packages/kubernetes
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!100 [sync] PR-96: add patch and fix CVE-2021-25740

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @duguhaotian 
Signed-off-by: @duguhaotian
This commit is contained in:
openeuler-ci-bot 2022-12-08 09:31:47 +00:00 committed by Gitee
commit 56ac44666e
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 47 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
0011-Remove-Endpoints-write-access-from-aggregated-edit-r.patch Normal file
View File

@ -0,0 +1,38 @@
From 416efdab26afe06cf2b57991dfac511769bf508b Mon Sep 17 00:00:00 2001
From: Rob Scott <robertjscott@google.com>
Date: Tue, 13 Jul 2021 22:17:12 -0700
Subject: [PATCH] Remove Endpoints write access from aggregated edit role
---
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go | 2 +-
.../authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml | 1 -
2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index 352543a2..903c6723 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -286,7 +286,7 @@ func ClusterRoles() []rbacv1.ClusterRole {
rbacv1helpers.NewRule(Write...).Groups(legacyGroup).Resources("pods", "pods/attach", "pods/proxy", "pods/exec", "pods/portforward").RuleOrDie(),
rbacv1helpers.NewRule(Write...).Groups(legacyGroup).Resources("replicationcontrollers", "replicationcontrollers/scale", "serviceaccounts",
- "services", "services/proxy", "endpoints", "persistentvolumeclaims", "configmaps", "secrets").RuleOrDie(),
+ "services", "services/proxy", "persistentvolumeclaims", "configmaps", "secrets").RuleOrDie(),
rbacv1helpers.NewRule(Write...).Groups(appsGroup).Resources(
"statefulsets", "statefulsets/scale",
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
index 2f571c76..e869c122 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
@@ -128,7 +128,6 @@ items:
- ""
resources:
- configmaps
- - endpoints
- persistentvolumeclaims
- replicationcontrollers
- replicationcontrollers/scale
--
2.25.1

10
kubernetes.spec
View File

@ -3,7 +3,7 @@
Name: kubernetes Name: kubernetes
Version: 1.20.2 Version: 1.20.2
Release: 15 Release: 16
Summary: Container cluster management Summary: Container cluster management
License: ASL 2.0 License: ASL 2.0
URL: https://k8s.io/kubernetes URL: https://k8s.io/kubernetes
@ -33,6 +33,8 @@ Patch6005: 0006-kubelet-support-attach-websocket-protocol.patch
Patch6006: 0007-Add-an-option-for-aggregator.patch Patch6006: 0007-Add-an-option-for-aggregator.patch
Patch6007: 0008-kubelet-fix-websocket-reference-nil-pointer.patch Patch6007: 0008-kubelet-fix-websocket-reference-nil-pointer.patch
Patch6008: 0009-timeout-wait-backend-to-frontend-complete.patch Patch6008: 0009-timeout-wait-backend-to-frontend-complete.patch
Patch6009: 0010-Escape-terminal-special-characters-in-kubectl-112553.patch
Patch6010: 0011-Remove-Endpoints-write-access-from-aggregated-edit-r.patch
%description %description
Container cluster management. Container cluster management.
@ -264,6 +266,12 @@ getent passwd kube >/dev/null || useradd -r -g kube -d / -s /sbin/nologin \
%systemd_postun kubelet kube-proxy %systemd_postun kubelet kube-proxy
%changelog %changelog
* Thu Dec 08 2022 zhangxiaoyu <zhangxiaoyu58@huawei.com> - 1.20.2-16
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:add patch and fix CVE-2021-25740
* Mon Nov 28 2022 zhangxiaoyu <zhangxiaoyu58@huawei.com> - 1.20.2-15 * Mon Nov 28 2022 zhangxiaoyu <zhangxiaoyu58@huawei.com> - 1.20.2-15
- Type:bugfix - Type:bugfix
- CVE:NA - CVE:NA