From 025c4d059380c4256fedd0d1d5f5dae5a961b74c Mon Sep 17 00:00:00 2001
From: Jari Kolehmainen
Date: Wed, 18 Nov 2020 22:02:20 +0200
Subject: [PATCH] kube-auth-proxy: accept only target cluster hostname
Signed-off-by: Jari Kolehmainen
---
 src/main/kube-auth-proxy.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/main/kube-auth-proxy.ts b/src/main/kube-auth-proxy.ts
index 7192425466..731f036212 100644
--- a/src/main/kube-auth-proxy.ts
+++ b/src/main/kube-auth-proxy.ts
@@ -4,6 +4,7 @@ import { broadcastIpc } from "../common/ipc";
 import type { Cluster } from "./cluster"
 import { Kubectl } from "./kubectl"
 import logger from "./logger"
+import * as url from "url"
 export interface KubeAuthProxyLog {
 data: string;
@@ -30,13 +31,14 @@ export class KubeAuthProxy {
 if (this.proxyProcess) {
 return;
 }
+ const clusterUrl = url.parse(this.cluster.apiUrl);
 const proxyBin = await this.kubectl.getPath()
 const args = [
 "proxy",
 "-p", `${this.port}`,
 "--kubeconfig", `${this.cluster.kubeConfigPath}`,
 "--context", `${this.cluster.contextName}`,
- "--accept-hosts", ".*",
+ "--accept-hosts", clusterUrl.hostname,
 "--reject-paths", "^[^/]"
 ]
 if (process.env.DEBUG_PROXY === "true") {
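Review bot: In the second hunk, `clusterUrl.hostname` is passed to `--accept-hosts` unchanged, but kubectl interprets that value as a regular expression, so an unescaped and unanchored hostname admits more Host values than the one cluster name (each `.` matches any character, and the pattern can match inside a longer name). Escaping and anchoring keeps the filter to the intended host: `const acceptHost = "^" + clusterUrl.hostname.replace(/[.*+?^${}()|[\]\\]/g, "\\$&") + "$"` followed by `"--accept-hosts", acceptHost,`. `url.parse` also yields a null `hostname` when `apiUrl` has no parsable host, and nothing visible in the hunk keeps that null out of `args`; failing early with a logged error would be clearer than handing it to the kubectl process. The enclosing method starts and ends outside the hunk, so a guard elsewhere cannot be ruled out.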