Avoid nil dereferencing when tlsConfig is nil.

gravitational · Mar 23, 2022 · ad69c3c · ad69c3c
1 parent 9f57d0f
commit ad69c3c
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 0 deletions.
diff --git a/lib/kube/proxy/auth.go b/lib/kube/proxy/auth.go
@@ -174,6 +174,15 @@ func extractKubeCreds(ctx context.Context, cluster string, clientCfg *rest.Confi
 	if err != nil {
 		return nil, trace.Wrap(err, "failed to generate TLS config from kubeconfig: %v", err)
 	}
+	if tlsConfig == nil {
+		messageArgs := "c.HasCA, " +
+			"c.HasCertAuth, " +
+			"c.HasCertCallback, " +
+			"c.TLS.Insecure, " +
+			"len(c.TLS.ServerName) > 0, " +
+			"len(c.TLS.NextProtos) > 0 "
+		return nil, trace.BadParameter("failed to generate TLS config from kubeConfig. All of %s were false", messageArgs)
+	}
 	transportConfig, err := clientCfg.TransportConfig()
 	if err != nil {
 		return nil, trace.Wrap(err, "failed to generate transport config from kubeconfig: %v", err)

diff --git a/lib/kube/proxy/auth_test.go b/lib/kube/proxy/auth_test.go
@@ -31,6 +31,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	authztypes "k8s.io/client-go/kubernetes/typed/authorization/v1"
+	"k8s.io/client-go/rest"
 	"k8s.io/client-go/transport"
 )
 
@@ -270,3 +271,17 @@ current-context: foo
 		})
 	}
 }
+
+func TestExtractKubeCreds(t *testing.T) {
+	t.Parallel()
+	_, err := extractKubeCreds(context.TODO(),
+		"cluster",
+		&rest.Config{},
+		KubeService,
+		"",
+		utils.NewLoggerForTests(),
+		func(ctx context.Context, clusterName string, sarClient authztypes.SelfSubjectAccessReviewInterface) error {
+			return nil
+		})
+	require.Contains(t, err.Error(), "failed to generate TLS config from kubeConfig. All of")
+}