
Invalidated token can lead to a DoS

Open prometherion opened this issue 1 year ago • 0 comments

Bug description

If a token has been invalidated by the API server but a Tenant user is still using it, it could start a Denial of Service of the Capsule Proxy.

How to reproduce

  1. Create a ServiceAccount token
  2. Start a while true loop to retrieve Namespaces
  3. Revoke the ServiceAccount token with a new one

Expected behaviour

We should store locally revoked tokens to avoid putting too much pressure on the API Server in creating useless TokenReview objects.

Logs

2024/08/06 16:08:48 cannot authenticate the token due to error: [invalid bearer token, Token has been invalidated]

Additional context

  • Capsule-Proxy version: 0.7.0
  • Helm Chart version:

NAME            NAMESPACE       REVISION        UPDATED                                 STATUS          CHART                   APP VERSION
capsule         capsule-system  2               2024-07-31 09:35:27.738570848 +0000 UTC deployed        capsule-0.7.0           0.7.0
capsule-proxy   capsule-system  3               2024-07-31 09:59:20.41574799 +0000 UTC  deployed        capsule-proxy-0.7.0     0.7.0

  • Kubernetes version:

serverVersion:
  buildDate: "2024-06-25T20:02:55Z"
  compiler: gc
  gitCommit: aa4794b37223156c5f651d94e23670bd7e581607
  gitTreeState: clean
  gitVersion: v1.30.2+k3s1
  goVersion: go1.22.4
  major: "1"
  minor: "30"
  platform: linux/amd64

prometherion, Aug 06 '24 17:08
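The negative cache the issue asks for, written out as an added Go example that is not capsule-proxy's own code. It wraps a hypothetical TokenReviewer interface (standing in for the TokenReview call the proxy makes to the API server), remembers the SHA-256 of each token the API server rejected for a configurable TTL, caps the cache so a flood of random invalid tokens cannot turn the mitigation into a memory-exhaustion problem, and deliberately never caches positive results, so revoking a token still takes effect on the next request. The countingReviewer type and all names below are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// ErrRevoked is returned for tokens the API server has already rejected.
var ErrRevoked = errors.New("bearer token has been invalidated")

// TokenReviewer is a hypothetical stand-in for the API server's TokenReview
// call: true means the token is valid, a non-nil error means the review
// itself failed (network, throttling) and says nothing about the token.
type TokenReviewer interface {
	Review(token string) (bool, error)
}

// CachingAuthenticator remembers rejected tokens so that a client looping on
// a revoked token costs one TokenReview per TTL instead of one per request.
type CachingAuthenticator struct {
	upstream   TokenReviewer
	ttl        time.Duration
	maxEntries int
	now        func() time.Time // injectable clock, used by the tests

	mu       sync.Mutex
	rejected map[string]time.Time // sha256(token) -> expiry of the negative entry
}

func NewCachingAuthenticator(up TokenReviewer, ttl time.Duration, maxEntries int) *CachingAuthenticator {
	return &CachingAuthenticator{
		upstream:   up,
		ttl:        ttl,
		maxEntries: maxEntries,
		now:        time.Now,
		rejected:   make(map[string]time.Time),
	}
}

// tokenKey hashes the token so the raw bearer token is never held in the cache.
func tokenKey(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// Authenticate returns (true, nil) for a valid token, (false, ErrRevoked) for a
// rejected one and (false, err) when the upstream review could not be performed.
func (c *CachingAuthenticator) Authenticate(token string) (bool, error) {
	key := tokenKey(token)
	now := c.now()

	c.mu.Lock()
	exp, hit := c.rejected[key]
	if hit && now.Before(exp) {
		c.mu.Unlock()
		return false, ErrRevoked // served from cache: no TokenReview issued
	}
	if hit {
		delete(c.rejected, key) // negative entry expired: re-check upstream
	}
	c.mu.Unlock()

	ok, err := c.upstream.Review(token)
	if err != nil {
		return false, err // transient API server failures are never cached
	}
	if ok {
		return true, nil // valid tokens are not cached, so revocation is honoured promptly
	}

	c.mu.Lock()
	defer c.mu.Unlock()
	if len(c.rejected) >= c.maxEntries {
		c.sweep(now) // make room by dropping expired entries first
	}
	if len(c.rejected) < c.maxEntries {
		c.rejected[key] = now.Add(c.ttl)
	}
	return false, ErrRevoked // if the cache is still full, the token is simply not cached
}

func (c *CachingAuthenticator) sweep(now time.Time) {
	for k, exp := range c.rejected {
		if !now.Before(exp) {
			delete(c.rejected, k)
		}
	}
}

// countingReviewer is a constructed stand-in for the API server: it accepts only
// the tokens listed in valid and counts how many TokenReview calls it received.
type countingReviewer struct {
	valid map[string]bool
	calls int
}

func (f *countingReviewer) Review(token string) (bool, error) {
	f.calls++
	return f.valid[token], nil
}

func main() {
	fake := &countingReviewer{valid: map[string]bool{"good-token": true}}
	auth := NewCachingAuthenticator(fake, time.Minute, 10000)

	// A tenant looping on a revoked token, as in the reproduction steps.
	for i := 0; i < 1000; i++ {
		auth.Authenticate("revoked-token")
	}
	fmt.Printf("1000 requests with a revoked token -> %d TokenReview calls\n", fake.calls)
}
```

In the proxy this wrapper would sit in front of the existing TokenReview-based authenticator; the TTL bounds how long a rejected token keeps being answered from cache, and maxEntries bounds the memory an attacker can make the cache hold.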