Argo Events Kubernetes Admission Webhook Denial of Service

[whynowy]

Describe the bug
send a large, crafted request and make the webhook crash due to OOMKill.

To replicate, please deploy Argo Events with the validating admission webhook. Then, port-forward to it:

kubectl port-forward svc/events-webhook 6443:443 -n argo-events

Then, run the PoC:

https://gist.github.com/jake-ciolek/9c86868cf71423a6b4cb6ff592181f51

via:

go run .

The webhook pod will crash after reading too much data. The workaround would be to implement its server with a LimitReader.

Thank you,
Jakub Ciolek

Additional context
Add any other context about the problem here.

---

Message from the maintainers:

If you wish to see this enhancement implemented please add a 👍 reaction to this issue! We often sort issues this way to know what to prioritize.

[github-actions]

This issue has been automatically marked as stale because it has not had
any activity in the last 60 days. It will be closed if no further activity
occurs. Thank you for your contributions.