From b00ca67d7065817b3f2eac71db0ebfe0a7e2e39e Mon Sep 17 00:00:00 2001 From: Jari Kolehmainen Date: Tue, 26 Oct 2021 14:59:36 +0300 Subject: [PATCH] use random api prefix on kubectl-proxy (#4137) Signed-off-by: Jari Kolehmainen
---
src/main/context-handler.ts | 2 +- src/main/kube-auth-proxy.ts | 8 ++++++-- 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/main/context-handler.ts b/src/main/context-handler.ts
index b6e14df4e5..ce1273646b 100644
--- a/src/main/context-handler.ts
+++ b/src/main/context-handler.ts
@@ -114,7 +114,7 @@ export class ContextHandler {
 await this.ensureServer();
 const path = this.clusterUrl.path !== "/" ? this.clusterUrl.path : "";
- return `http://127.0.0.1:${this.kubeAuthProxy.port}${path}`;
+ return `http://127.0.0.1:${this.kubeAuthProxy.port}${this.kubeAuthProxy.apiPrefix}${path}`;
 }
 async getApiTarget(isLongRunningRequest = false): Promise {
diff --git a/src/main/kube-auth-proxy.ts b/src/main/kube-auth-proxy.ts
index ac3bdf8dd1..4362f4f314 100644
--- a/src/main/kube-auth-proxy.ts
+++ b/src/main/kube-auth-proxy.ts
@@ -21,6 +21,7 @@ import { ChildProcess, spawn } from "child_process";
 import { waitUntilUsed } from "tcp-port-used";
+import { randomBytes } from "crypto";
 import { broadcastMessage } from "../common/ipc";
 import type { Cluster } from "./cluster";
 import { Kubectl } from "./kubectl";
@@ -38,6 +39,7 @@ const startingServeRegex = /^starting to serve on (?
.+)/i;
 export class KubeAuthProxy {
 public lastError: string;
+ public readonly apiPrefix: string;
 public get port(): number {
 return this._port;
@@ -56,6 +58,7 @@ export class KubeAuthProxy {
 this.env = env;
 this.cluster = cluster;
 this.kubectl = Kubectl.bundled();
+ this.apiPrefix = `/${randomBytes(8).toString("hex")}`;
 }
 get acceptHosts() {
@@ -78,7 +81,8 @@ export class KubeAuthProxy {
 "--kubeconfig", `${this.cluster.kubeConfigPath}`, "--context", `${this.cluster.contextName}`, "--accept-hosts", this.acceptHosts,
- "--reject-paths", "^[^/]"
+ "--reject-paths", "^[^/]",
+ "--api-prefix", this.apiPrefix
 ];
 if (process.env.DEBUG_PROXY === "true") {
@@ -112,7 +116,7 @@ export class KubeAuthProxy {
 });
 await waitUntilUsed(this.port, 500, 10000);
-
+
 this.ready = true;
 }
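Review bot: The new `public readonly apiPrefix: string;` field has no comment saying that it is security-sensitive. The constructor hunk (@@ -56) fills it from `randomBytes(8)` and context-handler.ts embeds it in the loopback proxy URL, so it appears to work as an unguessable path secret rather than an ordinary route prefix. I would document that on the field, e.g. `/** Random per-instance URL prefix for kubectl proxy; knowing it grants access to the proxy, so keep it and any URL containing it out of logs and error messages. */`. Since the value is effectively a bearer token, `randomBytes(16)` would cost nothing extra and leave more margin than 64 bits. The class body continues outside both hunks, so existing log statements that print the proxy URL could not be checked from here.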
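Review bot: Passing the secret as `"--api-prefix", this.apiPrefix` puts it on kubectl's command line, which on most operating systems other local processes (and other users on a shared host) can read from the process list. The prefix therefore protects against callers that can only reach the port blindly, such as a web page issuing requests to 127.0.0.1, but probably not against local software that can enumerate process arguments. That limit should be stated next to the argument, e.g. `// NOTE: visible in the process list; stops blind requests to the port, not local process inspection`. If stronger isolation is wanted on Unix platforms, `kubectl proxy --unix-socket` with a private socket path may be worth evaluating, provided the HTTP client used here can talk to a socket. The args array and the `DEBUG_PROXY` branch both extend outside this hunk.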