[ws-proxy] prevent podIP being used with many workspaces

iQQBot · iQQBot · commit bb2f48f1f384 · 2025-05-20T18:16:33.000Z
diff --git a/components/ws-proxy/pkg/proxy/infoprovider.go b/components/ws-proxy/pkg/proxy/infoprovider.go
@@ -30,6 +30,7 @@ import (
 
 const (
 	workspaceIndex = "workspaceIndex"
+	ipAddressIndex = "ipAddressIndex"
 )
 
 // getPortStr extracts the port part from a given URL string. Returns "" if parsing fails or port is not specified.
@@ -77,6 +78,15 @@ func NewCRDWorkspaceInfoProvider(client client.Client, scheme *runtime.Scheme) (
 
 			return nil, xerrors.Errorf("object is not a WorkspaceInfo")
 		},
+		ipAddressIndex: func(obj interface{}) ([]string, error) {
+			if workspaceInfo, ok := obj.(*common.WorkspaceInfo); ok {
+				if workspaceInfo.IPAddress == "" {
+					return nil, nil
+				}
+				return []string{workspaceInfo.IPAddress}, nil
+			}
+			return nil, xerrors.Errorf("object is not a WorkspaceInfo")
+		},
 	}
 	contextIndexers := cache.Indexers{
 		workspaceIndex: func(obj interface{}) ([]string, error) {
@@ -115,12 +125,43 @@ func (r *CRDWorkspaceInfoProvider) WorkspaceInfo(workspaceID string) *common.Wor
 			return a.StartedAt.After(b.StartedAt)
 		})
 
-		return workspaces[0].(*common.WorkspaceInfo)
+		wsInfo := workspaces[0].(*common.WorkspaceInfo)
+
+		if wsInfo.IPAddress != "" {
+			wsInfos, err := r.workspacesInfoByIPAddress(wsInfo.IPAddress)
+			if err != nil {
+				log.WithError(err).Error("error getting workspaces info by IP address")
+				return nil
+			}
+			if len(wsInfos) > 1 {
+				log.Warnf("multiple workspaces (%d) for IP address %s", len(wsInfos), wsInfo.IPAddress)
+				return nil
+			}
+			if len(wsInfos) == 1 && wsInfos[0].WorkspaceID != workspaceID {
+				log.Warnf("workspace %s is not the only workspace for IP address %s", workspaceID, wsInfo.IPAddress)
+				return nil
+			}
+		}
+		return wsInfo
 	}
 
 	return nil
 }
 
+func (r *CRDWorkspaceInfoProvider) workspacesInfoByIPAddress(ipAddress string) ([]*common.WorkspaceInfo, error) {
+	workspaces := make([]*common.WorkspaceInfo, 0)
+
+	objs, err := r.store.ByIndex(ipAddressIndex, ipAddress)
+	if err != nil {
+		return nil, err
+	}
+	for _, w := range objs {
+		workspaces = append(workspaces, w.(*common.WorkspaceInfo))
+	}
+
+	return workspaces, nil
+}
+
 func (r *CRDWorkspaceInfoProvider) AcquireContext(ctx context.Context, workspaceID string, port string) (context.Context, string, error) {
 	ws := r.WorkspaceInfo(workspaceID)
 	if ws == nil {
