From aa09f13d8b5328f20dc4fcb63c7a3a1cf406de07 Mon Sep 17 00:00:00 2001
From: Jari Kolehmainen
Date: Thu, 19 Nov 2020 08:32:07 +0200
Subject: [PATCH] kube-auth-proxy: accept only target cluster hostname (#1433)
Signed-off-by: Jari Kolehmainen
---
 src/main/kube-auth-proxy.ts | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/main/kube-auth-proxy.ts b/src/main/kube-auth-proxy.ts
index 33521fdcf5..96c3063277 100644
--- a/src/main/kube-auth-proxy.ts
+++ b/src/main/kube-auth-proxy.ts
@@ -4,6 +4,7 @@ import { broadcastIpc } from "../common/ipc";
 import type { Cluster } from "./cluster"
 import { bundledKubectl, Kubectl } from "./kubectl"
 import logger from "./logger"
+import * as url from "url"
 export interface KubeAuthProxyLog { data: string;
@@ -26,17 +27,22 @@ export class KubeAuthProxy {
 this.kubectl = bundledKubectl }
+ get acceptHosts() {
+ return url.parse(this.cluster.apiUrl).hostname;
+ }
+
 public async run(): Promise { if (this.proxyProcess) { return; }
+ const proxyBin = await this.kubectl.getPath()
 const args = [ "proxy", "-p", `${this.port}`, "--kubeconfig", `${this.cluster.kubeConfigPath}`, "--context", `${this.cluster.contextName}`,
- "--accept-hosts", ".*",
+ "--accept-hosts", this.acceptHosts,
 "--reject-paths", "^[^/]" ]
 if (process.env.DEBUG_PROXY === "true") {
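Review bot: The new `acceptHosts` getter in the second hunk returns the bare hostname, but `kubectl proxy` treats `--accept-hosts` as a regular expression, so this is looser than the commit title suggests. Every `.` in the name matches any character, and with no `^`/`$` anchors a longer Host value that merely contains the name would presumably still pass. `url.parse(...).hostname` is also `null` when `apiUrl` has no parsable host, and that `null` then goes straight into the `args` array in `run()`. I would escape the regex metacharacters, anchor both ends, and fail early on a missing hostname, as sketched below. `run()` continues past the end of the hunk, so how `args` is consumed is not visible here.

```typescript
  get acceptHosts() {
    const { hostname } = url.parse(this.cluster.apiUrl);
    if (!hostname) {
      throw new Error("cluster apiUrl has no hostname; refusing to start kubectl proxy");
    }
    // --accept-hosts is a regular expression: escape metacharacters and anchor both ends
    const escaped = hostname.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
    return `^${escaped}$`;
  }
  // … unchanged: run() and the args array that passes this.acceptHosts …
```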