* [meta-virtualization][kirkstone][PATCH] kubernetes: Backport fix for CVE-2024-3177
@ 2024-05-03 3:49 Ashish Sharma
2024-05-14 2:28 ` Bruce Ashfield
0 siblings, 1 reply; 3+ messages in thread
From: Ashish Sharma @ 2024-05-03 3:49 UTC (permalink / raw)
To: meta-virtualization; +Cc: Ashish Sharma
Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/pull/124325/commits/3f0922513d235d8bdebe79f0d07da769c04211b8]
Signed-off-by: Ashish Sharma <asharma@mvista.com>
---
.../kubernetes/kubernetes/CVE-2024-3177.patch | 237 ++++++++++++++++++
.../kubernetes/kubernetes_git.bb | 1 +
2 files changed, 238 insertions(+)
create mode 100644 recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch
diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch b/recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch
new file mode 100644
index 00000000..20b2ea8a
--- /dev/null
+++ b/recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch
@@ -0,0 +1,237 @@
+From 3f0922513d235d8bdebe79f0d07da769c04211b8 Mon Sep 17 00:00:00 2001
+From: Rita Zhang <rita.z.zhang@gmail.com>
+Date: Mon, 25 Mar 2024 10:33:41 -0700
+Subject: [PATCH] Add envFrom to serviceaccount admission plugin
+
+Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
+
+Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/pull/124325/commits/3f0922513d235d8bdebe79f0d07da769c04211b8]
+CVE: CVE-2024-3177
+Signed-off-by: Ashish Sharma <asharma@mvista.com>
+
+ .../pkg/admission/serviceaccount/admission.go | 21 +++
+ .../serviceaccount/admission_test.go | 122 ++++++++++++++++--
+ 2 files changed, 132 insertions(+), 11 deletions(-)
+
+diff --git a/plugin/pkg/admission/serviceaccount/admission.go b/plugin/pkg/admission/serviceaccount/admission.go
+index c844a051c24b..3f4338128e53 100644
+--- a/plugin/pkg/admission/serviceaccount/admission.go
++++ b/plugin/pkg/admission/serviceaccount/admission.go
+@@ -337,6 +337,13 @@ func (s *Plugin) limitSecretReferences(serviceAccount *corev1.ServiceAccount, po
+ }
+ }
+ }
++ for _, envFrom := range container.EnvFrom {
++ if envFrom.SecretRef != nil {
++ if !mountableSecrets.Has(envFrom.SecretRef.Name) {
++ return fmt.Errorf("init container %s with envFrom referencing secret.secretName=\"%s\" is not allowed because service account %s does not reference that secret", container.Name, envFrom.SecretRef.Name, serviceAccount.Name)
++ }
++ }
++ }
+ }
+
+ for _, container := range pod.Spec.Containers {
+@@ -347,6 +354,13 @@ func (s *Plugin) limitSecretReferences(serviceAccount *corev1.ServiceAccount, po
+ }
+ }
+ }
++ for _, envFrom := range container.EnvFrom {
++ if envFrom.SecretRef != nil {
++ if !mountableSecrets.Has(envFrom.SecretRef.Name) {
++ return fmt.Errorf("container %s with envFrom referencing secret.secretName=\"%s\" is not allowed because service account %s does not reference that secret", container.Name, envFrom.SecretRef.Name, serviceAccount.Name)
++ }
++ }
++ }
+ }
+
+ // limit pull secret references as well
+@@ -388,6 +402,13 @@ func (s *Plugin) limitEphemeralContainerSecretReferences(pod *api.Pod, a admissi
+ }
+ }
+ }
++ for _, envFrom := range container.EnvFrom {
++ if envFrom.SecretRef != nil {
++ if !mountableSecrets.Has(envFrom.SecretRef.Name) {
++ return fmt.Errorf("ephemeral container %s with envFrom referencing secret.secretName=\"%s\" is not allowed because service account %s does not reference that secret", container.Name, envFrom.SecretRef.Name, serviceAccount.Name)
++ }
++ }
++ }
+ }
+ return nil
+ }
+diff --git a/plugin/pkg/admission/serviceaccount/admission_test.go b/plugin/pkg/admission/serviceaccount/admission_test.go
+index bf15f870d75a..4dba6cd8b13e 100644
+--- a/plugin/pkg/admission/serviceaccount/admission_test.go
++++ b/plugin/pkg/admission/serviceaccount/admission_test.go
+@@ -521,6 +521,25 @@ func TestAllowsReferencedSecret(t *testing.T) {
+ t.Errorf("Unexpected error: %v", err)
+ }
+
++ pod2 = &api.Pod{
++ Spec: api.PodSpec{
++ Containers: []api.Container{
++ {
++ Name: "container-1",
++ EnvFrom: []api.EnvFromSource{
++ {
++ SecretRef: &api.SecretEnvSource{
++ LocalObjectReference: api.LocalObjectReference{
++ Name: "foo"}}}},
++ },
++ },
++ },
++ }
++ attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "", admission.Create, &metav1.CreateOptions{}, false, nil)
++ if err := admissiontesting.WithReinvocationTesting(t, admit).Admit(context.TODO(), attrs, nil); err != nil {
++ t.Errorf("Unexpected error: %v", err)
++ }
++
+ pod2 = &api.Pod{
+ Spec: api.PodSpec{
