New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix HSTS Missing From HTTPS Server(Nessus Scanner) #96502
Conversation
@249043822: This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Hi @249043822. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/remove-sig api-machinery |
/remove-sig api-machinery |
/assign @mikedanese @deads2k |
/assign @mikedanese @deads2k |
/assgin @liggitt @caesarxuchao |
/hold Thanks for the PR, but we cannot unilaterally indicate all ports on the host the API server was accessed by must be serving https (other processes can be serving http on different ports). This would affect things like development servers on |
if len(hstsHeaders) != 0 { | ||
for _, hstsHeader := range hstsHeaders { | ||
if len(strings.TrimSpace(hstsHeader)) == 0 { | ||
return fmt.Errorf("empty value in strict-transport-security-headers") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
build a full slice of errors []error
and then use pkg/util/errors.NewAggregate
at the end. If memory serves, it correctly results nil on an empty slice, so you get the "easy" behavior that works and all the errors at the same time.
if hstsHeader != "includeSubDomains" && hstsHeader != "preload" { | ||
maxAgeValue := strings.Split(hstsHeader, "=") | ||
if len(maxAgeValue) != 2 || maxAgeValue[0] != "max-age" { | ||
return fmt.Errorf("--strict-transport-security-headers invalid, must be of format: max-age=expireTime,includeSubDomains,preload") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please link to the spec saying these are the only valid values. The format appears more flexible to me https://tools.ietf.org/html/rfc6797#section-6.1 with some kind of a registry somewhere for extension.
@@ -161,6 +185,9 @@ func (s *ServerRunOptions) AddUniversalFlags(fs *pflag.FlagSet) { | |||
"List of allowed origins for CORS, comma separated. An allowed origin can be a regular "+ | |||
"expression to support subdomain matching. If this list is empty CORS will not be enabled.") | |||
|
|||
fs.StringSliceVar(&s.HSTSHeaders, "strict-transport-security-headers", s.HSTSHeaders, ""+ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please provide an example in the usage. I may have misunderstood the code. Are these the hsts directives that go into a single header? The code suggests the header cannot be repeated?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yea, all hsts directives go into a single header
staging/src/k8s.io/apiserver/pkg/server/options/server_run_options_test.go
Show resolved
Hide resolved
@@ -18,7 +18,9 @@ package options | |||
|
|||
import ( | |||
"fmt" | |||
"k8s.io/apimachinery/pkg/util/errors" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit order. this belongs in the next block of imports.
Sorry about this, I hadn't read in detail before. Can you replace all the /approve After we get the names fixed, I think this is ready to go. |
what does |
@deads2k looks like we are just trying to make a specific scanner happy. are we going to get a deluge of more such PRs? |
@dims It means someone pointed at security scanning tool at a host running the apiserver and it came back complaining about a HTTPS 'website' not returning HSTS headers. To me these really only make sense to send for a site serving browser traffic, but it doesn't seem like it hurts anything to let someone configure them if it gets their infosec team off their back. |
@dims The Nessus Scanner report as followers: MEDIUM HSTS Missing From HTTPS Server Solution See Also Output
|
@deads2k I have fixed these. |
/retest |
/sig-remove api-machinery |
/remove-sig api-machinery |
The feedback from the website PR is that the doc is updated automatically.
The release-note has been specified. /lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: 249043822, deads2k The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
/kind feature
What this PR does / why we need it:
Nessus scanner treats this as a Medium Risk
Which issue(s) this PR fixes:
Fixes #96040
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: