vpa/admission-controller: limit request payload size to 5MB

vertical-pod-autoscaler/pkg/admission-controller/logic/server.go

@@ -45,6 +45,11 @@ const (
 	autoDeprecationWarning = `UpdateMode "Auto" is deprecated and will be removed in a future API version. ` +
 		`Use explicit update modes like "Recreate", "Initial", or "InPlaceOrRecreate" instead. ` +
 		`See https://github.com/kubernetes/autoscaler/issues/8424 for more details.`
+	// maxAdmissionPayloadSize limits the size of the incoming admission request payload
+	// to prevent OOM (Denial of Service) attacks. A typical AdmissionReview is well under 100KB,
+	// and etcd limits objects to 1.5MB. With updates including both the new and old object,
+	// 5MB is an extremely safe upper bound that leaves a comfortable margin.
+	maxAdmissionPayloadSize = 1024 * 1024 * 5 // 5MB
 )
 
 // AdmissionServer is an admission webhook server that modifies pod resources request based on VPA recommendation
@@ -192,8 +197,10 @@ func (s *AdmissionServer) Serve(w http.ResponseWriter, r *http.Request) {
 
 	var body []byte
 	if r.Body != nil {
-		if data, err := io.ReadAll(r.Body); err == nil {
+		if data, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxAdmissionPayloadSize)); err == nil {
 			body = data
+		} else {
+			klog.ErrorS(err, "Failed to read admission request body (payload may exceed 5MB limit)")
 		}
 	}
 	// verify the content type is accurate

vertical-pod-autoscaler/pkg/admission-controller/logic/server_test.go

@@ -0,0 +1,84 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package logic
+
+import (
+	"bytes"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"k8s.io/autoscaler/vertical-pod-autoscaler/pkg/admission-controller/resource"
+)
+
+// InfiniteReader simulates an endless stream of bytes to verify LimitReader behavior.
+type InfiniteReader struct{}
+
+func (r *InfiniteReader) Read(p []byte) (n int, err error) {
+	for i := range p {
+		p[i] = 'a'
+	}
+	return len(p), nil
+}
+
+func (r *InfiniteReader) Close() error {
+	return nil
+}
+
+func TestServePayloadLimit(t *testing.T) {
+	tests := []struct {
+		name           string
+		requestBody    *bytes.Buffer
+		isEndless      bool
+		expectedStatus int
+	}{
+		{
+			name:           "Small valid JSON payload",
+			requestBody:    bytes.NewBufferString(`{"kind":"AdmissionReview","apiVersion":"admission.k8s.io/v1","request":{"uid":"123","resource":{"group":"autoscaling.k8s.io","version":"v1","resource":"verticalpodautoscalers"},"requestKind":{"group":"autoscaling.k8s.io","version":"v1","kind":"VerticalPodAutoscaler"}}}`),
+			expectedStatus: http.StatusOK,
+		},
+		{
+			name:           "Oversized payload exceeding 5MB limit",
+			isEndless:      true,
+			expectedStatus: http.StatusOK, // Fails open, returning 200 OK with unmarshal error rather than crashing
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			server := &AdmissionServer{
+				resourceHandlers: make(map[metav1.GroupResource]resource.Handler), // Unused in basic HTTP parse step
+			}
+
+			var req *http.Request
+			if tc.isEndless {
+				req = httptest.NewRequest(http.MethodPost, "/admit", &InfiniteReader{})
+			} else {
+				req = httptest.NewRequest(http.MethodPost, "/admit", tc.requestBody)
+			}
+			req.Header.Set("Content-Type", "application/json")
+
+			w := httptest.NewRecorder()
+			server.Serve(w, req)
+
+			assert.Equal(t, tc.expectedStatus, w.Code)
+		})
+	}
+}