+ InitContainers: []api.Container{
+@@ -545,6 +564,25 @@ func TestAllowsReferencedSecret(t *testing.T) {
+ t.Errorf("Unexpected error: %v", err)
+ }
+
++ pod2 = &api.Pod{
++ Spec: api.PodSpec{
++ InitContainers: []api.Container{
++ {
++ Name: "container-1",
++ EnvFrom: []api.EnvFromSource{
++ {
++ SecretRef: &api.SecretEnvSource{
++ LocalObjectReference: api.LocalObjectReference{
++ Name: "foo"}}}},
++ },
++ },
++ },
++ }
++ attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "", admission.Create, &metav1.CreateOptions{}, false, nil)
++ if err := admissiontesting.WithReinvocationTesting(t, admit).Admit(context.TODO(), attrs, nil); err != nil {
++ t.Errorf("Unexpected error: %v", err)
++ }
++
+ pod2 = &api.Pod{
+ Spec: api.PodSpec{
+ ServiceAccountName: DefaultServiceAccountName,
+@@ -572,6 +610,28 @@ func TestAllowsReferencedSecret(t *testing.T) {
+ if err := admit.Validate(context.TODO(), attrs, nil); err != nil {
+ t.Errorf("Unexpected error: %v", err)
+ }
++
++ pod2 = &api.Pod{
++ Spec: api.PodSpec{
++ ServiceAccountName: DefaultServiceAccountName,
++ EphemeralContainers: []api.EphemeralContainer{
++ {
++ EphemeralContainerCommon: api.EphemeralContainerCommon{
++ Name: "container-2",
++ EnvFrom: []api.EnvFromSource{{
++ SecretRef: &api.SecretEnvSource{
++ LocalObjectReference: api.LocalObjectReference{
++ Name: "foo"}}}},
++ },
++ },
++ },
++ },
++ }
++ // validate enforces restrictions on secret mounts when operation==update and subresource==ephemeralcontainers"
++ attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "ephemeralcontainers", admission.Update, &metav1.UpdateOptions{}, false, nil)
++ if err := admit.Validate(context.TODO(), attrs, nil); err != nil {
++ t.Errorf("Unexpected error: %v", err)
++ }
+ }
+
+ func TestRejectsUnreferencedSecretVolumes(t *testing.T) {
+@@ -628,25 +688,20 @@ func TestRejectsUnreferencedSecretVolumes(t *testing.T) {
+
+ pod2 = &api.Pod{
+ Spec: api.PodSpec{
+- InitContainers: []api.Container{
++ Containers: []api.Container{
+ {
+ Name: "container-1",
+- Env: []api.EnvVar{
++ EnvFrom: []api.EnvFromSource{
+ {
+- Name: "env-1",
+- ValueFrom: &api.EnvVarSource{
+- SecretKeyRef: &api.SecretKeySelector{
+- LocalObjectReference: api.LocalObjectReference{Name: "foo"},
+- },
+- },
+- },
+- },
++ SecretRef: &api.SecretEnvSource{
++ LocalObjectReference: api.LocalObjectReference{
++ Name: "foo"}}}},
+ },
+ },
+ },
+ }
+ attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "", admission.Create, &metav1.CreateOptions{}, false, nil)
+- if err := admissiontesting.WithReinvocationTesting(t, admit).Admit(context.TODO(), attrs, nil); err == nil || !strings.Contains(err.Error(), "with envVar") {
++ if err := admissiontesting.WithReinvocationTesting(t, admit).Admit(context.TODO(), attrs, nil); err == nil || !strings.Contains(err.Error(), "with envFrom") {
+ t.Errorf("Unexpected error: %v", err)
+ }
+
+@@ -679,6 +734,30 @@ func TestRejectsUnreferencedSecretVolumes(t *testing.T) {
+ t.Errorf("validate only enforces restrictions on secret mounts when operation==create and subresource==''. Unexpected error: %v", err)
+ }
+
++ pod2 = &api.Pod{
++ Spec: api.PodSpec{
++ ServiceAccountName: DefaultServiceAccountName,
++ InitContainers: []api.Container{
++ {
++ Name: "container-1",
++ EnvFrom: []api.EnvFromSource{
++ {
++ SecretRef: &api.SecretEnvSource{
++ LocalObjectReference: api.LocalObjectReference{
++ Name: "foo"}}}},
++ },
++ },
++ },
++ }
++ attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "", admission.Update, &metav1.UpdateOptions{}, false, nil)
++ if err := admissiontesting.WithReinvocationTesting(t, admit).Admit(context.TODO(), attrs, nil); err != nil {
++ t.Errorf("admit only enforces restrictions on secret mounts when operation==create. Unexpected error: %v", err)
++ }
++ attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "", admission.Create, &metav1.CreateOptions{}, false, nil)
++ if err := admit.Validate(context.TODO(), attrs, nil); err == nil || !strings.Contains(err.Error(), "with envFrom") {
++ t.Errorf("validate only enforces restrictions on secret mounts when operation==create and subresource==''. Unexpected error: %v", err)
++ }
++
+ pod2 = &api.Pod{
+ Spec: api.PodSpec{
+ ServiceAccountName: DefaultServiceAccountName,
+@@ -709,6 +788,27 @@ func TestRejectsUnreferencedSecretVolumes(t *testing.T) {
+ if err := admit.Validate(context.TODO(), attrs, nil); err == nil || !strings.Contains(err.Error(), "with envVar") {
