Merge pull request #5291 from volcano-sh/copilot/cherry-pick-commit-13dde815

[release-1.14] Cherry-pick 13dde81: limit webhook request body size

Author: volcano-sh-bot

pkg/webhooks/router/admission.go

@@ -42,7 +42,7 @@ func RegisterAdmission(service *AdmissionService) error {
 
 	// Also register handler to the service.
 	service.Handler = func(w http.ResponseWriter, r *http.Request) {
-		Serve(w, r, service.Func)
+		serve(w, r, service.Func)
 	}
 
 	admissionMap[service.Path] = service

pkg/webhooks/router/server.go

@@ -35,13 +35,22 @@ var CONTENTTYPE = "Content-Type"
 // APPLICATIONJSON json content.
 var APPLICATIONJSON = "application/json"
 
-// Serve the http request.
-func Serve(w io.Writer, r *http.Request, admit AdmitFunc) {
+// MaxRequestBody caps the admission request body size to avoid OOM from
+// oversized requests. 3 MiB matches the kube-apiserver default.
+const MaxRequestBody int64 = 3 * 1024 * 1024
+
+// serve the http request.
+func serve(w http.ResponseWriter, r *http.Request, admit AdmitFunc) {
 	var body []byte
 	if r.Body != nil {
-		if data, err := io.ReadAll(r.Body); err == nil {
-			body = data
+		r.Body = http.MaxBytesReader(w, r.Body, MaxRequestBody)
+		data, err := io.ReadAll(r.Body)
+		if err != nil {
+			klog.Errorf("Failed to read admission request body: %v", err)
+			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
+			return
 		}
+		body = data
 	}
 
 	// verify the content type is accurate