
Argo Events Kubernetes Admission Webhook Denial of Service

Open • whynowy opened this issue 3 months ago • 1 comment

Describe the bug

Send a large, crafted request and make the webhook crash due to OOMKill.

To replicate, please deploy Argo Events with the validating admission webhook. Then, port-forward to it:

kubectl port-forward svc/events-webhook 6443:443 -n argo-events

Then, run the PoC:

https://gist.github.com/jake-ciolek/9c86868cf71423a6b4cb6ff592181f51

via:

go run .

The webhook pod will crash after reading too much data. The workaround would be to implement its server with a LimitReader.

Thank you, Jakub Ciolek



Message from the maintainers:

If you wish to see this enhancement implemented please add a 👍 reaction to this issue! We often sort issues this way to know what to prioritize.

whynowy • Mar 22 '24 11:03
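The LimitReader workaround named in the report, sketched as an added example (not Argo Events code and not part of the original issue). The names `readBounded` and `maxAdmissionBody`, the 3 MiB cap, the `/validate` path and the plain-HTTP listener on localhost are assumptions for illustration; a real admission webhook serves TLS.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"log"
	"net/http"
)

// maxAdmissionBody is an assumed cap for this example; size it for the
// largest object the webhook legitimately has to validate.
const maxAdmissionBody = 3 << 20 // 3 MiB

var errTooLarge = errors.New("request body exceeds limit")

// readBounded buffers at most limit bytes of the body and returns an HTTP
// status to use on failure, so per-request memory stays capped.
func readBounded(r *http.Request, limit int64) ([]byte, int, error) {
	// Cheap early exit when the client declares an oversized body.
	if r.ContentLength > limit {
		return nil, http.StatusRequestEntityTooLarge, errTooLarge
	}
	// Read one byte past the limit so chunked bodies with no declared
	// length are detected as oversized rather than silently truncated.
	body, err := io.ReadAll(io.LimitReader(r.Body, limit+1))
	if err != nil {
		return nil, http.StatusBadRequest, err
	}
	if int64(len(body)) > limit {
		return nil, http.StatusRequestEntityTooLarge, errTooLarge
	}
	return body, http.StatusOK, nil
}

// serve stands in for the webhook's validation handler (hypothetical).
func serve(w http.ResponseWriter, r *http.Request) {
	body, code, err := readBounded(r, maxAdmissionBody)
	if err != nil {
		http.Error(w, err.Error(), code)
		return
	}
	// The real handler would decode and validate the AdmissionReview here.
	fmt.Fprintf(w, "{\"receivedBytes\":%d}\n", len(body))
}

func main() {
	// Plain HTTP on localhost only so the example runs without certificates.
	http.HandleFunc("/validate", serve)
	log.Fatal(http.ListenAndServe("127.0.0.1:8443", nil))
}
```

Rejecting the request with 413 instead of validating a truncated prefix keeps the webhook from making an admission decision on partial input.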