Only check caller-controlled attribute size for max cache key

tallclair · tallclair · commit e23c15a0f348 · 2019-01-24T13:37:52.000-08:00
diff --git a/staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook.go b/staging/src/k8s.io/apiserver/plugin/pkg/authorizer/webhook/webhook.go
@@ -200,7 +200,7 @@ func (w *WebhookAuthorizer) Authorize(attr authorizer.Attributes) (decision auth
 		if r.Status.Allowed {
 			w.responseCache.Add(string(key), r.Status, w.authorizedTTL)
 		} else {
-			if len(key) <= maxUnauthorizedCachedKeySize {
+			if callerControlledAttributeSize(attr) < maxUnauthorizedCachedKeySize {
 				w.responseCache.Add(string(key), r.Status, w.unauthorizedTTL)
 			}
 		}
@@ -268,3 +268,14 @@ func (t *subjectAccessReviewClient) Create(subjectAccessReview *authorization.Su
 	err := t.w.RestClient.Post().Body(subjectAccessReview).Do().Into(result)
 	return result, err
 }
+
+func callerControlledAttributeSize(attr authorizer.Attributes) int64 {
+	return int64(len(attr.GetNamespace())) +
+		int64(len(attr.GetVerb())) +
+		int64(len(attr.GetAPIGroup())) +
+		int64(len(attr.GetAPIVersion())) +
+		int64(len(attr.GetResource())) +
+		int64(len(attr.GetSubresource())) +
+		int64(len(attr.GetName())) +
+		int64(len(attr.GetPath()))
+}