+ t.Errorf("validate enforces restrictions on secret mounts when operation==update and subresource==ephemeralcontainers. Unexpected error: %v", err)
+ }
++
++ pod2 = &api.Pod{
++ Spec: api.PodSpec{
++ ServiceAccountName: DefaultServiceAccountName,
++ EphemeralContainers: []api.EphemeralContainer{
++ {
++ EphemeralContainerCommon: api.EphemeralContainerCommon{
++ Name: "container-2",
++ EnvFrom: []api.EnvFromSource{{
++ SecretRef: &api.SecretEnvSource{
++ LocalObjectReference: api.LocalObjectReference{
++ Name: "foo"}}}},
++ },
++ },
++ },
++ },
++ }
++ attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "ephemeralcontainers", admission.Update, &metav1.UpdateOptions{}, false, nil)
++ if err := admit.Validate(context.TODO(), attrs, nil); err == nil || !strings.Contains(err.Error(), "with envFrom") {
++ t.Errorf("validate enforces restrictions on secret mounts when operation==update and subresource==ephemeralcontainers. Unexpected error: %v", err)
++ }
+ }
+
+ func TestAllowUnreferencedSecretVolumesForPermissiveSAs(t *testing.T) {
diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb
index b0c87c47..78d1cd2a 100644
--- a/recipes-containers/kubernetes/kubernetes_git.bb
+++ b/recipes-containers/kubernetes/kubernetes_git.bb
@@ -35,6 +35,7 @@ SRC_URI:append = " \
file://cni-containerd-net.conflist \
file://k8s-init \
file://99-kubernetes.conf \
+ file://CVE-2024-3177.patch \
"
DEPENDS += "rsync-native \
--
2.35.7
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [meta-virtualization][kirkstone][PATCH] kubernetes: Backport fix for CVE-2024-3177
2024-05-03 3:49 [meta-virtualization][kirkstone][PATCH] kubernetes: Backport fix for CVE-2024-3177 Ashish Sharma
@ 2024-05-14 2:28 ` Bruce Ashfield
2024-05-17 6:18 ` Martin Jansa
0 siblings, 1 reply; 3+ messages in thread
From: Bruce Ashfield @ 2024-05-14 2:28 UTC (permalink / raw)
To: asharma; +Cc: meta-virtualization
merged to kirkstone
Bruce
In message: [meta-virtualization][kirkstone][PATCH] kubernetes: Backport fix for CVE-2024-3177
on 03/05/2024 Ashish Sharma via lists.yoctoproject.org wrote:
> Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/pull/124325/commits/3f0922513d235d8bdebe79f0d07da769c04211b8]
>
> Signed-off-by: Ashish Sharma <asharma@mvista.com>
> ---
> .../kubernetes/kubernetes/CVE-2024-3177.patch | 237 ++++++++++++++++++
> .../kubernetes/kubernetes_git.bb | 1 +
> 2 files changed, 238 insertions(+)
> create mode 100644 recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch
>
> diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch b/recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch
> new file mode 100644
> index 00000000..20b2ea8a
> --- /dev/null
> +++ b/recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch
> @@ -0,0 +1,237 @@
> +From 3f0922513d235d8bdebe79f0d07da769c04211b8 Mon Sep 17 00:00:00 2001
> +From: Rita Zhang <rita.z.zhang@gmail.com>
> +Date: Mon, 25 Mar 2024 10:33:41 -0700
> +Subject: [PATCH] Add envFrom to serviceaccount admission plugin
> +
> +Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
> +
> +Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/pull/124325/commits/3f0922513d235d8bdebe79f0d07da769c04211b8]
> +CVE: CVE-2024-3177
> +Signed-off-by: Ashish Sharma <asharma@mvista.com>
> +
> + .../pkg/admission/serviceaccount/admission.go | 21 +++
> + .../serviceaccount/admission_test.go | 122 ++++++++++++++++--
> + 2 files changed, 132 insertions(+), 11 deletions(-)
> +
> +diff --git a/plugin/pkg/admission/serviceaccount/admission.go b/plugin/pkg/admission/serviceaccount/admission.go
> +index c844a051c24b..3f4338128e53 100644
> +--- a/plugin/pkg/admission/serviceaccount/admission.go
> ++++ b/plugin/pkg/admission/serviceaccount/admission.go
> +@@ -337,6 +337,13 @@ func (s *Plugin) limitSecretReferences(serviceAccount *corev1.ServiceAccount, po
> + }
> + }
> + }
> ++ for _, envFrom := range container.EnvFrom {
> ++ if envFrom.SecretRef != nil {
> ++ if !mountableSecrets.Has(envFrom.SecretRef.Name) {
> ++ return fmt.Errorf("init container %s with envFrom referencing secret.secretName=\"%s\" is not allowed because service account %s does not reference that secret", container.Name, envFrom.SecretRef.Name, serviceAccount.Name)
> ++ }
> ++ }
> ++ }
> + }
> +
> + for _, container := range pod.Spec.Containers {
> +@@ -347,6 +354,13 @@ func (s *Plugin) limitSecretReferences(serviceAccount *corev1.ServiceAccount, po
> + }
> + }
> + }
