From: Bruce Ashfield <bruce.ashfield@gmail.com>
To: vanusuri@mvista.com
Cc: meta-virtualization@lists.yoctoproject.org
Subject: Re: [meta-virtualization] [meta-vitualization][scarthgap][patch v2] kubernetes: Fix CVE-2024-3177
Date: Tue, 6 Jan 2026 14:41:48 -0500 [thread overview]
Message-ID: <aV1lfNwXKBg8NQZL@gmail.com> (raw)
In-Reply-To: <20251211065326.61303-1-vanusuri@mvista.com>
merged.
Bruce
In message: [meta-virtualization] [meta-vitualization][scarthgap][patch v2] kubernetes: Fix CVE-2024-3177
on 11/12/2025 Vijay Anusuri via lists.yoctoproject.org wrote:
> Upstream-commit: https://github.com/kubernetes/kubernetes/commit/34546f4725df0d5493b4e18e3229d3ed201fe260
>
> Reference: https://github.com/kubernetes/kubernetes/issues/124336
>
> Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> ---
> .../kubernetes/kubernetes/CVE-2024-3177.patch | 237 ++++++++++++++++++
> .../kubernetes/kubernetes_git.bb | 1 +
> 2 files changed, 238 insertions(+)
> create mode 100644 recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch
>
> diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch b/recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch
> new file mode 100644
> index 00000000..e6b2c6c4
> --- /dev/null
> +++ b/recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch
> @@ -0,0 +1,237 @@
> +From 34546f4725df0d5493b4e18e3229d3ed201fe260 Mon Sep 17 00:00:00 2001
> +From: Rita Zhang <rita.z.zhang@gmail.com>
> +Date: Mon, 25 Mar 2024 10:33:41 -0700
> +Subject: [PATCH] Add envFrom to serviceaccount admission plugin
> +
> +Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
> +
> +Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/34546f4725df0d5493b4e18e3229d3ed201fe260]
> +CVE: CVE-2024-3177
> +Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
> +---
> + .../pkg/admission/serviceaccount/admission.go | 21 +++
> + .../serviceaccount/admission_test.go | 122 ++++++++++++++++--
> + 2 files changed, 132 insertions(+), 11 deletions(-)
> +
> +diff --git a/plugin/pkg/admission/serviceaccount/admission.go b/plugin/pkg/admission/serviceaccount/admission.go
> +index c844a051c24b3..3f4338128e53c 100644
> +--- a/plugin/pkg/admission/serviceaccount/admission.go
> ++++ b/plugin/pkg/admission/serviceaccount/admission.go
> +@@ -337,6 +337,13 @@ func (s *Plugin) limitSecretReferences(serviceAccount *corev1.ServiceAccount, po
> + }
> + }
> + }
> ++ for _, envFrom := range container.EnvFrom {
> ++ if envFrom.SecretRef != nil {
> ++ if !mountableSecrets.Has(envFrom.SecretRef.Name) {
> ++ return fmt.Errorf("init container %s with envFrom referencing secret.secretName=\"%s\" is not allowed because service account %s does not reference that secret", container.Name, envFrom.SecretRef.Name, serviceAccount.Name)
> ++ }
> ++ }
> ++ }
> + }
> +
> + for _, container := range pod.Spec.Containers {
> +@@ -347,6 +354,13 @@ func (s *Plugin) limitSecretReferences(serviceAccount *corev1.ServiceAccount, po
> + }
> + }
> + }
> ++ for _, envFrom := range container.EnvFrom {
> ++ if envFrom.SecretRef != nil {
> ++ if !mountableSecrets.Has(envFrom.SecretRef.Name) {
> ++ return fmt.Errorf("container %s with envFrom referencing secret.secretName=\"%s\" is not allowed because service account %s does not reference that secret", container.Name, envFrom.SecretRef.Name, serviceAccount.Name)
> ++ }
> ++ }
> ++ }
> + }
> +
> + // limit pull secret references as well
> +@@ -388,6 +402,13 @@ func (s *Plugin) limitEphemeralContainerSecretReferences(pod *api.Pod, a admissi
> + }
> + }
> + }
> ++ for _, envFrom := range container.EnvFrom {
> ++ if envFrom.SecretRef != nil {
> ++ if !mountableSecrets.Has(envFrom.SecretRef.Name) {
> ++ return fmt.Errorf("ephemeral container %s with envFrom referencing secret.secretName=\"%s\" is not allowed because service account %s does not reference that secret", container.Name, envFrom.SecretRef.Name, serviceAccount.Name)
> ++ }
> ++ }
> ++ }
> + }
> + return nil
> + }
