Remove localhost calls from external names

Signed-off-by: Ricardo Pchevuzinske Katz <ricardo.katz@gmail.com>
2021-04-30 00:24:28 -03:00 · 2021-04-30 00:24:28 -03:00 · 0dceedfad7
commit 0dceedfad7
parent 22ae0d3848
6 changed files with 74 additions and 1 deletions
--- a/internal/ingress/controller/endpoints.go
+++ b/internal/ingress/controller/endpoints.go
@ -50,6 +50,12 @@ func getEndpoints(s *corev1.Service, port *corev1.ServicePort, proto corev1.Prot

 	// ExternalName services
 	if s.Spec.Type == corev1.ServiceTypeExternalName {
+		if ip := net.ParseIP(s.Spec.ExternalName); s.Spec.ExternalName == "localhost" ||
+			(ip != nil && ip.IsLoopback()) {
+			klog.Errorf("Invalid attempt to use localhost name %s in %q", s.Spec.ExternalName, svcKey)
+			return upsServers
+		}
+
 		klog.V(3).Infof("Ingress using Service %q of type ExternalName.", svcKey)
 		targetPort := port.TargetPort.IntValue()
 		// if the externalName is not an IP address we need to validate is a valid FQDN
--- a/internal/ingress/controller/endpoints_test.go
+++ b/internal/ingress/controller/endpoints_test.go
@ -78,6 +78,54 @@ func TestGetEndpoints(t *testing.T) {
 			},
 			[]ingress.Endpoint{},
 		},
+		{
+			"a service type ServiceTypeExternalName service with localhost in name should return 0 endpoint",
+			&corev1.Service{
+				Spec: corev1.ServiceSpec{
+					Type:         corev1.ServiceTypeExternalName,
+					ExternalName: "localhost",
+					Ports: []corev1.ServicePort{
+						{
+							Name:       "default",
+							TargetPort: intstr.FromInt(443),
+						},
+					},
+				},
+			},
+			&corev1.ServicePort{
+				Name:       "default",
+				TargetPort: intstr.FromInt(80),
+			},
+			corev1.ProtocolTCP,
+			func(string) (*corev1.Endpoints, error) {
+				return &corev1.Endpoints{}, nil
+			},
+			[]ingress.Endpoint{},
+		},
+		{
+			"a service type ServiceTypeExternalName service with 127.0.0.1 in name should return 0 endpoint",
+			&corev1.Service{
+				Spec: corev1.ServiceSpec{
+					Type:         corev1.ServiceTypeExternalName,
+					ExternalName: "127.0.0.1",
+					Ports: []corev1.ServicePort{
+						{
+							Name:       "default",
+							TargetPort: intstr.FromInt(443),
+						},
+					},
+				},
+			},
+			&corev1.ServicePort{
+				Name:       "default",
+				TargetPort: intstr.FromInt(80),
+			},
+			corev1.ProtocolTCP,
+			func(string) (*corev1.Endpoints, error) {
+				return &corev1.Endpoints{}, nil
+			},
+			[]ingress.Endpoint{},
+		},
 		{
 			"a service type ServiceTypeExternalName with a valid port should return one endpoint",
 			&corev1.Service{