> ++ for _, envFrom := range container.EnvFrom {
> ++ if envFrom.SecretRef != nil {
> ++ if !mountableSecrets.Has(envFrom.SecretRef.Name) {
> ++ return fmt.Errorf("container %s with envFrom referencing secret.secretName=\"%s\" is not allowed because service account %s does not reference that secret", container.Name, envFrom.SecretRef.Name, serviceAccount.Name)
> ++ }
> ++ }
> ++ }
> + }
> +
> + // limit pull secret references as well
> +@@ -388,6 +402,13 @@ func (s *Plugin) limitEphemeralContainerSecretReferences(pod *api.Pod, a admissi
> + }
> + }
> + }
> ++ for _, envFrom := range container.EnvFrom {
> ++ if envFrom.SecretRef != nil {
> ++ if !mountableSecrets.Has(envFrom.SecretRef.Name) {
> ++ return fmt.Errorf("ephemeral container %s with envFrom referencing secret.secretName=\"%s\" is not allowed because service account %s does not reference that secret", container.Name, envFrom.SecretRef.Name, serviceAccount.Name)
> ++ }
> ++ }
> ++ }
> + }
> + return nil
> + }
> +diff --git a/plugin/pkg/admission/serviceaccount/admission_test.go b/plugin/pkg/admission/serviceaccount/admission_test.go
> +index bf15f870d75a..4dba6cd8b13e 100644
> +--- a/plugin/pkg/admission/serviceaccount/admission_test.go
> ++++ b/plugin/pkg/admission/serviceaccount/admission_test.go
> +@@ -521,6 +521,25 @@ func TestAllowsReferencedSecret(t *testing.T) {
> + t.Errorf("Unexpected error: %v", err)
> + }
> +
> ++ pod2 = &api.Pod{
> ++ Spec: api.PodSpec{
> ++ Containers: []api.Container{
> ++ {
> ++ Name: "container-1",
> ++ EnvFrom: []api.EnvFromSource{
> ++ {
> ++ SecretRef: &api.SecretEnvSource{
> ++ LocalObjectReference: api.LocalObjectReference{
> ++ Name: "foo"}}}},
> ++ },
> ++ },
> ++ },
> ++ }
> ++ attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "", admission.Create, &metav1.CreateOptions{}, false, nil)
> ++ if err := admissiontesting.WithReinvocationTesting(t, admit).Admit(context.TODO(), attrs, nil); err != nil {
> ++ t.Errorf("Unexpected error: %v", err)
> ++ }
> ++
> + pod2 = &api.Pod{
> + Spec: api.PodSpec{
> + InitContainers: []api.Container{
> +@@ -545,6 +564,25 @@ func TestAllowsReferencedSecret(t *testing.T) {
> + t.Errorf("Unexpected error: %v", err)
> + }
> +
> ++ pod2 = &api.Pod{
> ++ Spec: api.PodSpec{
> ++ InitContainers: []api.Container{
> ++ {
> ++ Name: "container-1",
> ++ EnvFrom: []api.EnvFromSource{
> ++ {
> ++ SecretRef: &api.SecretEnvSource{
> ++ LocalObjectReference: api.LocalObjectReference{
> ++ Name: "foo"}}}},
> ++ },
> ++ },
> ++ },
> ++ }
> ++ attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "", admission.Create, &metav1.CreateOptions{}, false, nil)
> ++ if err := admissiontesting.WithReinvocationTesting(t, admit).Admit(context.TODO(), attrs, nil); err != nil {
> ++ t.Errorf("Unexpected error: %v", err)
> ++ }
> ++
> + pod2 = &api.Pod{
> + Spec: api.PodSpec{
> + ServiceAccountName: DefaultServiceAccountName,
> +@@ -572,6 +610,28 @@ func TestAllowsReferencedSecret(t *testing.T) {
> + if err := admit.Validate(context.TODO(), attrs, nil); err != nil {
> + t.Errorf("Unexpected error: %v", err)
> + }
> ++
> ++ pod2 = &api.Pod{
> ++ Spec: api.PodSpec{
> ++ ServiceAccountName: DefaultServiceAccountName,
> ++ EphemeralContainers: []api.EphemeralContainer{
> ++ {
> ++ EphemeralContainerCommon: api.EphemeralContainerCommon{
> ++ Name: "container-2",
> ++ EnvFrom: []api.EnvFromSource{{
> ++ SecretRef: &api.SecretEnvSource{
> ++ LocalObjectReference: api.LocalObjectReference{
> ++ Name: "foo"}}}},
> ++ },
> ++ },
> ++ },
> ++ },
> ++ }
> ++ // validate enforces restrictions on secret mounts when operation==update and subresource==ephemeralcontainers"
> ++ attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "ephemeralcontainers", admission.Update, &metav1.UpdateOptions{}, false, nil)
> ++ if err := admit.Validate(context.TODO(), attrs, nil); err != nil {
> ++ t.Errorf("Unexpected error: %v", err)
> ++ }
> + }
> +
> + func TestRejectsUnreferencedSecretVolumes(t *testing.T) {
> +@@ -628,25 +688,20 @@ func TestRejectsUnreferencedSecretVolumes(t *testing.T) {
> +
> + pod2 = &api.Pod{
> + Spec: api.PodSpec{
> +- InitContainers: []api.Container{
> ++ Containers: []api.Container{
> + {
> + Name: "container-1",
> +- Env: []api.EnvVar{
> ++ EnvFrom: []api.EnvFromSource{
> + {
> +- Name: "env-1",
> +- ValueFrom: &api.EnvVarSource{
> +- SecretKeyRef: &api.SecretKeySelector{
> +- LocalObjectReference: api.LocalObjectReference{Name: "foo"},
> +- },
> +- },
> +- },
> +- },