> +diff --git a/plugin/pkg/admission/serviceaccount/admission_test.go b/plugin/pkg/admission/serviceaccount/admission_test.go
> +index b5155f5cd33e6..01b08da455f47 100644
> +--- a/plugin/pkg/admission/serviceaccount/admission_test.go
> ++++ b/plugin/pkg/admission/serviceaccount/admission_test.go
> +@@ -520,6 +520,25 @@ func TestAllowsReferencedSecret(t *testing.T) {
> + t.Errorf("Unexpected error: %v", err)
> + }
> +
> ++ pod2 = &api.Pod{
> ++ Spec: api.PodSpec{
> ++ Containers: []api.Container{
> ++ {
> ++ Name: "container-1",
> ++ EnvFrom: []api.EnvFromSource{
> ++ {
> ++ SecretRef: &api.SecretEnvSource{
> ++ LocalObjectReference: api.LocalObjectReference{
> ++ Name: "foo"}}}},
> ++ },
> ++ },
> ++ },
> ++ }
> ++ attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "", admission.Create, &metav1.CreateOptions{}, false, nil)
> ++ if err := admissiontesting.WithReinvocationTesting(t, admit).Admit(context.TODO(), attrs, nil); err != nil {
> ++ t.Errorf("Unexpected error: %v", err)
> ++ }
> ++
> + pod2 = &api.Pod{
> + Spec: api.PodSpec{
> + InitContainers: []api.Container{
> +@@ -544,6 +563,25 @@ func TestAllowsReferencedSecret(t *testing.T) {
> + t.Errorf("Unexpected error: %v", err)
> + }
> +
> ++ pod2 = &api.Pod{
> ++ Spec: api.PodSpec{
> ++ InitContainers: []api.Container{
> ++ {
> ++ Name: "container-1",
> ++ EnvFrom: []api.EnvFromSource{
> ++ {
> ++ SecretRef: &api.SecretEnvSource{
> ++ LocalObjectReference: api.LocalObjectReference{
> ++ Name: "foo"}}}},
> ++ },
> ++ },
> ++ },
> ++ }
> ++ attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "", admission.Create, &metav1.CreateOptions{}, false, nil)
> ++ if err := admissiontesting.WithReinvocationTesting(t, admit).Admit(context.TODO(), attrs, nil); err != nil {
> ++ t.Errorf("Unexpected error: %v", err)
> ++ }
> ++
> + pod2 = &api.Pod{
> + Spec: api.PodSpec{
> + ServiceAccountName: DefaultServiceAccountName,
> +@@ -571,6 +609,28 @@ func TestAllowsReferencedSecret(t *testing.T) {
> + if err := admit.Validate(context.TODO(), attrs, nil); err != nil {
> + t.Errorf("Unexpected error: %v", err)
> + }
> ++
> ++ pod2 = &api.Pod{
> ++ Spec: api.PodSpec{
> ++ ServiceAccountName: DefaultServiceAccountName,
> ++ EphemeralContainers: []api.EphemeralContainer{
> ++ {
> ++ EphemeralContainerCommon: api.EphemeralContainerCommon{
> ++ Name: "container-2",
> ++ EnvFrom: []api.EnvFromSource{{
> ++ SecretRef: &api.SecretEnvSource{
> ++ LocalObjectReference: api.LocalObjectReference{
> ++ Name: "foo"}}}},
> ++ },
> ++ },
> ++ },
> ++ },
> ++ }
> ++ // validate enforces restrictions on secret mounts when operation==update and subresource==ephemeralcontainers"
> ++ attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "ephemeralcontainers", admission.Update, &metav1.UpdateOptions{}, false, nil)
> ++ if err := admit.Validate(context.TODO(), attrs, nil); err != nil {
> ++ t.Errorf("Unexpected error: %v", err)
> ++ }
> + }
> +
> + func TestRejectsUnreferencedSecretVolumes(t *testing.T) {
> +@@ -627,25 +687,20 @@ func TestRejectsUnreferencedSecretVolumes(t *testing.T) {
> +
> + pod2 = &api.Pod{
> + Spec: api.PodSpec{
> +- InitContainers: []api.Container{
> ++ Containers: []api.Container{
> + {
> + Name: "container-1",
> +- Env: []api.EnvVar{
> ++ EnvFrom: []api.EnvFromSource{
> + {
> +- Name: "env-1",
> +- ValueFrom: &api.EnvVarSource{
> +- SecretKeyRef: &api.SecretKeySelector{
> +- LocalObjectReference: api.LocalObjectReference{Name: "foo"},
> +- },
> +- },
> +- },
> +- },
> ++ SecretRef: &api.SecretEnvSource{
> ++ LocalObjectReference: api.LocalObjectReference{
> ++ Name: "foo"}}}},
> + },
> + },
> + },
> + }
> + attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "", admission.Create, &metav1.CreateOptions{}, false, nil)
> +- if err := admissiontesting.WithReinvocationTesting(t, admit).Admit(context.TODO(), attrs, nil); err == nil || !strings.Contains(err.Error(), "with envVar") {
> ++ if err := admissiontesting.WithReinvocationTesting(t, admit).Admit(context.TODO(), attrs, nil); err == nil || !strings.Contains(err.Error(), "with envFrom") {
> + t.Errorf("Unexpected error: %v", err)
> + }
> +
> +@@ -678,6 +733,30 @@ func TestRejectsUnreferencedSecretVolumes(t *testing.T) {
> + t.Errorf("validate only enforces restrictions on secret mounts when operation==create and subresource==''. Unexpected error: %v", err)
> + }
> +
> ++ pod2 = &api.Pod{
> ++ Spec: api.PodSpec{
> ++ ServiceAccountName: DefaultServiceAccountName,
> ++ InitContainers: []api.Container{
> ++ {
> ++ Name: "container-1",
> ++ EnvFrom: []api.EnvFromSource{
> ++ {
> ++ SecretRef: &api.SecretEnvSource{
> ++ LocalObjectReference: api.LocalObjectReference{
> ++ Name: "foo"}}}},
> ++ },
> ++ },
> ++ },
> ++ }
> ++ attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "", admission.Update, &metav1.UpdateOptions{}, false, nil)
> ++ if err := admissiontesting.WithReinvocationTesting(t, admit).Admit(context.TODO(), attrs, nil); err != nil {
> ++ t.Errorf("admit only enforces restrictions on secret mounts when operation==create. Unexpected error: %v", err)
> ++ }
> ++ attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "", admission.Create, &metav1.CreateOptions{}, false, nil)
> ++ if err := admit.Validate(context.TODO(), attrs, nil); err == nil || !strings.Contains(err.Error(), "with envFrom") {
> ++ t.Errorf("validate only enforces restrictions on secret mounts when operation==create and subresource==''. Unexpected error: %v", err)
> ++ }
> ++
> + pod2 = &api.Pod{
> + Spec: api.PodSpec{
> + ServiceAccountName: DefaultServiceAccountName,
> +@@ -708,6 +787,27 @@ func TestRejectsUnreferencedSecretVolumes(t *testing.T) {
> + if err := admit.Validate(context.TODO(), attrs, nil); err == nil || !strings.Contains(err.Error(), "with envVar") {
> + t.Errorf("validate enforces restrictions on secret mounts when operation==update and subresource==ephemeralcontainers. Unexpected error: %v", err)
> + }
> ++
> ++ pod2 = &api.Pod{
> ++ Spec: api.PodSpec{
> ++ ServiceAccountName: DefaultServiceAccountName,
> ++ EphemeralContainers: []api.EphemeralContainer{
> ++ {
> ++ EphemeralContainerCommon: api.EphemeralContainerCommon{
> ++ Name: "container-2",
> ++ EnvFrom: []api.EnvFromSource{{
> ++ SecretRef: &api.SecretEnvSource{
> ++ LocalObjectReference: api.LocalObjectReference{
> ++ Name: "foo"}}}},
> ++ },
> ++ },
> ++ },
> ++ },
> ++ }
> ++ attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "ephemeralcontainers", admission.Update, &metav1.UpdateOptions{}, false, nil)
> ++ if err := admit.Validate(context.TODO(), attrs, nil); err == nil || !strings.Contains(err.Error(), "with envFrom") {
> ++ t.Errorf("validate enforces restrictions on secret mounts when operation==update and subresource==ephemeralcontainers. Unexpected error: %v", err)
> ++ }
> + }
> +
> + func TestAllowUnreferencedSecretVolumesForPermissiveSAs(t *testing.T) {
> diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb
> index 5339371c..ab322306 100644
> --- a/recipes-containers/kubernetes/kubernetes_git.bb
> +++ b/recipes-containers/kubernetes/kubernetes_git.bb
> @@ -36,6 +36,7 @@ SRC_URI:append = " \
> file://99-kubernetes.conf \
> file://CVE-2025-5187.patch \
> file://CVE-2024-10220.patch \
> + file://CVE-2024-3177.patch \
> "
>
> DEPENDS += "rsync-native \
> --
> 2.43.0
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#9479): https://lists.yoctoproject.org/g/meta-virtualization/message/9479
> Mute This Topic: https://lists.yoctoproject.org/mt/116725677/1050810
> Group Owner: meta-virtualization+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
prev parent reply other threads:[~2026-01-06 19:42 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-11 6:53 [meta-vitualization][scarthgap][patch v2] kubernetes: Fix CVE-2024-3177 Vijay Anusuri
2026-01-06 19:41 ` Bruce Ashfield [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aV1lfNwXKBg8NQZL@gmail.com \
--to=bruce.ashfield@gmail.com \
--cc=meta-virtualization@lists.yoctoproject.org \
--cc=vanusuri@mvista.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox