packages/kubernetes
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!154 [sync] PR-150: fix CVE-2024-3177

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @xuxuepeng 
Signed-off-by: @xuxuepeng
This commit is contained in:
openeuler-ci-bot 2024-04-29 06:31:47 +00:00 committed by Gitee
commit 03ea3392d7
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 244 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

236
0016-Add-envFrom-to-serviceaccount-admission-plugin.patch Normal file
View File

@ -0,0 +1,236 @@
From 3f0922513d235d8bdebe79f0d07da769c04211b8 Mon Sep 17 00:00:00 2001
From: Rita Zhang <rita.z.zhang@gmail.com>
Date: Mon, 25 Mar 2024 10:33:41 -0700
Subject: [PATCH] Add envFrom to serviceaccount admission plugin
Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
---
.../pkg/admission/serviceaccount/admission.go | 21 +++
.../serviceaccount/admission_test.go | 122 ++++++++++++++++--
2 files changed, 132 insertions(+), 11 deletions(-)
diff --git a/plugin/pkg/admission/serviceaccount/admission.go b/plugin/pkg/admission/serviceaccount/admission.go
index c844a051c24..3f4338128e5 100644
--- a/plugin/pkg/admission/serviceaccount/admission.go
+++ b/plugin/pkg/admission/serviceaccount/admission.go
@@ -337,6 +337,13 @@ func (s *Plugin) limitSecretReferences(serviceAccount *corev1.ServiceAccount, po
}
}
}
+ for _, envFrom := range container.EnvFrom {
+ if envFrom.SecretRef != nil {
+ if !mountableSecrets.Has(envFrom.SecretRef.Name) {
+ return fmt.Errorf("init container %s with envFrom referencing secret.secretName=\"%s\" is not allowed because service account %s does not reference that secret", container.Name, envFrom.SecretRef.Name, serviceAccount.Name)
+ }
+ }
+ }
}
for _, container := range pod.Spec.Containers {
@@ -347,6 +354,13 @@ func (s *Plugin) limitSecretReferences(serviceAccount *corev1.ServiceAccount, po
}
}
}
+ for _, envFrom := range container.EnvFrom {
+ if envFrom.SecretRef != nil {
+ if !mountableSecrets.Has(envFrom.SecretRef.Name) {
+ return fmt.Errorf("container %s with envFrom referencing secret.secretName=\"%s\" is not allowed because service account %s does not reference that secret", container.Name, envFrom.SecretRef.Name, serviceAccount.Name)
+ }
+ }
+ }
}
// limit pull secret references as well
@@ -388,6 +402,13 @@ func (s *Plugin) limitEphemeralContainerSecretReferences(pod *api.Pod, a admissi
}
}
}
+ for _, envFrom := range container.EnvFrom {
+ if envFrom.SecretRef != nil {
+ if !mountableSecrets.Has(envFrom.SecretRef.Name) {
+ return fmt.Errorf("ephemeral container %s with envFrom referencing secret.secretName=\"%s\" is not allowed because service account %s does not reference that secret", container.Name, envFrom.SecretRef.Name, serviceAccount.Name)
+ }
+ }
+ }
}
return nil
}
diff --git a/plugin/pkg/admission/serviceaccount/admission_test.go b/plugin/pkg/admission/serviceaccount/admission_test.go
index bf15f870d75..4dba6cd8b13 100644
--- a/plugin/pkg/admission/serviceaccount/admission_test.go
+++ b/plugin/pkg/admission/serviceaccount/admission_test.go
@@ -521,6 +521,25 @@ func TestAllowsReferencedSecret(t *testing.T) {
t.Errorf("Unexpected error: %v", err)
}
+ pod2 = &api.Pod{
+ Spec: api.PodSpec{
+ Containers: []api.Container{
+ {
+ Name: "container-1",
+ EnvFrom: []api.EnvFromSource{
+ {
+ SecretRef: &api.SecretEnvSource{
+ LocalObjectReference: api.LocalObjectReference{
+ Name: "foo"}}}},
+ },
+ },
+ },
+ }
+ attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "", admission.Create, &metav1.CreateOptions{}, false, nil)
+ if err := admissiontesting.WithReinvocationTesting(t, admit).Admit(context.TODO(), attrs, nil); err != nil {
+ t.Errorf("Unexpected error: %v", err)
+ }
+
pod2 = &api.Pod{
Spec: api.PodSpec{
InitContainers: []api.Container{
@@ -545,6 +564,25 @@ func TestAllowsReferencedSecret(t *testing.T) {
t.Errorf("Unexpected error: %v", err)
}
+ pod2 = &api.Pod{
+ Spec: api.PodSpec{
+ InitContainers: []api.Container{
+ {
+ Name: "container-1",
+ EnvFrom: []api.EnvFromSource{
+ {
+ SecretRef: &api.SecretEnvSource{
+ LocalObjectReference: api.LocalObjectReference{
+ Name: "foo"}}}},
+ },
+ },
+ },
+ }
+ attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "", admission.Create, &metav1.CreateOptions{}, false, nil)
+ if err := admissiontesting.WithReinvocationTesting(t, admit).Admit(context.TODO(), attrs, nil); err != nil {
+ t.Errorf("Unexpected error: %v", err)
+ }
+
pod2 = &api.Pod{
Spec: api.PodSpec{
ServiceAccountName: DefaultServiceAccountName,
@@ -572,6 +610,28 @@ func TestAllowsReferencedSecret(t *testing.T) {
if err := admit.Validate(context.TODO(), attrs, nil); err != nil {
t.Errorf("Unexpected error: %v", err)
}
+
+ pod2 = &api.Pod{
+ Spec: api.PodSpec{
+ ServiceAccountName: DefaultServiceAccountName,
+ EphemeralContainers: []api.EphemeralContainer{
+ {
+ EphemeralContainerCommon: api.EphemeralContainerCommon{
+ Name: "container-2",
+ EnvFrom: []api.EnvFromSource{{
+ SecretRef: &api.SecretEnvSource{
+ LocalObjectReference: api.LocalObjectReference{
+ Name: "foo"}}}},
+ },
+ },
+ },
+ },
+ }
+ // validate enforces restrictions on secret mounts when operation==update and subresource==ephemeralcontainers"
+ attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "ephemeralcontainers", admission.Update, &metav1.UpdateOptions{}, false, nil)
+ if err := admit.Validate(context.TODO(), attrs, nil); err != nil {
+ t.Errorf("Unexpected error: %v", err)
+ }
}
func TestRejectsUnreferencedSecretVolumes(t *testing.T) {
@@ -628,25 +688,20 @@ func TestRejectsUnreferencedSecretVolumes(t *testing.T) {
pod2 = &api.Pod{
Spec: api.PodSpec{
- InitContainers: []api.Container{
+ Containers: []api.Container{
{
Name: "container-1",
- Env: []api.EnvVar{
+ EnvFrom: []api.EnvFromSource{
{
- Name: "env-1",
- ValueFrom: &api.EnvVarSource{
- SecretKeyRef: &api.SecretKeySelector{
- LocalObjectReference: api.LocalObjectReference{Name: "foo"},
- },
- },
- },
- },
+ SecretRef: &api.SecretEnvSource{
+ LocalObjectReference: api.LocalObjectReference{
+ Name: "foo"}}}},
},
},
},
}
attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "", admission.Create, &metav1.CreateOptions{}, false, nil)
- if err := admissiontesting.WithReinvocationTesting(t, admit).Admit(context.TODO(), attrs, nil); err == nil || !strings.Contains(err.Error(), "with envVar") {
+ if err := admissiontesting.WithReinvocationTesting(t, admit).Admit(context.TODO(), attrs, nil); err == nil || !strings.Contains(err.Error(), "with envFrom") {
t.Errorf("Unexpected error: %v", err)
}
@@ -679,6 +734,30 @@ func TestRejectsUnreferencedSecretVolumes(t *testing.T) {
t.Errorf("validate only enforces restrictions on secret mounts when operation==create and subresource==''. Unexpected error: %v", err)
}
+ pod2 = &api.Pod{
+ Spec: api.PodSpec{
+ ServiceAccountName: DefaultServiceAccountName,
+ InitContainers: []api.Container{
+ {
+ Name: "container-1",
+ EnvFrom: []api.EnvFromSource{
+ {
+ SecretRef: &api.SecretEnvSource{
+ LocalObjectReference: api.LocalObjectReference{
+ Name: "foo"}}}},
+ },
+ },
+ },
+ }
+ attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "", admission.Update, &metav1.UpdateOptions{}, false, nil)
+ if err := admissiontesting.WithReinvocationTesting(t, admit).Admit(context.TODO(), attrs, nil); err != nil {
+ t.Errorf("admit only enforces restrictions on secret mounts when operation==create. Unexpected error: %v", err)
+ }
+ attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "", admission.Create, &metav1.CreateOptions{}, false, nil)
+ if err := admit.Validate(context.TODO(), attrs, nil); err == nil || !strings.Contains(err.Error(), "with envFrom") {
+ t.Errorf("validate only enforces restrictions on secret mounts when operation==create and subresource==''. Unexpected error: %v", err)
+ }
+
pod2 = &api.Pod{
Spec: api.PodSpec{
ServiceAccountName: DefaultServiceAccountName,
@@ -709,6 +788,27 @@ func TestRejectsUnreferencedSecretVolumes(t *testing.T) {
if err := admit.Validate(context.TODO(), attrs, nil); err == nil || !strings.Contains(err.Error(), "with envVar") {
t.Errorf("validate enforces restrictions on secret mounts when operation==update and subresource==ephemeralcontainers. Unexpected error: %v", err)
}
+
+ pod2 = &api.Pod{
+ Spec: api.PodSpec{
+ ServiceAccountName: DefaultServiceAccountName,
+ EphemeralContainers: []api.EphemeralContainer{
+ {
+ EphemeralContainerCommon: api.EphemeralContainerCommon{
+ Name: "container-2",
+ EnvFrom: []api.EnvFromSource{{
+ SecretRef: &api.SecretEnvSource{
+ LocalObjectReference: api.LocalObjectReference{
+ Name: "foo"}}}},
+ },
+ },
+ },
+ },
+ }
+ attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "ephemeralcontainers", admission.Update, &metav1.UpdateOptions{}, false, nil)
+ if err := admit.Validate(context.TODO(), attrs, nil); err == nil || !strings.Contains(err.Error(), "with envFrom") {
+ t.Errorf("validate enforces restrictions on secret mounts when operation==update and subresource==ephemeralcontainers. Unexpected error: %v", err)
+ }
}
func TestAllowUnreferencedSecretVolumesForPermissiveSAs(t *testing.T) {
--
2.34.1

