then use pkg/util/errors.NewAggregate at the end. If memory serves, it correctly results nil on an empty slice, so you get the "easy" behavior that works and all the errors at the same time.
| if hstsHeader != "includeSubDomains" && hstsHeader != "preload" { | ||
| maxAgeValue := strings.Split(hstsHeader, "=") | ||
| if len(maxAgeValue) != 2 || maxAgeValue[0] != "max-age" { | ||
| return fmt.Errorf("--strict-transport-security-headers invalid, must be of format: max-age=expireTime,includeSubDomains,preload") |
There was a problem hiding this comment.
please link to the spec saying these are the only valid values. The format appears more flexible to me https://tools.ietf.org/html/rfc6797#section-6.1 with some kind of a registry somewhere for extension.
| @@ -161,6 +185,9 @@ func (s *ServerRunOptions) AddUniversalFlags(fs *pflag.FlagSet) { | |||
| "List of allowed origins for CORS, comma separated. An allowed origin can be a regular "+ | |||
| "expression to support subdomain matching. If this list is empty CORS will not be enabled.") | |||
|
|
|||
| fs.StringSliceVar(&s.HSTSHeaders, "strict-transport-security-headers", s.HSTSHeaders, ""+ | |||
There was a problem hiding this comment.
please provide an example in the usage. I may have misunderstood the code. Are these the hsts directives that go into a single header? The code suggests the header cannot be repeated?
There was a problem hiding this comment.
Yea, all hsts directives go into a single header
staging/src/k8s.io/apiserver/pkg/server/options/server_run_options_test.go
Show resolved
Hide resolved
| @@ -18,7 +18,9 @@ package options | |||
|
|
|||
| import ( | |||
| "fmt" | |||
| "k8s.io/apimachinery/pkg/util/errors" | |||
There was a problem hiding this comment.
nit order. this belongs in the next block of imports.
Sorry about this, I hadn't read in detail before. Can you replace all the /approve After we get the names fixed, I think this is ready to go. |
k8s-ci-robot
added
the
approved
|
what does |
|
@deads2k looks like we are just trying to make a specific scanner happy. are we going to get a deluge of more such PRs? |
|
@dims It means someone pointed at security scanning tool at a host running the apiserver and it came back complaining about a HTTPS 'website' not returning HSTS headers. To me these really only make sense to send for a site serving browser traffic, but it doesn't seem like it hurts anything to let someone configure them if it gets their infosec team off their back. |
@dims The Nessus Scanner report as followers: MEDIUM HSTS Missing From HTTPS Server Solution See Also Output
|
@deads2k I have fixed these. |
|
/retest |
|
/sig-remove api-machinery |
|
/remove-sig api-machinery |
k8s-ci-robot
removed
the
sig/api-machinery
k8s-ci-robot
added
release-note
|
The feedback from the website PR is that the doc is updated automatically.
The release-note has been specified. /lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: 249043822, deads2k The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
/kind feature
What this PR does / why we need it:
Nessus scanner treats this as a Medium Risk
Which issue(s) this PR fixes:
Fixes #96040
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: