plugin/kubernetes: Validate transfers are allowed (#2292)

* check allowed transfers

* add tests for parsing, and comment about refactor
Chris O'Haver
2018-11-13 18:25:30 -05:00
committed by Miek Gieben
parent 4d52a71f09
commit 7aafbe24ca
3 changed files with 105 additions and 2 deletions


@@ -25,6 +25,10 @@ func (k *Kubernetes) MinTTL(state request.Request) uint32 { return 30 }
// Transfer implements the Transferer interface.
func (k *Kubernetes) Transfer(ctx context.Context, state request.Request) (int, error) {
if !k.transferAllowed(state) {
return dns.RcodeRefused, nil
}
// Get all services.
rrs := make(chan dns.RR)
go k.transfer(rrs, state.Zone)
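Review bot: The early exit `return dns.RcodeRefused, nil` refuses the zone transfer without leaving any record of who asked, so a transfer attempt from a peer outside the ACL is invisible to the operator; if the plugin's logger is in scope in this file (not visible here), emit the remote address from `state.IP()` before returning, and in any case annotate the branch with `// Refused: remote is not listed in TransferTo.` so the silent drop reads as intentional. The decision itself comes from `transferAllowed` in the second hunk of this section, which `continue`s past any TransferTo entry that `net.SplitHostPort` cannot parse, so an entry written as a bare IP never matches and every transfer is refused with no hint why — fail-closed, but worth a one-line comment on that loop such as `// Entries must be host:port; unparsable entries are skipped.` unless the config parser already normalises them. Transfer's body continues outside this hunk.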
@@ -71,6 +75,26 @@ func (k *Kubernetes) Transfer(ctx context.Context, state request.Request) (int,
return dns.RcodeSuccess, nil
}
// transferAllowed checks if incoming request for transferring the zone is allowed according to the ACLs.
// Note: This is copied from zone.transferAllowed, but should eventually be factored into a common transfer pkg.
func (k *Kubernetes) transferAllowed(state request.Request) bool {
for _, t := range k.TransferTo {
if t == "*" {
return true
}
// If remote IP matches we accept.
remote := state.IP()
to, _, err := net.SplitHostPort(t)
if err != nil {
continue
}
if to == remote {
return true
}
}
return false
}
func (k *Kubernetes) transfer(c chan dns.RR, zone string) {
defer close(c)