9
kubernetes.spec
View File

@ -3,7 +3,7 @@
Name: kubernetes Name: kubernetes
Version: 1.20.2 Version: 1.20.2
Release: 20 Release: 21
Summary: Container cluster management Summary: Container cluster management
License: ASL 2.0 License: ASL 2.0
URL: https://k8s.io/kubernetes URL: https://k8s.io/kubernetes
@ -39,6 +39,7 @@ Patch6011: 0012-Return-error-for-localhost-seccomp-type-with-no-loca.patch
Patch6012: 0013-Validate-etcd-paths.patch Patch6012: 0013-Validate-etcd-paths.patch
Patch6013: 0014-fix-node-address-validation.patch Patch6013: 0014-fix-node-address-validation.patch
Patch6014: 0015-Add-ephemeralcontainer-to-imagepolicy-securityaccoun.patch Patch6014: 0015-Add-ephemeralcontainer-to-imagepolicy-securityaccoun.patch
Patch6015: 0016-Add-envFrom-to-serviceaccount-admission-plugin.patch
%description %description
Container cluster management. Container cluster management.
@ -270,6 +271,12 @@ getent passwd kube >/dev/null || useradd -r -g kube -d / -s /sbin/nologin \
%systemd_postun kubelet kube-proxy %systemd_postun kubelet kube-proxy
%changelog %changelog
* Mon Apr 29 2024 liuxu <liuxu156@huawei.com> - 1.20.2-21
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:fix CVE-2024-3177
* Tue Jul 04 2023 zhangxiaoyu <zhangxiaoyu58@huawei.com> - 1.20.2-20 * Tue Jul 04 2023 zhangxiaoyu <zhangxiaoyu58@huawei.com> - 1.20.2-20
- Type:bugfix - Type:bugfix
- CVE:NA - CVE:NA