> ++ SecretRef: &api.SecretEnvSource{
> ++ LocalObjectReference: api.LocalObjectReference{
> ++ Name: "foo"}}}},
> + },
> + },
> + },
> + }
> + attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "", admission.Create, &metav1.CreateOptions{}, false, nil)
> +- if err := admissiontesting.WithReinvocationTesting(t, admit).Admit(context.TODO(), attrs, nil); err == nil || !strings.Contains(err.Error(), "with envVar") {
> ++ if err := admissiontesting.WithReinvocationTesting(t, admit).Admit(context.TODO(), attrs, nil); err == nil || !strings.Contains(err.Error(), "with envFrom") {
> + t.Errorf("Unexpected error: %v", err)
> + }
> +
> +@@ -679,6 +734,30 @@ func TestRejectsUnreferencedSecretVolumes(t *testing.T) {
> + t.Errorf("validate only enforces restrictions on secret mounts when operation==create and subresource==''. Unexpected error: %v", err)
> + }
> +
> ++ pod2 = &api.Pod{
> ++ Spec: api.PodSpec{
> ++ ServiceAccountName: DefaultServiceAccountName,
> ++ InitContainers: []api.Container{
> ++ {
> ++ Name: "container-1",
> ++ EnvFrom: []api.EnvFromSource{
> ++ {
> ++ SecretRef: &api.SecretEnvSource{
> ++ LocalObjectReference: api.LocalObjectReference{
> ++ Name: "foo"}}}},
> ++ },
> ++ },
> ++ },
> ++ }
> ++ attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "", admission.Update, &metav1.UpdateOptions{}, false, nil)
> ++ if err := admissiontesting.WithReinvocationTesting(t, admit).Admit(context.TODO(), attrs, nil); err != nil {
> ++ t.Errorf("admit only enforces restrictions on secret mounts when operation==create. Unexpected error: %v", err)
> ++ }
> ++ attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "", admission.Create, &metav1.CreateOptions{}, false, nil)
> ++ if err := admit.Validate(context.TODO(), attrs, nil); err == nil || !strings.Contains(err.Error(), "with envFrom") {
> ++ t.Errorf("validate only enforces restrictions on secret mounts when operation==create and subresource==''. Unexpected error: %v", err)
> ++ }
> ++
> + pod2 = &api.Pod{
> + Spec: api.PodSpec{
> + ServiceAccountName: DefaultServiceAccountName,
> +@@ -709,6 +788,27 @@ func TestRejectsUnreferencedSecretVolumes(t *testing.T) {
> + if err := admit.Validate(context.TODO(), attrs, nil); err == nil || !strings.Contains(err.Error(), "with envVar") {
> + t.Errorf("validate enforces restrictions on secret mounts when operation==update and subresource==ephemeralcontainers. Unexpected error: %v", err)
> + }
> ++
> ++ pod2 = &api.Pod{
> ++ Spec: api.PodSpec{
> ++ ServiceAccountName: DefaultServiceAccountName,
> ++ EphemeralContainers: []api.EphemeralContainer{
> ++ {
> ++ EphemeralContainerCommon: api.EphemeralContainerCommon{
> ++ Name: "container-2",
> ++ EnvFrom: []api.EnvFromSource{{
> ++ SecretRef: &api.SecretEnvSource{
> ++ LocalObjectReference: api.LocalObjectReference{
> ++ Name: "foo"}}}},
> ++ },
> ++ },
> ++ },
> ++ },
> ++ }
> ++ attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "ephemeralcontainers", admission.Update, &metav1.UpdateOptions{}, false, nil)
> ++ if err := admit.Validate(context.TODO(), attrs, nil); err == nil || !strings.Contains(err.Error(), "with envFrom") {
> ++ t.Errorf("validate enforces restrictions on secret mounts when operation==update and subresource==ephemeralcontainers. Unexpected error: %v", err)
> ++ }
> + }
> +
> + func TestAllowUnreferencedSecretVolumesForPermissiveSAs(t *testing.T) {
> diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb
> index b0c87c47..78d1cd2a 100644
> --- a/recipes-containers/kubernetes/kubernetes_git.bb
> +++ b/recipes-containers/kubernetes/kubernetes_git.bb
> @@ -35,6 +35,7 @@ SRC_URI:append = " \
> file://cni-containerd-net.conflist \
> file://k8s-init \
> file://99-kubernetes.conf \
> + file://CVE-2024-3177.patch \
> "
>
> DEPENDS += "rsync-native \
> --
> 2.35.7
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#8715): https://lists.yoctoproject.org/g/meta-virtualization/message/8715
> Mute This Topic: https://lists.yoctoproject.org/mt/105882014/1050810
> Group Owner: meta-virtualization+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [meta-virtualization][kirkstone][PATCH] kubernetes: Backport fix for CVE-2024-3177
2024-05-14 2:28 ` Bruce Ashfield
@ 2024-05-17 6:18 ` Martin Jansa
0 siblings, 0 replies; 3+ messages in thread
From: Martin Jansa @ 2024-05-17 6:18 UTC (permalink / raw)
To: bruce.ashfield; +Cc: asharma, meta-virtualization
The .patch file doesn't apply on the v1.23.17 version currently in kirkstone.
recipe-sysroot-native/etc/quiltrc push', 0, "stdout: Applying patch
CVE-2024-3177.patch
can't find file to patch at input line 20
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|From 3f0922513d235d8bdebe79f0d07da769c04211b8 Mon Sep 17 00:00:00 2001
|From: Rita Zhang <rita.z.zhang@gmail.com>
|Date: Mon, 25 Mar 2024 10:33:41 -0700
|Subject: [PATCH] Add envFrom to serviceaccount admission plugin
|
|Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
|
|Upstream-Status: Backport
[https://github.com/kubernetes/kubernetes/pull/124325/commits/3f0922513d235d8bdebe79f0d07da769c04211b8]
|CVE: CVE-2024-3177
|Signed-off-by: Ashish Sharma <asharma@mvista.com>
|
| .../pkg/admission/serviceaccount/admission.go | 21 +++
| .../serviceaccount/admission_test.go | 122 ++++++++++++++++--
| 2 files changed, 132 insertions(+), 11 deletions(-)
|
|diff --git a/plugin/pkg/admission/serviceaccount/admission.go
b/plugin/pkg/admission/serviceaccount/admission.go
|index c844a051c24b..3f4338128e53 100644
|--- a/plugin/pkg/admission/serviceaccount/admission.go
|+++ b/plugin/pkg/admission/serviceaccount/admission.go
--------------------------
No file to patch. Skipping patch.
3 out of 3 hunks ignored
can't find file to patch at input line 66
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|diff --git a/plugin/pkg/admission/serviceaccount/admission_test.go
b/plugin/pkg/admission/serviceaccount/admission_test.go
|index bf15f870d75a..4dba6cd8b13e 100644
|--- a/plugin/pkg/admission/serviceaccount/admission_test.go
|+++ b/plugin/pkg/admission/serviceaccount/admission_test.go
--------------------------
No file to patch. Skipping patch.
6 out of 6 hunks ignored
Patch CVE-2024-3177.patch does not apply (enforce with -f)
stderr: ")
It would need to be applied in src/import subdirectory as other .patch
files here are. Will send a fix, but the original submitter should do
a better test before sending.
On Tue, May 14, 2024 at 4:28 AM Bruce Ashfield via
lists.yoctoproject.org
<bruce.ashfield=gmail.com@lists.yoctoproject.org> wrote:
>
> merged to kirkstone
>
> Bruce
>
> In message: [meta-virtualization][kirkstone][PATCH] kubernetes: Backport fix for CVE-2024-3177
> on 03/05/2024 Ashish Sharma via lists.yoctoproject.org wrote:
>
> > Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/pull/124325/commits/3f0922513d235d8bdebe79f0d07da769c04211b8]
> >
> > Signed-off-by: Ashish Sharma <asharma@mvista.com>
> > ---
> > .../kubernetes/kubernetes/CVE-2024-3177.patch | 237 ++++++++++++++++++
> > .../kubernetes/kubernetes_git.bb | 1 +
> > 2 files changed, 238 insertions(+)
> > create mode 100644 recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch
> >
> > diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch b/recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch
> > new file mode 100644
> > index 00000000..20b2ea8a
> > --- /dev/null
> > +++ b/recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch
> > @@ -0,0 +1,237 @@
> > +From 3f0922513d235d8bdebe79f0d07da769c04211b8 Mon Sep 17 00:00:00 2001
> > +From: Rita Zhang <rita.z.zhang@gmail.com>
> > +Date: Mon, 25 Mar 2024 10:33:41 -0700
> > +Subject: [PATCH] Add envFrom to serviceaccount admission plugin
> > +
> > +Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
> > +
> > +Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/pull/124325/commits/3f0922513d235d8bdebe79f0d07da769c04211b8]
> > +CVE: CVE-2024-3177
> > +Signed-off-by: Ashish Sharma <asharma@mvista.com>
> > +
> > + .../pkg/admission/serviceaccount/admission.go | 21 +++
> > + .../serviceaccount/admission_test.go | 122 ++++++++++++++++--
> > + 2 files changed, 132 insertions(+), 11 deletions(-)
> > +
> > +diff --git a/plugin/pkg/admission/serviceaccount/admission.go b/plugin/pkg/admission/serviceaccount/admission.go
> > +index c844a051c24b..3f4338128e53 100644
> > +--- a/plugin/pkg/admission/serviceaccount/admission.go
> > ++++ b/plugin/pkg/admission/serviceaccount/admission.go
> > +@@ -337,6 +337,13 @@ func (s *Plugin) limitSecretReferences(serviceAccount *corev1.ServiceAccount, po
> > + }
> > + }
> > + }
> > ++ for _, envFrom := range container.EnvFrom {
> > ++ if envFrom.SecretRef != nil {
> > ++ if !mountableSecrets.Has(envFrom.SecretRef.Name) {
> > ++ return fmt.Errorf("init container %s with envFrom referencing secret.secretName=\"%s\" is not allowed because service account %s does not reference that secret", container.Name, envFrom.SecretRef.Name, serviceAccount.Name)
> > ++ }
> > ++ }
> > ++ }
> > + }
> > +
> > + for _, container := range pod.Spec.Containers {
> > +@@ -347,6 +354,13 @@ func (s *Plugin) limitSecretReferences(serviceAccount *corev1.ServiceAccount, po
> > + }
> > + }
> > + }
> > ++ for _, envFrom := range container.EnvFrom {
> > ++ if envFrom.SecretRef != nil {
> > ++ if !mountableSecrets.Has(envFrom.SecretRef.Name) {
> > ++ return fmt.Errorf("container %s with envFrom referencing secret.secretName=\"%s\" is not allowed because service account %s does not reference that secret", container.Name, envFrom.SecretRef.Name, serviceAccount.Name)
> > ++ }
> > ++ }
> > ++ }
> > + }
> > +
> > + // limit pull secret references as well
> > +@@ -388,6 +402,13 @@ func (s *Plugin) limitEphemeralContainerSecretReferences(pod *api.Pod, a admissi
> > + }
> > + }
> > + }
> > ++ for _, envFrom := range container.EnvFrom {
> > ++ if envFrom.SecretRef != nil {
> > ++ if !mountableSecrets.Has(envFrom.SecretRef.Name) {
> > ++ return fmt.Errorf("ephemeral container %s with envFrom referencing secret.secretName=\"%s\" is not allowed because service account %s does not reference that secret", container.Name, envFrom.SecretRef.Name, serviceAccount.Name)
> > ++ }
> > ++ }
> > ++ }
> > + }
> > + return nil
> > + }
> > +diff --git a/plugin/pkg/admission/serviceaccount/admission_test.go b/plugin/pkg/admission/serviceaccount/admission_test.go
> > +index bf15f870d75a..4dba6cd8b13e 100644
> > +--- a/plugin/pkg/admission/serviceaccount/admission_test.go
> > ++++ b/plugin/pkg/admission/serviceaccount/admission_test.go
> > +@@ -521,6 +521,25 @@ func TestAllowsReferencedSecret(t *testing.T) {
> > + t.Errorf("Unexpected error: %v", err)
> > + }
> > +
> > ++ pod2 = &api.Pod{
> > ++ Spec: api.PodSpec{
> > ++ Containers: []api.Container{
> > ++ {
> > ++ Name: "container-1",
> > ++ EnvFrom: []api.EnvFromSource{
> > ++ {
> > ++ SecretRef: &api.SecretEnvSource{
> > ++ LocalObjectReference: api.LocalObjectReference{
> > ++ Name: "foo"}}}},
> > ++ },
> > ++ },
> > ++ },
> > ++ }
> > ++ attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "", admission.Create, &metav1.CreateOptions{}, false, nil)
> > ++ if err := admissiontesting.WithReinvocationTesting(t, admit).Admit(context.TODO(), attrs, nil); err != nil {
> > ++ t.Errorf("Unexpected error: %v", err)
> > ++ }
> > ++
> > + pod2 = &api.Pod{
> > + Spec: api.PodSpec{
> > + InitContainers: []api.Container{
> > +@@ -545,6 +564,25 @@ func TestAllowsReferencedSecret(t *testing.T) {
> > + t.Errorf("Unexpected error: %v", err)
> > + }
> > +
> > ++ pod2 = &api.Pod{
> > ++ Spec: api.PodSpec{
> > ++ InitContainers: []api.Container{
> > ++ {
> > ++ Name: "container-1",
> > ++ EnvFrom: []api.EnvFromSource{
> > ++ {
> > ++ SecretRef: &api.SecretEnvSource{
> > ++ LocalObjectReference: api.LocalObjectReference{
> > ++ Name: "foo"}}}},
> > ++ },
> > ++ },
> > ++ },
> > ++ }
> > ++ attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "", admission.Create, &metav1.CreateOptions{}, false, nil)
> > ++ if err := admissiontesting.WithReinvocationTesting(t, admit).Admit(context.TODO(), attrs, nil); err != nil {
> > ++ t.Errorf("Unexpected error: %v", err)
> > ++ }
> > ++
> > + pod2 = &api.Pod{
> > + Spec: api.PodSpec{
> > + ServiceAccountName: DefaultServiceAccountName,
> > +@@ -572,6 +610,28 @@ func TestAllowsReferencedSecret(t *testing.T) {
> > + if err := admit.Validate(context.TODO(), attrs, nil); err != nil {
> > + t.Errorf("Unexpected error: %v", err)
> > + }
> > ++
> > ++ pod2 = &api.Pod{
> > ++ Spec: api.PodSpec{
> > ++ ServiceAccountName: DefaultServiceAccountName,
> > ++ EphemeralContainers: []api.EphemeralContainer{
> > ++ {
> > ++ EphemeralContainerCommon: api.EphemeralContainerCommon{
> > ++ Name: "container-2",
> > ++ EnvFrom: []api.EnvFromSource{{
> > ++ SecretRef: &api.SecretEnvSource{
> > ++ LocalObjectReference: api.LocalObjectReference{
> > ++ Name: "foo"}}}},
> > ++ },
> > ++ },
> > ++ },
> > ++ },
> > ++ }
> > ++ // validate enforces restrictions on secret mounts when operation==update and subresource==ephemeralcontainers"
> > ++ attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "ephemeralcontainers", admission.Update, &metav1.UpdateOptions{}, false, nil)
> > ++ if err := admit.Validate(context.TODO(), attrs, nil); err != nil {
> > ++ t.Errorf("Unexpected error: %v", err)
> > ++ }
> > + }
> > +
> > + func TestRejectsUnreferencedSecretVolumes(t *testing.T) {
> > +@@ -628,25 +688,20 @@ func TestRejectsUnreferencedSecretVolumes(t *testing.T) {
> > +
> > + pod2 = &api.Pod{
> > + Spec: api.PodSpec{
> > +- InitContainers: []api.Container{
> > ++ Containers: []api.Container{
> > + {
> > + Name: "container-1",
> > +- Env: []api.EnvVar{
> > ++ EnvFrom: []api.EnvFromSource{
> > + {
> > +- Name: "env-1",
> > +- ValueFrom: &api.EnvVarSource{
> > +- SecretKeyRef: &api.SecretKeySelector{
> > +- LocalObjectReference: api.LocalObjectReference{Name: "foo"},
> > +- },
> > +- },
> > +- },
> > +- },
> > ++ SecretRef: &api.SecretEnvSource{
> > ++ LocalObjectReference: api.LocalObjectReference{
> > ++ Name: "foo"}}}},
> > + },
> > + },
> > + },
> > + }
> > + attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "", admission.Create, &metav1.CreateOptions{}, false, nil)
> > +- if err := admissiontesting.WithReinvocationTesting(t, admit).Admit(context.TODO(), attrs, nil); err == nil || !strings.Contains(err.Error(), "with envVar") {
> > ++ if err := admissiontesting.WithReinvocationTesting(t, admit).Admit(context.TODO(), attrs, nil); err == nil || !strings.Contains(err.Error(), "with envFrom") {
> > + t.Errorf("Unexpected error: %v", err)
> > + }
> > +
> > +@@ -679,6 +734,30 @@ func TestRejectsUnreferencedSecretVolumes(t *testing.T) {
> > + t.Errorf("validate only enforces restrictions on secret mounts when operation==create and subresource==''. Unexpected error: %v", err)
> > + }
> > +
> > ++ pod2 = &api.Pod{
> > ++ Spec: api.PodSpec{
> > ++ ServiceAccountName: DefaultServiceAccountName,
> > ++ InitContainers: []api.Container{
> > ++ {
> > ++ Name: "container-1",
> > ++ EnvFrom: []api.EnvFromSource{
> > ++ {
> > ++ SecretRef: &api.SecretEnvSource{
> > ++ LocalObjectReference: api.LocalObjectReference{
> > ++ Name: "foo"}}}},
> > ++ },
> > ++ },
> > ++ },
> > ++ }
> > ++ attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "", admission.Update, &metav1.UpdateOptions{}, false, nil)
> > ++ if err := admissiontesting.WithReinvocationTesting(t, admit).Admit(context.TODO(), attrs, nil); err != nil {
> > ++ t.Errorf("admit only enforces restrictions on secret mounts when operation==create. Unexpected error: %v", err)
> > ++ }
> > ++ attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "", admission.Create, &metav1.CreateOptions{}, false, nil)
> > ++ if err := admit.Validate(context.TODO(), attrs, nil); err == nil || !strings.Contains(err.Error(), "with envFrom") {
> > ++ t.Errorf("validate only enforces restrictions on secret mounts when operation==create and subresource==''. Unexpected error: %v", err)
> > ++ }
> > ++
> > + pod2 = &api.Pod{
> > + Spec: api.PodSpec{
> > + ServiceAccountName: DefaultServiceAccountName,
> > +@@ -709,6 +788,27 @@ func TestRejectsUnreferencedSecretVolumes(t *testing.T) {
> > + if err := admit.Validate(context.TODO(), attrs, nil); err == nil || !strings.Contains(err.Error(), "with envVar") {
> > + t.Errorf("validate enforces restrictions on secret mounts when operation==update and subresource==ephemeralcontainers. Unexpected error: %v", err)
> > + }
> > ++
> > ++ pod2 = &api.Pod{
> > ++ Spec: api.PodSpec{
> > ++ ServiceAccountName: DefaultServiceAccountName,
> > ++ EphemeralContainers: []api.EphemeralContainer{
> > ++ {
> > ++ EphemeralContainerCommon: api.EphemeralContainerCommon{
> > ++ Name: "container-2",
> > ++ EnvFrom: []api.EnvFromSource{{
> > ++ SecretRef: &api.SecretEnvSource{
> > ++ LocalObjectReference: api.LocalObjectReference{
> > ++ Name: "foo"}}}},
> > ++ },
> > ++ },
> > ++ },
> > ++ },
> > ++ }
> > ++ attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "ephemeralcontainers", admission.Update, &metav1.UpdateOptions{}, false, nil)
> > ++ if err := admit.Validate(context.TODO(), attrs, nil); err == nil || !strings.Contains(err.Error(), "with envFrom") {
> > ++ t.Errorf("validate enforces restrictions on secret mounts when operation==update and subresource==ephemeralcontainers. Unexpected error: %v", err)
> > ++ }
> > + }
> > +
> > + func TestAllowUnreferencedSecretVolumesForPermissiveSAs(t *testing.T) {
> > diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb
> > index b0c87c47..78d1cd2a 100644
> > --- a/recipes-containers/kubernetes/kubernetes_git.bb
> > +++ b/recipes-containers/kubernetes/kubernetes_git.bb
> > @@ -35,6 +35,7 @@ SRC_URI:append = " \
> > file://cni-containerd-net.conflist \
> > file://k8s-init \
> > file://99-kubernetes.conf \
> > + file://CVE-2024-3177.patch \
> > "
> >
> > DEPENDS += "rsync-native \
> > --
> > 2.35.7
> >
>
> >
> >
> >
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#8720): https://lists.yoctoproject.org/g/meta-virtualization/message/8720
> Mute This Topic: https://lists.yoctoproject.org/mt/105882014/3617156
> Group Owner: meta-virtualization+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [martin.jansa@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2024-05-17 6:18 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-05-03 3:49 [meta-virtualization][kirkstone][PATCH] kubernetes: Backport fix for CVE-2024-3177 Ashish Sharma
2024-05-14 2:28 ` Bruce Ashfield
2024-05-17 6:18 ` Martin Jansa
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.