diff --git a/0001-fix-compile-options.patch b/0001-fix-compile-options.patch
new file mode 100644
index 0000000..d30d915
--- /dev/null
+++ b/0001-fix-compile-options.patch
@@ -0,0 +1,42 @@
+From 6f69a95a25dc6fb1b3d0e024cb28f5c83022dc58 Mon Sep 17 00:00:00 2001
+From: zhangxiaoyu
+Date: Tue, 3 Jan 2023 14:19:44 +0800
+Subject: fix compile options
+
+Signed-off-by: zhangxiaoyu
+---
+ hack/lib/golang.sh | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/hack/lib/golang.sh b/hack/lib/golang.sh
+index 2865da28..ed64483e 100755
+--- a/hack/lib/golang.sh
++++ b/hack/lib/golang.sh
+@@ -709,6 +709,7 @@ kube::golang::build_binaries_for_platform() {
+ -installsuffix=static
+ ${goflags:+"${goflags[@]}"}
+ -gcflags="${gogcflags}"
++ -buildmode=pie
+ -asmflags="${goasmflags}"
+ -ldflags="${goldflags}"
+ -tags="${gotags:-}"
+@@ -720,6 +721,7 @@ kube::golang::build_binaries_for_platform() {
+ build_args=(
+ ${goflags:+"${goflags[@]}"}
+ -gcflags="${gogcflags}"
++ -buildmode=pie
+ -asmflags="${goasmflags}"
+ -ldflags="${goldflags}"
+ -tags="${gotags:-}"
+@@ -808,7 +810,7 @@ kube::golang::build_binaries() {
+ gogcflags="${gogcflags} -N -l"
+ fi
+
+- goldflags="all=$(kube::version::ldflags) ${GOLDFLAGS:-}"
++ goldflags="all=$(kube::version::ldflags) ${GOLDFLAGS:-} -linkmode=external"
+ if [[ "${DBG:-}" != 1 ]]; then
+ # Not debugging - disable symbols and DWARF.
+ goldflags="${goldflags} -s -w"
+--
+2.25.1
+
diff --git a/0002-fix-compile-options.patch b/0002-fix-compile-options.patch
deleted file mode 100644
index b63b9ba..0000000
--- a/0002-fix-compile-options.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 64a21ff088bc4271f596cd1e622d50293eb9566a Mon Sep 17 00:00:00 2001
-From: WangFengTu
-Date: Mon, 22 Mar 2021 14:31:00 +0800
-Subject: [PATCH] fix compile options
-
-Signed-off-by: WangFengTu
----
- hack/lib/golang.sh | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/hack/lib/golang.sh b/hack/lib/golang.sh
-index bef1d837..6d467a8e 100755
---- a/hack/lib/golang.sh
-+++ b/hack/lib/golang.sh
-@@ -701,6 +701,7 @@ kube::golang::build_binaries_for_platform() {
- -installsuffix static
- ${goflags:+"${goflags[@]}"}
- -gcflags "${gogcflags:-}"
-+ -buildmode=pie
- -asmflags "${goasmflags:-}"
- -ldflags "${goldflags:-}"
- -tags "${gotags:-}"
-@@ -712,6 +713,7 @@ kube::golang::build_binaries_for_platform() {
- build_args=(
- ${goflags:+"${goflags[@]}"}
- -gcflags "${gogcflags:-}"
-+ -buildmode=pie
- -asmflags "${goasmflags:-}"
- -ldflags "${goldflags:-}"
- -tags "${gotags:-}"
-@@ -787,7 +789,7 @@ kube::golang::build_binaries() {
- # Disable SC2153 for this, as it will throw a warning that the local
- # variable goldflags will exist, and it suggest changing it to this.
- # shellcheck disable=SC2153
-- goldflags="${GOLDFLAGS=-s -w -buildid=} $(kube::version::ldflags)"
-+ goldflags="${GOLDFLAGS=-s -w -buildid=} $(kube::version::ldflags) -linkmode=external"
- goasmflags="-trimpath=${KUBE_ROOT}"
- gogcflags="${GOGCFLAGS:-} -trimpath=${KUBE_ROOT}"
-
---
-2.25.1
-
diff --git a/0001-kubelet-support-exec-websocket-protocol.patch b/0002-kubelet-support-exec-and-attach-websocket-protocol.patch
similarity index 74%
rename from 0001-kubelet-support-exec-websocket-protocol.patch
rename to 0002-kubelet-support-exec-and-attach-websocket-protocol.patch
index ad08e35..9c16e4b 100644
--- a/0001-kubelet-support-exec-websocket-protocol.patch
+++ b/0002-kubelet-support-exec-and-attach-websocket-protocol.patch
@@ -1,21 +1,21 @@
-From ac8fda0c77cb588f59aff7c86c05933a7a2d77c4 Mon Sep 17 00:00:00 2001
-From: gaohuatao
-Date: Wed, 3 Feb 2021 14:59:37 +0800
-Subject: [PATCH] kubelet support exec websocket protocol
+From 2bdde6764d529d9f0633178b171aa193280d6ecb Mon Sep 17 00:00:00 2001
+From: zhangxiaoyu
+Date: Tue, 3 Jan 2023 14:20:10 +0800
+Subject: kubelet support exec and attach websocket protocol
 
-Signed-off-by: gaohuatao
+Signed-off-by: zhangxiaoyu
 ---
- .../cri/streaming/remotecommand/proxy.go | 197 ++++++++++++++++++
- pkg/kubelet/server/server.go | 21 +-
- 2 files changed, 214 insertions(+), 4 deletions(-)
+ .../cri/streaming/remotecommand/proxy.go | 206 ++++++++++++++++++
+ pkg/kubelet/server/server.go | 43 +++-
+ 2 files changed, 241 insertions(+), 8 deletions(-)
 create mode 100644 pkg/kubelet/cri/streaming/remotecommand/proxy.go
 
 diff --git a/pkg/kubelet/cri/streaming/remotecommand/proxy.go b/pkg/kubelet/cri/streaming/remotecommand/proxy.go
 new file mode 100644
-index 00000000..5b99747c
+index 00000000..f21629af
 --- /dev/null
 +++ b/pkg/kubelet/cri/streaming/remotecommand/proxy.go
-@@ -0,0 +1,197 @@
+@@ -0,0 +1,206 @@
 +package remotecommand
 +
 +import (
@@ -187,14 +187,23 @@ index 00000000..5b99747c
 + websocket.DefaultDialer.ReadBufferSize = 128 * 1024
 + websocket.DefaultDialer.WriteBufferSize = 128 * 1024
 + ws, resp, err := websocket.DefaultDialer.Dial(addr, h)
-+ if err != nil {
++ if err == nil {
++ return ws, nil
++ }
++ msg := fmt.Errorf("dial failed: %v, response Body is nil", err)
++ if resp != nil && resp.Body != nil {
++ defer func() {
++ //websocket buffer size maybe not enough and cause panic
++ if e := recover(); e != nil {
++ msg = fmt.Errorf("dial failed: %v, response panic %v", err, e)
++ }
++ resp.Body.Close()
++ }()
 + var body bytes.Buffer
 + body.ReadFrom(resp.Body)
-+ defer resp.Body.Close()
-+ msg := fmt.Errorf("dial failed: %v, response is: %v", err, body.String())
-+ return nil, msg
++ msg = fmt.Errorf("dial failed: %v, response is: %v", err, body.String())
 + }
-+ return ws, nil
++ return nil, msg
 +}
 +
 +type rwc struct {
@@ -214,10 +223,53 @@ index 00000000..5b99747c
 + return len(p), nil
 +}
 diff --git a/pkg/kubelet/server/server.go b/pkg/kubelet/server/server.go
-index 2b033e2c..1d19fed6 100644
+index 127192e0..cd11f807 100644
 --- a/pkg/kubelet/server/server.go
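Review bot: The value the new deferred closure stores in `msg` after `recover()` never reaches the caller: unless the signature above this hunk names its results, a recovered panic makes the function return its zero results, so when `body.ReadFrom` panics the `return nil, msg` line is skipped and the caller presumably receives `nil, nil` — a failed handshake reported as a live connection. Name the results in the signature (the enclosing function starts outside the hunk), e.g. `(conn *websocket.Conn, retErr error)`, and have the recover branch assign `retErr = fmt.Errorf("dial failed: %v, response panic %v", err, e)` rather than the local `msg`. The `body.ReadFrom(resp.Body)` call also discards its error and reads the handshake-failure body without a bound; reading through `io.LimitReader(resp.Body, limit)` with a small cap keeps an oversized or malformed response from being buffered whole into an error string.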
 +++ b/pkg/kubelet/server/server.go
-@@ -782,26 +782,39 @@ func (s *Server) getAttach(request *restful.Request, response *restful.Response)
+@@ -769,51 +769,78 @@ func proxyStream(w http.ResponseWriter, r *http.Request, url *url.URL) {
 +
 + // getAttach handles requests to attach to a container.
 + func (s *Server) getAttach(request *restful.Request, response *restful.Response) {
 +- params := getExecRequestParams(request)
 + streamOpts, err := remotecommandserver.NewOptions(request.Request)
 + if err != nil {
 + utilruntime.HandleError(err)
 + response.WriteError(http.StatusBadRequest, err)
 + return
 + }
++
++ url, err := s.getAttachUrl(request, response, streamOpts)
++ if err != nil {
++ klog.Errorf("failed to get backend url %v", err)
++ return
++ }
++ if url.Scheme == "ws" || url.Scheme == "wss" {
++ remotecommandserver.ProxyToWebSocket(response.ResponseWriter, request.Request, url, streamOpts)
++ } else {
++ proxyStream(response.ResponseWriter, request.Request, url)
++ }
++}
++
++func (s *Server) getAttachUrl(request *restful.Request, response *restful.Response, streamOpts *remotecommandserver.Options) (*url.URL, error) {
++ params := getExecRequestParams(request)
 + pod, ok := s.host.GetPodByName(params.podNamespace, params.podName)
 + if !ok {
 + response.WriteError(http.StatusNotFound, fmt.Errorf("pod does not exist"))
 +- return
++ return nil, fmt.Errorf("pod not found")
 + }
 +
 + podFullName := kubecontainer.GetPodFullName(pod)
 + url, err := s.host.GetAttach(podFullName, params.podUID, params.containerName, *streamOpts)
 + if err != nil {
 + streaming.WriteError(err, response.ResponseWriter)
 +- return
++ return nil, err
 + }
 +
 +- proxyStream(response.ResponseWriter, request.Request, url)
++ return url, nil
 + }
  
  // getExec handles requests to run a command inside a container.
  func (s *Server) getExec(request *restful.Request, response *restful.Response) {
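Review bot: `getAttachUrl` departs from the Go initialism convention used elsewhere in this file (`url.URL`, `http.ResponseWriter`) and should be `getAttachURL` at its definition and at the call in `getAttach`. The helper also reports each failure twice with different wording: it writes `pod does not exist` to the response, then returns `fmt.Errorf("pod not found")`, which `getAttach` logs again with `klog.Errorf` at error level, so a client-caused 404 shows up in the kubelet log as a server error. Either return the error already sent to the client (`err := fmt.Errorf("pod does not exist"); response.WriteError(http.StatusNotFound, err); return nil, err`) or drop the caller-side `klog.Errorf` and keep the bare `return`, matching how the original `getAttach` behaved after writing its response. The hunk ends on the signature of `getExec`, whose body continues outside it.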
@@ -262,5 +314,5 @@ index 2b033e2c..1d19fed6 100644 // getRun handles requests to run a command inside a container. -- -2.20.1 +2.25.1 diff --git a/0003-fix-CVE-2021-25735.patch b/0003-fix-CVE-2021-25735.patch deleted file mode 100644 index 98e3e40..0000000 --- a/0003-fix-CVE-2021-25735.patch +++ /dev/null 
@@ -1,394 +0,0 @@ -Reference: https://github.com/kubernetes/kubernetes/pull/100315/files - -diff --git a/pkg/apis/apps/validation/validation.go b/pkg/apis/apps/validation/validation.go -index e297c8a..ef784d6 100644 ---- a/pkg/apis/apps/validation/validation.go -+++ b/pkg/apis/apps/validation/validation.go -@@ -144,21 +144,15 @@ func ValidateStatefulSet(statefulSet *apps.StatefulSet) field.ErrorList { - func ValidateStatefulSetUpdate(statefulSet, oldStatefulSet *apps.StatefulSet) field.ErrorList { - allErrs := apivalidation.ValidateObjectMetaUpdate(&statefulSet.ObjectMeta, &oldStatefulSet.ObjectMeta, field.NewPath("metadata")) - -- restoreReplicas := statefulSet.Spec.Replicas -- statefulSet.Spec.Replicas = oldStatefulSet.Spec.Replicas -- -- restoreTemplate := statefulSet.Spec.Template -- statefulSet.Spec.Template = oldStatefulSet.Spec.Template -- -- restoreStrategy := statefulSet.Spec.UpdateStrategy -- statefulSet.Spec.UpdateStrategy = oldStatefulSet.Spec.UpdateStrategy -- -- if !apiequality.Semantic.DeepEqual(statefulSet.Spec, oldStatefulSet.Spec) { -+ // statefulset updates aren't super common and general updates are likely to be touching spec, so we'll do this -+ // deep copy right away. 
This avoids mutating our inputs -+ newStatefulSetClone := statefulSet.DeepCopy() -+ newStatefulSetClone.Spec.Replicas = oldStatefulSet.Spec.Replicas // +k8s:verify-mutation:reason=clone -+ newStatefulSetClone.Spec.Template = oldStatefulSet.Spec.Template // +k8s:verify-mutation:reason=clone -+ newStatefulSetClone.Spec.UpdateStrategy = oldStatefulSet.Spec.UpdateStrategy // +k8s:verify-mutation:reason=clone -+ if !apiequality.Semantic.DeepEqual(newStatefulSetClone.Spec, oldStatefulSet.Spec) { - allErrs = append(allErrs, field.Forbidden(field.NewPath("spec"), "updates to statefulset spec for fields other than 'replicas', 'template', and 'updateStrategy' are forbidden")) - } -- statefulSet.Spec.Replicas = restoreReplicas -- statefulSet.Spec.Template = restoreTemplate -- statefulSet.Spec.UpdateStrategy = restoreStrategy - - allErrs = append(allErrs, apivalidation.ValidateNonnegativeField(int64(statefulSet.Spec.Replicas), field.NewPath("spec", "replicas"))...) - return allErrs -diff --git a/pkg/apis/core/validation/BUILD b/pkg/apis/core/validation/BUILD -index 70d2bd7..d65041e 100644 ---- a/pkg/apis/core/validation/BUILD -+++ b/pkg/apis/core/validation/BUILD -@@ -41,7 +41,6 @@ go_library( - "//staging/src/k8s.io/apimachinery/pkg/util/validation:go_default_library", - "//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library", - "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library", -- "//vendor/k8s.io/klog/v2:go_default_library", - "//vendor/k8s.io/utils/net:go_default_library", - ], - ) -diff --git a/pkg/apis/core/validation/validation.go b/pkg/apis/core/validation/validation.go -index fd34771..af58e0e 100644 ---- a/pkg/apis/core/validation/validation.go -+++ b/pkg/apis/core/validation/validation.go -@@ -29,8 +29,6 @@ import ( - "unicode" - "unicode/utf8" - -- "k8s.io/klog/v2" -- - v1 "k8s.io/api/core/v1" - apiequality "k8s.io/apimachinery/pkg/api/equality" - "k8s.io/apimachinery/pkg/api/resource" -@@ -1944,13 +1942,11 @@ func 
ValidatePersistentVolumeUpdate(newPv, oldPv *core.PersistentVolume) field.E - } - - // ValidatePersistentVolumeStatusUpdate tests to see if the status update is legal for an end user to make. --// newPv is updated with fields that cannot be changed. - func ValidatePersistentVolumeStatusUpdate(newPv, oldPv *core.PersistentVolume) field.ErrorList { - allErrs := ValidateObjectMetaUpdate(&newPv.ObjectMeta, &oldPv.ObjectMeta, field.NewPath("metadata")) - if len(newPv.ResourceVersion) == 0 { - allErrs = append(allErrs, field.Required(field.NewPath("resourceVersion"), "")) - } -- newPv.Spec = oldPv.Spec - return allErrs - } - -@@ -2023,7 +2019,7 @@ func ValidatePersistentVolumeClaimUpdate(newPvc, oldPvc *core.PersistentVolumeCl - // Claims are immutable in order to enforce quota, range limits, etc. without gaming the system. - if len(oldPvc.Spec.VolumeName) == 0 { - // volumeName changes are allowed once. -- oldPvcClone.Spec.VolumeName = newPvcClone.Spec.VolumeName -+ oldPvcClone.Spec.VolumeName = newPvcClone.Spec.VolumeName // +k8s:verify-mutation:reason=clone - } - - if validateStorageClassUpgrade(oldPvcClone.Annotations, newPvcClone.Annotations, -@@ -2039,7 +2035,7 @@ func ValidatePersistentVolumeClaimUpdate(newPvc, oldPvc *core.PersistentVolumeCl - if utilfeature.DefaultFeatureGate.Enabled(features.ExpandPersistentVolumes) { - // lets make sure storage values are same. 
- if newPvc.Status.Phase == core.ClaimBound && newPvcClone.Spec.Resources.Requests != nil { -- newPvcClone.Spec.Resources.Requests["storage"] = oldPvc.Spec.Resources.Requests["storage"] -+ newPvcClone.Spec.Resources.Requests["storage"] = oldPvc.Spec.Resources.Requests["storage"] // +k8s:verify-mutation:reason=clone - } - - oldSize := oldPvc.Spec.Resources.Requests["storage"] -@@ -2096,7 +2092,6 @@ func ValidatePersistentVolumeClaimStatusUpdate(newPvc, oldPvc *core.PersistentVo - for r, qty := range newPvc.Status.Capacity { - allErrs = append(allErrs, validateBasicResource(qty, capPath.Key(string(r)))...) - } -- newPvc.Spec = oldPvc.Spec - return allErrs - } - -@@ -2419,13 +2414,13 @@ func GetVolumeMountMap(mounts []core.VolumeMount) map[string]string { - } - - func GetVolumeDeviceMap(devices []core.VolumeDevice) map[string]string { -- voldevices := make(map[string]string) -+ volDevices := make(map[string]string) - - for _, dev := range devices { -- voldevices[dev.Name] = dev.DevicePath -+ volDevices[dev.Name] = dev.DevicePath - } - -- return voldevices -+ return volDevices - } - - func ValidateVolumeMounts(mounts []core.VolumeMount, voldevices map[string]string, volumes map[string]core.VolumeSource, container *core.Container, fldPath *field.Path) field.ErrorList { -@@ -3089,10 +3084,11 @@ func validateOnlyAddedTolerations(newTolerations []core.Toleration, oldToleratio - allErrs := field.ErrorList{} - for _, old := range oldTolerations { - found := false -- old.TolerationSeconds = nil -- for _, new := range newTolerations { -- new.TolerationSeconds = nil -- if reflect.DeepEqual(old, new) { -+ oldTolerationClone := old.DeepCopy() -+ for _, newToleration := range newTolerations { -+ // assign to our clone before doing a deep equal so we can allow tolerationseconds to change. 
-+ oldTolerationClone.TolerationSeconds = newToleration.TolerationSeconds // +k8s:verify-mutation:reason=clone -+ if reflect.DeepEqual(*oldTolerationClone, newToleration) { - found = true - break - } -@@ -3970,37 +3966,44 @@ func ValidatePodUpdate(newPod, oldPod *core.Pod, opts PodValidationOptions) fiel - allErrs = append(allErrs, field.Invalid(specPath.Child("activeDeadlineSeconds"), newPod.Spec.ActiveDeadlineSeconds, "must not update from a positive integer to nil value")) - } - -+ // Allow only additions to tolerations updates. -+ allErrs = append(allErrs, validateOnlyAddedTolerations(newPod.Spec.Tolerations, oldPod.Spec.Tolerations, specPath.Child("tolerations"))...) -+ -+ // the last thing to check is pod spec equality. If the pod specs are equal, then we can simply return the errors we have -+ // so far and save the cost of a deep copy. -+ if apiequality.Semantic.DeepEqual(newPod.Spec, oldPod.Spec) { -+ return allErrs -+ } -+ - // handle updateable fields by munging those fields prior to deep equal comparison. 
-- mungedPod := *newPod -+ mungedPodSpec := *newPod.Spec.DeepCopy() - // munge spec.containers[*].image - var newContainers []core.Container -- for ix, container := range mungedPod.Spec.Containers { -- container.Image = oldPod.Spec.Containers[ix].Image -+ for ix, container := range mungedPodSpec.Containers { -+ container.Image = oldPod.Spec.Containers[ix].Image // +k8s:verify-mutation:reason=clone - newContainers = append(newContainers, container) - } -- mungedPod.Spec.Containers = newContainers -+ mungedPodSpec.Containers = newContainers - // munge spec.initContainers[*].image - var newInitContainers []core.Container -- for ix, container := range mungedPod.Spec.InitContainers { -- container.Image = oldPod.Spec.InitContainers[ix].Image -+ for ix, container := range mungedPodSpec.InitContainers { -+ container.Image = oldPod.Spec.InitContainers[ix].Image // +k8s:verify-mutation:reason=clone - newInitContainers = append(newInitContainers, container) - } -- mungedPod.Spec.InitContainers = newInitContainers -+ mungedPodSpec.InitContainers = newInitContainers - // munge spec.activeDeadlineSeconds -- mungedPod.Spec.ActiveDeadlineSeconds = nil -+ mungedPodSpec.ActiveDeadlineSeconds = nil - if oldPod.Spec.ActiveDeadlineSeconds != nil { - activeDeadlineSeconds := *oldPod.Spec.ActiveDeadlineSeconds -- mungedPod.Spec.ActiveDeadlineSeconds = &activeDeadlineSeconds -+ mungedPodSpec.ActiveDeadlineSeconds = &activeDeadlineSeconds - } -+ // tolerations are checked before the deep copy, so munge those too -+ mungedPodSpec.Tolerations = oldPod.Spec.Tolerations // +k8s:verify-mutation:reason=clone - -- // Allow only additions to tolerations updates. -- mungedPod.Spec.Tolerations = oldPod.Spec.Tolerations -- allErrs = append(allErrs, validateOnlyAddedTolerations(newPod.Spec.Tolerations, oldPod.Spec.Tolerations, specPath.Child("tolerations"))...) 
-- -- if !apiequality.Semantic.DeepEqual(mungedPod.Spec, oldPod.Spec) { -+ if !apiequality.Semantic.DeepEqual(mungedPodSpec, oldPod.Spec) { - // This diff isn't perfect, but it's a helluva lot better an "I'm not going to tell you what the difference is". - //TODO: Pinpoint the specific field that causes the invalid error after we have strategic merge diff -- specDiff := diff.ObjectDiff(mungedPod.Spec, oldPod.Spec) -+ specDiff := diff.ObjectDiff(mungedPodSpec, oldPod.Spec) - allErrs = append(allErrs, field.Forbidden(specPath, fmt.Sprintf("pod updates may not change fields other than `spec.containers[*].image`, `spec.initContainers[*].image`, `spec.activeDeadlineSeconds` or `spec.tolerations` (only additions to existing tolerations)\n%v", specDiff))) - } - -@@ -4032,8 +4035,7 @@ func ValidateContainerStateTransition(newStatuses, oldStatuses []core.ContainerS - return allErrs - } - --// ValidatePodStatusUpdate tests to see if the update is legal for an end user to make. newPod is updated with fields --// that cannot be changed. -+// ValidatePodStatusUpdate tests to see if the update is legal for an end user to make. - func ValidatePodStatusUpdate(newPod, oldPod *core.Pod) field.ErrorList { - fldPath := field.NewPath("metadata") - allErrs := ValidateObjectMetaUpdate(&newPod.ObjectMeta, &oldPod.ObjectMeta, fldPath) -@@ -4064,9 +4066,6 @@ func ValidatePodStatusUpdate(newPod, oldPod *core.Pod) field.ErrorList { - } - } - -- // For status update we ignore changes to pod spec. -- newPod.Spec = oldPod.Spec -- - return allErrs - } - -@@ -4754,11 +4753,8 @@ func ValidateNodeUpdate(node, oldNode *core.Node) field.ErrorList { - addresses[address] = true - } - -- if len(oldNode.Spec.PodCIDRs) == 0 { -- // Allow the controller manager to assign a CIDR to a node if it doesn't have one. -- //this is a no op for a string slice. -- oldNode.Spec.PodCIDRs = node.Spec.PodCIDRs -- } else { -+ // Allow the controller manager to assign a CIDR to a node if it doesn't have one. 
-+ if len(oldNode.Spec.PodCIDRs) > 0 { - // compare the entire slice - if len(oldNode.Spec.PodCIDRs) != len(node.Spec.PodCIDRs) { - allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "podCIDRs"), "node updates may not change podCIDR except from \"\" to valid")) -@@ -4772,46 +4768,35 @@ func ValidateNodeUpdate(node, oldNode *core.Node) field.ErrorList { - } - - // Allow controller manager updating provider ID when not set -- if len(oldNode.Spec.ProviderID) == 0 { -- oldNode.Spec.ProviderID = node.Spec.ProviderID -- } else { -- if oldNode.Spec.ProviderID != node.Spec.ProviderID { -- allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "providerID"), "node updates may not change providerID except from \"\" to valid")) -- } -+ if len(oldNode.Spec.ProviderID) > 0 && oldNode.Spec.ProviderID != node.Spec.ProviderID { -+ allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "providerID"), "node updates may not change providerID except from \"\" to valid")) - } - - if node.Spec.ConfigSource != nil { - allErrs = append(allErrs, validateNodeConfigSourceSpec(node.Spec.ConfigSource, field.NewPath("spec", "configSource"))...) - } -- oldNode.Spec.ConfigSource = node.Spec.ConfigSource - if node.Status.Config != nil { - allErrs = append(allErrs, validateNodeConfigStatus(node.Status.Config, field.NewPath("status", "config"))...) - } -- oldNode.Status.Config = node.Status.Config -- -- // TODO: move reset function to its own location -- // Ignore metadata changes now that they have been tested -- oldNode.ObjectMeta = node.ObjectMeta -- // Allow users to update capacity -- oldNode.Status.Capacity = node.Status.Capacity -- // Allow users to unschedule node -- oldNode.Spec.Unschedulable = node.Spec.Unschedulable -- // Clear status -- oldNode.Status = node.Status - - // update taints - if len(node.Spec.Taints) > 0 { - allErrs = append(allErrs, validateNodeTaints(node.Spec.Taints, fldPath.Child("taints"))...) 
- } -- oldNode.Spec.Taints = node.Spec.Taints - -- // We made allowed changes to oldNode, and now we compare oldNode to node. Any remaining differences indicate changes to protected fields. -- // TODO: Add a 'real' error type for this error and provide print actual diffs. -- if !apiequality.Semantic.DeepEqual(oldNode, node) { -- klog.V(4).Infof("Update failed validation %#v vs %#v", oldNode, node) -- allErrs = append(allErrs, field.Forbidden(field.NewPath(""), "node updates may only change labels, taints, or capacity (or configSource, if the DynamicKubeletConfig feature gate is enabled)")) -+ if node.Spec.DoNotUseExternalID != oldNode.Spec.DoNotUseExternalID { -+ allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "externalID"), "may not be updated")) - } - -+ // status and metadata are allowed change (barring restrictions above), so separately test spec field. -+ // spec only has a few fields, so check the ones we don't allow changing -+ // 1. PodCIDRs - immutable after first set - checked above -+ // 2. ProviderID - immutable after first set - checked above -+ // 3. Unschedulable - allowed to change -+ // 4. Taints - allowed to change -+ // 5. ConfigSource - allowed to change (and checked above) -+ // 6. DoNotUseExternalID - immutable - checked above -+ - return allErrs - } - -@@ -5224,10 +5209,6 @@ func ValidateSecret(secret *core.Secret) field.ErrorList { - func ValidateSecretUpdate(newSecret, oldSecret *core.Secret) field.ErrorList { - allErrs := ValidateObjectMetaUpdate(&newSecret.ObjectMeta, &oldSecret.ObjectMeta, field.NewPath("metadata")) - -- if len(newSecret.Type) == 0 { -- newSecret.Type = oldSecret.Type -- } -- - allErrs = append(allErrs, ValidateImmutableField(newSecret.Type, oldSecret.Type, field.NewPath("type"))...) 
- if oldSecret.Immutable != nil && *oldSecret.Immutable { - if newSecret.Immutable == nil || !*newSecret.Immutable { -@@ -5527,7 +5508,6 @@ func ValidateResourceQuantityValue(resource string, value resource.Quantity, fld - } - - // ValidateResourceQuotaUpdate tests to see if the update is legal for an end user to make. --// newResourceQuota is updated with fields that cannot be changed. - func ValidateResourceQuotaUpdate(newResourceQuota, oldResourceQuota *core.ResourceQuota) field.ErrorList { - allErrs := ValidateObjectMetaUpdate(&newResourceQuota.ObjectMeta, &oldResourceQuota.ObjectMeta, field.NewPath("metadata")) - allErrs = append(allErrs, ValidateResourceQuotaSpec(&newResourceQuota.Spec, field.NewPath("spec"))...) -@@ -5546,12 +5526,10 @@ func ValidateResourceQuotaUpdate(newResourceQuota, oldResourceQuota *core.Resour - allErrs = append(allErrs, field.Invalid(fldPath, newResourceQuota.Spec.Scopes, fieldImmutableErrorMsg)) - } - -- newResourceQuota.Status = oldResourceQuota.Status - return allErrs - } - - // ValidateResourceQuotaStatusUpdate tests to see if the status update is legal for an end user to make. --// newResourceQuota is updated with fields that cannot be changed. - func ValidateResourceQuotaStatusUpdate(newResourceQuota, oldResourceQuota *core.ResourceQuota) field.ErrorList { - allErrs := ValidateObjectMetaUpdate(&newResourceQuota.ObjectMeta, &oldResourceQuota.ObjectMeta, field.NewPath("metadata")) - if len(newResourceQuota.ResourceVersion) == 0 { -@@ -5569,7 +5547,6 @@ func ValidateResourceQuotaStatusUpdate(newResourceQuota, oldResourceQuota *core. - allErrs = append(allErrs, ValidateResourceQuotaResourceName(string(k), resPath)...) - allErrs = append(allErrs, ValidateResourceQuantityValue(string(k), v, resPath)...) 
- } -- newResourceQuota.Spec = oldResourceQuota.Spec - return allErrs - } - -@@ -5602,19 +5579,14 @@ func validateKubeFinalizerName(stringValue string, fldPath *field.Path) field.Er - } - - // ValidateNamespaceUpdate tests to make sure a namespace update can be applied. --// newNamespace is updated with fields that cannot be changed - func ValidateNamespaceUpdate(newNamespace *core.Namespace, oldNamespace *core.Namespace) field.ErrorList { - allErrs := ValidateObjectMetaUpdate(&newNamespace.ObjectMeta, &oldNamespace.ObjectMeta, field.NewPath("metadata")) -- newNamespace.Spec.Finalizers = oldNamespace.Spec.Finalizers -- newNamespace.Status = oldNamespace.Status - return allErrs - } - --// ValidateNamespaceStatusUpdate tests to see if the update is legal for an end user to make. newNamespace is updated with fields --// that cannot be changed. -+// ValidateNamespaceStatusUpdate tests to see if the update is legal for an end user to make. - func ValidateNamespaceStatusUpdate(newNamespace, oldNamespace *core.Namespace) field.ErrorList { - allErrs := ValidateObjectMetaUpdate(&newNamespace.ObjectMeta, &oldNamespace.ObjectMeta, field.NewPath("metadata")) -- newNamespace.Spec = oldNamespace.Spec - if newNamespace.DeletionTimestamp.IsZero() { - if newNamespace.Status.Phase != core.NamespaceActive { - allErrs = append(allErrs, field.Invalid(field.NewPath("status", "Phase"), newNamespace.Status.Phase, "may only be 'Active' if `deletionTimestamp` is empty")) -@@ -5628,7 +5600,6 @@ func ValidateNamespaceStatusUpdate(newNamespace, oldNamespace *core.Namespace) f - } - - // ValidateNamespaceFinalizeUpdate tests to see if the update is legal for an end user to make. --// newNamespace is updated with fields that cannot be changed. 
- func ValidateNamespaceFinalizeUpdate(newNamespace, oldNamespace *core.Namespace) field.ErrorList { - allErrs := ValidateObjectMetaUpdate(&newNamespace.ObjectMeta, &oldNamespace.ObjectMeta, field.NewPath("metadata")) - -@@ -5637,7 +5608,6 @@ func ValidateNamespaceFinalizeUpdate(newNamespace, oldNamespace *core.Namespace) - idxPath := fldPath.Index(i) - allErrs = append(allErrs, validateFinalizerName(string(newNamespace.Spec.Finalizers[i]), idxPath)...) - } -- newNamespace.Status = oldNamespace.Status - return allErrs - } - -diff --git a/pkg/registry/core/secret/strategy.go b/pkg/registry/core/secret/strategy.go -index 0d5908d..aad0038 100644 ---- a/pkg/registry/core/secret/strategy.go -+++ b/pkg/registry/core/secret/strategy.go -@@ -73,6 +73,12 @@ func (strategy) AllowCreateOnUpdate() bool { - func (strategy) PrepareForUpdate(ctx context.Context, obj, old runtime.Object) { - newSecret := obj.(*api.Secret) - oldSecret := old.(*api.Secret) -+ -+ // this is weird, but consistent with what the validatedUpdate function used to do. 
-+ if len(newSecret.Type) == 0 { -+ newSecret.Type = oldSecret.Type -+ } -+ - dropDisabledFields(newSecret, oldSecret) - } - -diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/validation/validation.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/validation/validation.go -index e25dd1e..32ae5e9 100644 ---- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/validation/validation.go -+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/validation/validation.go -@@ -1409,7 +1409,7 @@ func validateAPIApproval(newCRD, oldCRD *apiextensions.CustomResourceDefinition, - var oldApprovalState *apihelpers.APIApprovalState - if oldCRD != nil { - t, _ := apihelpers.GetAPIApprovalState(oldCRD.Annotations) -- oldApprovalState = &t -+ oldApprovalState = &t // +k8s:verify-mutation:reason=clone - } - newApprovalState, reason := apihelpers.GetAPIApprovalState(newCRD.Annotations) - diff --git a/0009-timeout-wait-backend-to-frontend-complete.patch b/0003-timeout-wait-backend-to-frontend-complete.patch similarity index 86% rename from 0009-timeout-wait-backend-to-frontend-complete.patch rename to 0003-timeout-wait-backend-to-frontend-complete.patch index 0338bb4..5bb8ae1 100644 --- a/0009-timeout-wait-backend-to-frontend-complete.patch +++ b/0003-timeout-wait-backend-to-frontend-complete.patch @@ -1,7 +1,7 @@ -From dda1aed8f9655c9cac813a3633b27bacdce9af88 Mon Sep 17 00:00:00 2001 +From 61834dbb52cc71a7e511f5b9af11b9799391ef1a Mon Sep 17 00:00:00 2001 From: zhangxiaoyu Date: Tue, 1 Nov 2022 15:34:16 +0800 -Subject: [PATCH] timeout wait backend to frontend complete +Subject: timeout wait backend to frontend complete Signed-off-by: zhangxiaoyu --- @@ -9,7 +9,7 @@ Signed-off-by: zhangxiaoyu 1 file changed, 6 insertions(+) diff --git a/pkg/kubelet/cri/streaming/remotecommand/proxy.go b/pkg/kubelet/cri/streaming/remotecommand/proxy.go -index f21629af..c14ea8dd 100644 +index f21629af..296c6122 100644 
--- a/pkg/kubelet/cri/streaming/remotecommand/proxy.go +++ b/pkg/kubelet/cri/streaming/remotecommand/proxy.go @@ -129,6 +129,12 @@ func ProxyToWebSocket(w http.ResponseWriter, r *http.Request, url *url.URL, opts diff --git a/0007-Add-an-option-for-aggregator.patch b/0004-Add-an-option-for-aggregator.patch similarity index 82% rename from 0007-Add-an-option-for-aggregator.patch rename to 0004-Add-an-option-for-aggregator.patch index 832bb94..01e1bbb 100644 --- a/0007-Add-an-option-for-aggregator.patch +++ b/0004-Add-an-option-for-aggregator.patch @@ -1,23 +1,23 @@ -From 1f72d5d61330dd6b4f1241b96ad44aab5131f7fe Mon Sep 17 00:00:00 2001 +From 978dcb825f2808bd298bfbc6e9c91b1fd7859ba3 Mon Sep 17 00:00:00 2001 From: Di Jin Date: Thu, 1 Sep 2022 15:25:26 -0700 -Subject: [PATCH] Add an option for aggregator +Subject: Add an option for aggregator --- cmd/kube-apiserver/app/aggregator.go | 9 ++- cmd/kube-apiserver/app/options/options.go | 9 ++- - .../app/options/options_test.go | 17 ++-- + .../app/options/options_test.go | 5 +- .../pkg/util/proxy/upgradeaware.go | 27 +++++++ .../pkg/util/proxy/upgradeaware_test.go | 77 +++++++++++++++++++ .../pkg/apiserver/apiserver.go | 7 ++ .../pkg/apiserver/handler_proxy.go | 6 ++ - 7 files changed, 138 insertions(+), 14 deletions(-) + 7 files changed, 132 insertions(+), 8 deletions(-) diff --git a/cmd/kube-apiserver/app/aggregator.go b/cmd/kube-apiserver/app/aggregator.go -index 4289ce48..1ac17065 100644 +index 2466dcc2..9cf23362 100644 --- a/cmd/kube-apiserver/app/aggregator.go +++ b/cmd/kube-apiserver/app/aggregator.go -@@ -109,10 +109,11 @@ func createAggregatorConfig( +@@ -111,10 +111,11 @@ func createAggregatorConfig( SharedInformerFactory: externalInformers, }, ExtraConfig: aggregatorapiserver.ExtraConfig{ @@ -34,10 +34,10 @@ index 4289ce48..1ac17065 100644 } diff --git a/cmd/kube-apiserver/app/options/options.go b/cmd/kube-apiserver/app/options/options.go -index 68a714bf..653179fd 100644 +index 9672b187..794d0d9f 100644 
--- a/cmd/kube-apiserver/app/options/options.go +++ b/cmd/kube-apiserver/app/options/options.go -@@ -79,7 +79,8 @@ type ServerRunOptions struct { +@@ -75,7 +75,8 @@ type ServerRunOptions struct { ProxyClientCertFile string ProxyClientKeyFile string @@ -47,7 +47,7 @@ index 68a714bf..653179fd 100644 MasterCount int EndpointReconcilerType string -@@ -134,7 +135,8 @@ func NewServerRunOptions() *ServerRunOptions { +@@ -131,7 +132,8 @@ func NewServerRunOptions() *ServerRunOptions { }, HTTPTimeout: time.Duration(5) * time.Second, }, @@ -57,7 +57,7 @@ index 68a714bf..653179fd 100644 } // Overwrite the default for storage data format. -@@ -280,6 +282,9 @@ func (s *ServerRunOptions) Flags() (fss cliflag.NamedFlagSets) { +@@ -243,6 +245,9 @@ func (s *ServerRunOptions) Flags() (fss cliflag.NamedFlagSets) { fs.BoolVar(&s.EnableAggregatorRouting, "enable-aggregator-routing", s.EnableAggregatorRouting, "Turns on aggregator routing requests to endpoints IP rather than cluster IP.") @@ -68,27 +68,15 @@ index 68a714bf..653179fd 100644 "Path to the file that contains the current private key of the service account token issuer. The issuer will sign issued ID tokens with this private key.") diff --git a/cmd/kube-apiserver/app/options/options_test.go b/cmd/kube-apiserver/app/options/options_test.go -index 8ad927bb..1f188590 100644 +index 26eb6a95..90e1f045 100644 --- a/cmd/kube-apiserver/app/options/options_test.go 
+++ b/cmd/kube-apiserver/app/options/options_test.go -@@ -299,14 +299,15 @@ func TestAddFlags(t *testing.T) { - EgressSelector: &apiserveroptions.EgressSelectorOptions{ - ConfigFile: "/var/run/kubernetes/egress-selector/connectivity.yaml", +@@ -315,8 +315,9 @@ func TestAddFlags(t *testing.T) { + Traces: &apiserveroptions.TracingOptions{ + ConfigFile: "/var/run/kubernetes/tracing_config.yaml", }, -- EnableLogsHandler: false, -- EnableAggregatorRouting: true, -- ProxyClientKeyFile: "/var/run/kubernetes/proxy.key", -- ProxyClientCertFile: "/var/run/kubernetes/proxy.crt", -- Metrics: &metrics.Options{}, -- Logs: logs.NewOptions(), - IdentityLeaseDurationSeconds: 3600, - IdentityLeaseRenewIntervalSeconds: 10, -+ EnableLogsHandler: false, -+ EnableAggregatorRouting: true, -+ ProxyClientKeyFile: "/var/run/kubernetes/proxy.key", -+ ProxyClientCertFile: "/var/run/kubernetes/proxy.crt", -+ Metrics: &metrics.Options{}, -+ Logs: logs.NewOptions(), + IdentityLeaseDurationSeconds: 3600, + IdentityLeaseRenewIntervalSeconds: 10, + AggregatorRejectForwardingRedirects: true, @@ -96,10 +84,10 @@ index 8ad927bb..1f188590 100644 if !reflect.DeepEqual(expected, s) { diff --git a/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go b/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go -index 43f528d9..4ed108e9 100644 +index f56c17ca..a3a14241 100644 --- a/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go +++ b/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go -@@ -80,6 +80,8 @@ type UpgradeAwareHandler struct { +@@ -83,6 +83,8 @@ type UpgradeAwareHandler struct { MaxBytesPerSec int64 // Responder is passed errors that occur while setting up proxying. Responder ErrorResponder 
@@ -108,7 +96,7 @@ index 43f528d9..4ed108e9 100644 } const defaultFlushInterval = 200 * time.Millisecond -@@ -232,6 +234,31 @@ func (h *UpgradeAwareHandler) ServeHTTP(w http.ResponseWriter, req *http.Request +@@ -257,6 +259,31 @@ func (h *UpgradeAwareHandler) ServeHTTP(w http.ResponseWriter, req *http.Request proxy.Transport = h.Transport proxy.FlushInterval = h.FlushInterval proxy.ErrorLog = log.New(noSuppressPanicError{}, "", log.LstdFlags) @@ -141,10 +129,10 @@ index 43f528d9..4ed108e9 100644 // if an optional error interceptor/responder was provided wire it // the custom responder might be used for providing a unified error reporting diff --git a/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware_test.go b/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware_test.go -index 3f2d41f9..33051ffa 100644 +index f57b69a0..0d77fb11 100644 --- a/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware_test.go +++ b/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware_test.go -@@ -663,6 +663,83 @@ func TestProxyUpgradeErrorResponse(t *testing.T) { +@@ -704,6 +704,83 @@ func TestProxyUpgradeErrorResponse(t *testing.T) { } } @@ -229,10 +217,10 @@ index 3f2d41f9..33051ffa 100644 tests := []struct { name, diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/apiserver.go b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/apiserver.go -index d0ab3186..50a85820 100644 +index e945fb48..133887e1 100644 --- a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/apiserver.go +++ b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/apiserver.go -@@ -80,6 +80,8 @@ type ExtraConfig struct { +@@ -87,6 +87,8 @@ type ExtraConfig struct { // Mechanism by which the Aggregator will resolve services. Required. ServiceResolver ServiceResolver 
@@ -241,7 +229,7 @@ index d0ab3186..50a85820 100644 } // Config represents the configuration needed to create an APIAggregator. -@@ -143,6 +145,9 @@ type APIAggregator struct { +@@ -156,6 +158,9 @@ type APIAggregator struct { // egressSelector selects the proper egress dialer to communicate with the custom apiserver // overwrites proxyTransport dialer if not nil egressSelector *egressselector.EgressSelector @@ -251,15 +239,15 @@ index d0ab3186..50a85820 100644 } // Complete fills in any fields not set that are required to have valid data. It's mutating the receiver. -@@ -194,6 +199,7 @@ func (c completedConfig) NewWithDelegate(delegationTarget genericapiserver.Deleg - openAPIConfig: openAPIConfig, +@@ -213,6 +218,7 @@ func (c completedConfig) NewWithDelegate(delegationTarget genericapiserver.Deleg + openAPIV3Config: c.GenericConfig.OpenAPIV3Config, egressSelector: c.GenericConfig.EgressSelector, proxyCurrentCertKeyContent: func() (bytes []byte, bytes2 []byte) { return nil, nil }, + rejectForwardingRedirects: c.ExtraConfig.RejectForwardingRedirects, } - apiGroupInfo := apiservicerest.NewRESTStorage(c.GenericConfig.MergedResourceConfig, c.GenericConfig.RESTOptionsGetter) -@@ -384,6 +390,7 @@ func (s *APIAggregator) AddAPIService(apiService *v1.APIService) error { + // used later to filter the served resource by those that have expired. +@@ -443,6 +449,7 @@ func (s *APIAggregator) AddAPIService(apiService *v1.APIService) error { proxyTransport: s.proxyTransport, serviceResolver: s.serviceResolver, egressSelector: s.egressSelector, @@ -268,7 +256,7 @@ index d0ab3186..50a85820 100644 proxyHandler.updateAPIService(apiService) if s.openAPIAggregationController != nil { diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy.go b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy.go -index e09f0d1a..a4257420 100644 +index 3a880b6b..e1282f2a 100644 --- a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy.go 
+++ b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy.go @@ -68,6 +68,9 @@ type proxyHandler struct { @@ -281,16 +269,16 @@ index e09f0d1a..a4257420 100644 } type proxyHandlingInfo struct { -@@ -176,6 +179,9 @@ func (r *proxyHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) { +@@ -172,6 +175,9 @@ func (r *proxyHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) { } handler := proxy.NewUpgradeAwareHandler(location, proxyRoundTripper, true, upgrade, &responder{w: w}) + if r.rejectForwardingRedirects { + handler.RejectForwardingRedirects = true + } + utilflowcontrol.RequestDelegated(req.Context()) handler.ServeHTTP(w, newReq) } - -- 2.25.1 diff --git a/0004-fix-CVE-2021-25737.patch b/0004-fix-CVE-2021-25737.patch deleted file mode 100644 index 73a1aba..0000000 --- a/0004-fix-CVE-2021-25737.patch +++ /dev/null 
@@ -1,209 +0,0 @@ -From 9d22c94b7171a9a6ce0d167f6cb25abce2079941 Mon Sep 17 00:00:00 2001 -From: Rob Scott -Date: Fri, 9 Apr 2021 15:24:17 -0700 -Subject: [PATCH] Updating EndpointSlice validation to match Endpoints - validation - -(cherry picked from commit dd95bba6cd1dfec0985d3e1068c12713597cbe4a) ---- - pkg/apis/core/validation/validation.go | 18 +++++---- - pkg/apis/core/validation/validation_test.go | 40 +++++++++++++++++++ - pkg/apis/discovery/validation/validation.go | 2 + - pkg/apis/discovery/validation/validation_test.go | 51 ++++++++++++++++++++++-- - 4 files changed, 101 insertions(+), 10 deletions(-) - -diff --git a/pkg/apis/core/validation/validation.go b/pkg/apis/core/validation/validation.go -index af58e0e..d5e9037 100644 ---- a/pkg/apis/core/validation/validation.go -+++ b/pkg/apis/core/validation/validation.go -@@ -4238,7 +4238,7 @@ func ValidateService(service *core.Service) field.ErrorList { - allErrs = append(allErrs, field.Invalid(idxPath, ip, msgs[i])) - } - } else { -- allErrs = append(allErrs, validateNonSpecialIP(ip, idxPath)...) -+ allErrs = append(allErrs, ValidateNonSpecialIP(ip, idxPath)...) - } - } - -@@ -5673,15 +5673,19 @@ func validateEndpointAddress(address *core.EndpointAddress, fldPath *field.Path) - allErrs = append(allErrs, field.Invalid(fldPath.Child("nodeName"), *address.NodeName, msg)) - } - } -- allErrs = append(allErrs, validateNonSpecialIP(address.IP, fldPath.Child("ip"))...) -+ allErrs = append(allErrs, ValidateNonSpecialIP(address.IP, fldPath.Child("ip"))...) - return allErrs - } - --func validateNonSpecialIP(ipAddress string, fldPath *field.Path) field.ErrorList { -- // We disallow some IPs as endpoints or external-ips. Specifically, -- // unspecified and loopback addresses are nonsensical and link-local -- // addresses tend to be used for node-centric purposes (e.g. metadata -- // service). -+// ValidateNonSpecialIP is used to validate Endpoints, EndpointSlices, and -+// external IPs. 
Specifically, this disallows unspecified and loopback addresses -+// are nonsensical and link-local addresses tend to be used for node-centric -+// purposes (e.g. metadata service). -+// -+// IPv6 references -+// - https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml -+// - https://www.iana.org/assignments/ipv6-multicast-addresses/ipv6-multicast-addresses.xhtml -+func ValidateNonSpecialIP(ipAddress string, fldPath *field.Path) field.ErrorList { - allErrs := field.ErrorList{} - ip := net.ParseIP(ipAddress) - if ip == nil { -diff --git a/pkg/apis/core/validation/validation_test.go b/pkg/apis/core/validation/validation_test.go -index bfdb523..f379cd4 100644 ---- a/pkg/apis/core/validation/validation_test.go -+++ b/pkg/apis/core/validation/validation_test.go -@@ -16915,3 +16915,43 @@ func TestValidatePodTemplateSpecSeccomp(t *testing.T) { - asserttestify.Equal(t, test.expectedErr, err, "TestCase[%d]: %s", i, test.description) - } - } -+ -+func TestValidateNonSpecialIP(t *testing.T) { -+ fp := field.NewPath("ip") -+ -+ // Valid values. -+ for _, tc := range []struct { -+ desc string -+ ip string -+ }{ -+ {"ipv4", "10.1.2.3"}, -+ {"ipv6", "2000::1"}, -+ } { -+ t.Run(tc.desc, func(t *testing.T) { -+ errs := ValidateNonSpecialIP(tc.ip, fp) -+ if len(errs) != 0 { -+ t.Errorf("ValidateNonSpecialIP(%q, ...) = %v; want nil", tc.ip, errs) -+ } -+ }) -+ } -+ // Invalid cases -+ for _, tc := range []struct { -+ desc string -+ ip string -+ }{ -+ {"ipv4 unspecified", "0.0.0.0"}, -+ {"ipv6 unspecified", "::0"}, -+ {"ipv4 localhost", "127.0.0.0"}, -+ {"ipv4 localhost", "127.255.255.255"}, -+ {"ipv6 localhost", "::1"}, -+ {"ipv6 link local", "fe80::"}, -+ {"ipv6 local multicast", "ff02::"}, -+ } { -+ t.Run(tc.desc, func(t *testing.T) { -+ errs := ValidateNonSpecialIP(tc.ip, fp) -+ if len(errs) == 0 { -+ t.Errorf("ValidateNonSpecialIP(%q, ...) 
= nil; want non-nil (errors)", tc.ip) -+ } -+ }) -+ } -+} -diff --git a/pkg/apis/discovery/validation/validation.go b/pkg/apis/discovery/validation/validation.go -index 8499e7a..d1fa4c8 100644 ---- a/pkg/apis/discovery/validation/validation.go -+++ b/pkg/apis/discovery/validation/validation.go -@@ -96,8 +96,10 @@ func validateEndpoints(endpoints []discovery.Endpoint, addrType discovery.Addres - switch addrType { - case discovery.AddressTypeIPv4: - allErrs = append(allErrs, validation.IsValidIPv4Address(addressPath.Index(i), address)...) -+ allErrs = append(allErrs, apivalidation.ValidateNonSpecialIP(address, addressPath.Index(i))...) - case discovery.AddressTypeIPv6: - allErrs = append(allErrs, validation.IsValidIPv6Address(addressPath.Index(i), address)...) -+ allErrs = append(allErrs, apivalidation.ValidateNonSpecialIP(address, addressPath.Index(i))...) - case discovery.AddressTypeFQDN: - allErrs = append(allErrs, validation.IsFullyQualifiedDomainName(addressPath.Index(i), address)...) 
- } -diff --git a/pkg/apis/discovery/validation/validation_test.go b/pkg/apis/discovery/validation/validation_test.go -index 5c7d478..0d944b5 100644 ---- a/pkg/apis/discovery/validation/validation_test.go -+++ b/pkg/apis/discovery/validation/validation_test.go -@@ -52,6 +52,21 @@ func TestValidateEndpointSlice(t *testing.T) { - }}, - }, - }, -+ "good-ipv6": { -+ expectedErrors: 0, -+ endpointSlice: &discovery.EndpointSlice{ -+ ObjectMeta: standardMeta, -+ AddressType: discovery.AddressTypeIPv6, -+ Ports: []discovery.EndpointPort{{ -+ Name: utilpointer.StringPtr("http"), -+ Protocol: protocolPtr(api.ProtocolTCP), -+ }}, -+ Endpoints: []discovery.Endpoint{{ -+ Addresses: []string{"a00:100::4"}, -+ Hostname: utilpointer.StringPtr("valid-123"), -+ }}, -+ }, -+ }, - "good-fqdns": { - expectedErrors: 0, - endpointSlice: &discovery.EndpointSlice{ -@@ -375,7 +390,7 @@ func TestValidateEndpointSlice(t *testing.T) { - }, - }, - "bad-ip": { -- expectedErrors: 1, -+ expectedErrors: 2, - endpointSlice: &discovery.EndpointSlice{ - ObjectMeta: standardMeta, - AddressType: discovery.AddressTypeIPv4, -@@ -390,7 +405,7 @@ func TestValidateEndpointSlice(t *testing.T) { - }, - }, - "bad-ipv4": { -- expectedErrors: 2, -+ expectedErrors: 3, - endpointSlice: &discovery.EndpointSlice{ - ObjectMeta: standardMeta, - AddressType: discovery.AddressTypeIPv4, -@@ -405,7 +420,7 @@ func TestValidateEndpointSlice(t *testing.T) { - }, - }, - "bad-ipv6": { -- expectedErrors: 2, -+ expectedErrors: 4, - endpointSlice: &discovery.EndpointSlice{ - ObjectMeta: standardMeta, - AddressType: discovery.AddressTypeIPv6, -@@ -454,6 +469,36 @@ func TestValidateEndpointSlice(t *testing.T) { - expectedErrors: 3, - endpointSlice: &discovery.EndpointSlice{}, - }, -+ "special-ipv4": { -+ expectedErrors: 1, -+ endpointSlice: &discovery.EndpointSlice{ -+ ObjectMeta: standardMeta, -+ AddressType: discovery.AddressTypeIPv4, -+ Ports: []discovery.EndpointPort{{ -+ Name: utilpointer.StringPtr("http"), -+ Protocol: 
protocolPtr(api.ProtocolTCP), -+ }}, -+ Endpoints: []discovery.Endpoint{{ -+ Addresses: []string{"127.0.0.1"}, -+ Hostname: utilpointer.StringPtr("valid-123"), -+ }}, -+ }, -+ }, -+ "special-ipv6": { -+ expectedErrors: 1, -+ endpointSlice: &discovery.EndpointSlice{ -+ ObjectMeta: standardMeta, -+ AddressType: discovery.AddressTypeIPv6, -+ Ports: []discovery.EndpointPort{{ -+ Name: utilpointer.StringPtr("http"), -+ Protocol: protocolPtr(api.ProtocolTCP), -+ }}, -+ Endpoints: []discovery.Endpoint{{ -+ Addresses: []string{"fe80::9656:d028:8652:66b6"}, -+ Hostname: utilpointer.StringPtr("valid-123"), -+ }}, -+ }, -+ }, - } - - for name, testCase := range testCases { --- -1.8.3.1 - diff --git a/0010-Escape-terminal-special-characters-in-kubectl-112553.patch b/0005-Escape-terminal-special-characters-in-kubectl-112553.patch similarity index 75% rename from 0010-Escape-terminal-special-characters-in-kubectl-112553.patch rename to 0005-Escape-terminal-special-characters-in-kubectl-112553.patch index a1b95e6..ee9b1ec 100644 --- a/0010-Escape-terminal-special-characters-in-kubectl-112553.patch +++ b/0005-Escape-terminal-special-characters-in-kubectl-112553.patch 
@@ -1,53 +1,75 @@ -From a2f7a90f4a71d3eaef19521baa99f27981d7554e Mon Sep 17 00:00:00 2001 -From: zhangxiaoyu -Date: Mon, 28 Nov 2022 10:56:01 +0800 -Subject: [PATCH] Escape terminal special characters in kubectl (#112553) +From ffa3e2336c5f4078c84f8c719c48673c7e5f7290 Mon Sep 17 00:00:00 2001 +From: David Leadbeater +Date: Mon, 31 Oct 2022 01:08:43 +1000 +Subject: Escape terminal special characters in kubectl (#112553) * Escape terminal special characters in kubectl * Add escaping for kubectl alpha events - -Signed-off-by: David Leadbeater --- - .../cli-runtime/pkg/printers/tableprinter.go | 19 ++++++++- + .../cli-runtime/pkg/printers/tableprinter.go | 13 ++++--- + .../pkg/printers/tableprinter_test.go | 12 ++++++ .../cli-runtime/pkg/printers/terminal.go | 39 +++++++++++++++++++ .../kubectl/pkg/cmd/get/customcolumn.go | 2 +- .../kubectl/pkg/cmd/get/customcolumn_test.go | 16 ++++++++ .../k8s.io/kubectl/pkg/describe/describe.go | 7 +++- .../kubectl/pkg/describe/describe_test.go | 19 +++++++++ - 6 files changed, 98 insertions(+), 4 deletions(-) + 7 files changed, 99 insertions(+), 9 deletions(-) create mode 100644 staging/src/k8s.io/cli-runtime/pkg/printers/terminal.go diff --git a/staging/src/k8s.io/cli-runtime/pkg/printers/tableprinter.go b/staging/src/k8s.io/cli-runtime/pkg/printers/tableprinter.go -index 56bd05aa..c6bab0ee 100644 +index 87bc3f41..54859665 100644 --- a/staging/src/k8s.io/cli-runtime/pkg/printers/tableprinter.go 
+++ b/staging/src/k8s.io/cli-runtime/pkg/printers/tableprinter.go -@@ -209,7 +209,24 @@ func printTable(table *metav1.Table, output io.Writer, options PrintOptions) err - fmt.Fprint(output, "\t") - } - if cell != nil { -- fmt.Fprint(output, cell) -+ switch val := cell.(type) { -+ case string: -+ print := val -+ truncated := false +@@ -212,18 +212,19 @@ func printTable(table *metav1.Table, output io.Writer, options PrintOptions) err + case string: + print := val + truncated := false +- // truncate at newlines +- newline := strings.Index(print, "\n") +- if newline >= 0 { + // Truncate at the first newline, carriage return or formfeed + // (treated as a newline by tabwriter). + breakchar := strings.IndexAny(print, "\f\n\r") + if breakchar >= 0 { -+ truncated = true + truncated = true +- print = print[:newline] + print = print[:breakchar] -+ } + } +- fmt.Fprint(output, print) + WriteEscaped(output, print) -+ if truncated { -+ fmt.Fprint(output, "...") -+ } -+ default: + if truncated { + fmt.Fprint(output, "...") + } + default: +- fmt.Fprint(output, val) + WriteEscaped(output, fmt.Sprint(val)) -+ } + } } } - fmt.Fprintln(output) +diff --git a/staging/src/k8s.io/cli-runtime/pkg/printers/tableprinter_test.go b/staging/src/k8s.io/cli-runtime/pkg/printers/tableprinter_test.go +index b2caaa12..edbff3ff 100644 +--- a/staging/src/k8s.io/cli-runtime/pkg/printers/tableprinter_test.go ++++ b/staging/src/k8s.io/cli-runtime/pkg/printers/tableprinter_test.go +@@ -769,6 +769,18 @@ test1 20h This is first line which is long and goes for on and on and on an + }, + expected: `NAME AGE DESCRIPTION + test1 20h This is first... ++`, ++ }, ++ // terminal special character, should be escaped ++ { ++ columns: []metav1.TableColumnDefinition{ ++ {Name: "Name", Type: "string"}, ++ }, ++ rows: []metav1.TableRow{ ++ {Cells: []interface{}{"test1\x1b"}}, ++ }, ++ expected: `NAME ++test1^[ + `, + }, + } 
diff --git a/staging/src/k8s.io/cli-runtime/pkg/printers/terminal.go b/staging/src/k8s.io/cli-runtime/pkg/printers/terminal.go new file mode 100644 index 00000000..5a59491e @@ -134,18 +156,18 @@ index e4fb17a8..de403142 100644 }, } diff --git a/staging/src/k8s.io/kubectl/pkg/describe/describe.go b/staging/src/k8s.io/kubectl/pkg/describe/describe.go -index ba59c191..35253c87 100644 +index 2a8bf9cc..ef8070f1 100644 --- a/staging/src/k8s.io/kubectl/pkg/describe/describe.go +++ b/staging/src/k8s.io/kubectl/pkg/describe/describe.go -@@ -62,6 +62,7 @@ import ( +@@ -65,6 +65,7 @@ import ( "k8s.io/apimachinery/pkg/util/intstr" "k8s.io/apimachinery/pkg/util/sets" "k8s.io/cli-runtime/pkg/genericclioptions" + "k8s.io/cli-runtime/pkg/printers" + runtimeresource "k8s.io/cli-runtime/pkg/resource" "k8s.io/client-go/dynamic" clientset "k8s.io/client-go/kubernetes" - corev1client "k8s.io/client-go/kubernetes/typed/core/v1" -@@ -143,11 +144,13 @@ func (pw *prefixWriter) Write(level int, format string, a ...interface{}) { +@@ -148,11 +149,13 @@ func (pw *prefixWriter) Write(level int, format string, a ...interface{}) { for i := 0; i < level; i++ { prefix += levelSpace } @@ -162,10 +184,10 @@ index ba59c191..35253c87 100644 func (pw *prefixWriter) Flush() { diff --git a/staging/src/k8s.io/kubectl/pkg/describe/describe_test.go b/staging/src/k8s.io/kubectl/pkg/describe/describe_test.go -index 3ef9afdc..b3f31579 100644 +index 7314feb2..5d8f1a0b 100644 --- a/staging/src/k8s.io/kubectl/pkg/describe/describe_test.go +++ b/staging/src/k8s.io/kubectl/pkg/describe/describe_test.go -@@ -4459,3 +4459,22 @@ func TestControllerRef(t *testing.T) { +@@ -5322,3 +5322,22 @@ func TestControllerRef(t *testing.T) { t.Errorf("unexpected out: %s", out) } } diff --git a/0005-fix-CVE-2021-25741.patch b/0005-fix-CVE-2021-25741.patch deleted file mode 100644 index e51dc31..0000000 --- a/0005-fix-CVE-2021-25741.patch +++ /dev/null 
@@ -1,168 +0,0 @@ -From e604f40bcc61048b69654a4f4daa593f6adf7ade Mon Sep 17 00:00:00 2001 -From: Mauricio Poppe -Date: Thu, 5 Aug 2021 22:31:38 +0000 -Subject: [PATCH] Pass additional flags to subpath mount to avoid flakes in - certain conditions - -(cherry picked from commit 8995693db5824a50249760f6b8e686cc1a500bad) -Signed-off-by: leizhongkai ---- - pkg/volume/util/subpath/subpath_linux.go | 3 ++- - staging/src/k8s.io/mount-utils/fake_mounter.go | 4 ++++ - staging/src/k8s.io/mount-utils/mount.go | 2 ++ - staging/src/k8s.io/mount-utils/mount_linux.go | 31 ++++++++++++++++--------- - staging/src/k8s.io/mount-utils/mount_windows.go | 6 +++++ - 5 files changed, 34 insertions(+), 12 deletions(-) - -diff --git a/pkg/volume/util/subpath/subpath_linux.go b/pkg/volume/util/subpath/subpath_linux.go -index c04f0a7..0588f3a 100644 ---- a/pkg/volume/util/subpath/subpath_linux.go -+++ b/pkg/volume/util/subpath/subpath_linux.go -@@ -209,8 +209,9 @@ func doBindSubPath(mounter mount.Interface, subpath Subpath) (hostPath string, e - - // Do the bind mount - options := []string{"bind"} -+ mountFlags := []string{"--no-canonicalize"} - klog.V(5).Infof("bind mounting %q at %q", mountSource, bindPathTarget) -- if err = mounter.MountSensitiveWithoutSystemd(mountSource, bindPathTarget, "" /*fstype*/, options, nil); err != nil { -+ if err = mounter.MountSensitiveWithoutSystemdWithMountFlags(mountSource, bindPathTarget, "" /*fstype*/, options, nil /* sensitiveOptions */, mountFlags); err != nil { - return "", fmt.Errorf("error mounting %s: %s", subpath.Path, err) - } - success = true -diff --git a/staging/src/k8s.io/mount-utils/fake_mounter.go b/staging/src/k8s.io/mount-utils/fake_mounter.go -index 393ed04..55ea5e2 100644 ---- a/staging/src/k8s.io/mount-utils/fake_mounter.go -+++ b/staging/src/k8s.io/mount-utils/fake_mounter.go -@@ -136,6 +136,10 @@ func (f *FakeMounter) MountSensitiveWithoutSystemd(source string, target string, - return f.MountSensitive(source, target, fstype, options, 
nil /* sensitiveOptions */) - } - -+func (f *FakeMounter) MountSensitiveWithoutSystemdWithMountFlags(source string, target string, fstype string, options []string, sensitiveOptions []string, mountFlags []string) error { -+ return f.MountSensitive(source, target, fstype, options, nil /* sensitiveOptions */) -+} -+ - // Unmount records the unmount event and updates the in-memory mount points for FakeMounter - func (f *FakeMounter) Unmount(target string) error { - f.mutex.Lock() -diff --git a/staging/src/k8s.io/mount-utils/mount.go b/staging/src/k8s.io/mount-utils/mount.go -index c78cf13..9e2d5d9 100644 ---- a/staging/src/k8s.io/mount-utils/mount.go -+++ b/staging/src/k8s.io/mount-utils/mount.go -@@ -48,6 +48,8 @@ type Interface interface { - MountSensitive(source string, target string, fstype string, options []string, sensitiveOptions []string) error - // MountSensitiveWithoutSystemd is the same as MountSensitive() but this method disable using systemd mount. - MountSensitiveWithoutSystemd(source string, target string, fstype string, options []string, sensitiveOptions []string) error -+ // MountSensitiveWithoutSystemdWithMountFlags is the same as MountSensitiveWithoutSystemd() with additional mount flags -+ MountSensitiveWithoutSystemdWithMountFlags(source string, target string, fstype string, options []string, sensitiveOptions []string, mountFlags []string) error - // Unmount unmounts given target. - Unmount(target string) error - // List returns a list of all mounted filesystems. This can be large. 
-diff --git a/staging/src/k8s.io/mount-utils/mount_linux.go b/staging/src/k8s.io/mount-utils/mount_linux.go -index 20993cf..e9daa56 100644 ---- a/staging/src/k8s.io/mount-utils/mount_linux.go -+++ b/staging/src/k8s.io/mount-utils/mount_linux.go -@@ -83,11 +83,11 @@ func (mounter *Mounter) MountSensitive(source string, target string, fstype stri - mounterPath := "" - bind, bindOpts, bindRemountOpts, bindRemountOptsSensitive := MakeBindOptsSensitive(options, sensitiveOptions) - if bind { -- err := mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, bindOpts, bindRemountOptsSensitive, true) -+ err := mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, bindOpts, bindRemountOptsSensitive, nil /* mountFlags */, true) - if err != nil { - return err - } -- return mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, bindRemountOpts, bindRemountOptsSensitive, true) -+ return mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, bindRemountOpts, bindRemountOptsSensitive, nil /* mountFlags */, true) - } - // The list of filesystems that require containerized mounter on GCI image cluster - fsTypesNeedMounter := map[string]struct{}{ -@@ -99,19 +99,24 @@ func (mounter *Mounter) MountSensitive(source string, target string, fstype stri - if _, ok := fsTypesNeedMounter[fstype]; ok { - mounterPath = mounter.mounterPath - } -- return mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, options, sensitiveOptions, true) -+ return mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, options, sensitiveOptions, nil /* mountFlags */, true) - } - - // MountSensitiveWithoutSystemd is the same as MountSensitive() but disable using systemd mount. 
- func (mounter *Mounter) MountSensitiveWithoutSystemd(source string, target string, fstype string, options []string, sensitiveOptions []string) error { -+ return mounter.MountSensitiveWithoutSystemdWithMountFlags(source, target, fstype, options, sensitiveOptions, nil /* mountFlags */) -+} -+ -+// MountSensitiveWithoutSystemdWithMountFlags is the same as MountSensitiveWithoutSystemd with additional mount flags. -+func (mounter *Mounter) MountSensitiveWithoutSystemdWithMountFlags(source string, target string, fstype string, options []string, sensitiveOptions []string, mountFlags []string) error { - mounterPath := "" - bind, bindOpts, bindRemountOpts, bindRemountOptsSensitive := MakeBindOptsSensitive(options, sensitiveOptions) - if bind { -- err := mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, bindOpts, bindRemountOptsSensitive, false) -+ err := mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, bindOpts, bindRemountOptsSensitive, mountFlags, false) - if err != nil { - return err - } -- return mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, bindRemountOpts, bindRemountOptsSensitive, false) -+ return mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, bindRemountOpts, bindRemountOptsSensitive, mountFlags, false) - } - // The list of filesystems that require containerized mounter on GCI image cluster - fsTypesNeedMounter := map[string]struct{}{ -@@ -123,14 +128,14 @@ func (mounter *Mounter) MountSensitiveWithoutSystemd(source string, target strin - if _, ok := fsTypesNeedMounter[fstype]; ok { - mounterPath = mounter.mounterPath - } -- return mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, options, sensitiveOptions, false) -+ return mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, options, sensitiveOptions, mountFlags, false) - } - - // doMount runs the mount command. 
mounterPath is the path to mounter binary if containerized mounter is used. - // sensitiveOptions is an extension of options except they will not be logged (because they may contain sensitive material) - // systemdMountRequired is an extension of option to decide whether uses systemd mount. --func (mounter *Mounter) doMount(mounterPath string, mountCmd string, source string, target string, fstype string, options []string, sensitiveOptions []string, systemdMountRequired bool) error { -- mountArgs, mountArgsLogStr := MakeMountArgsSensitive(source, target, fstype, options, sensitiveOptions) -+func (mounter *Mounter) doMount(mounterPath string, mountCmd string, source string, target string, fstype string, options []string, sensitiveOptions []string, mountFlags []string, systemdMountRequired bool) error { -+ mountArgs, mountArgsLogStr := MakeMountArgsSensitive(source, target, fstype, options, sensitiveOptions, mountFlags) - if len(mounterPath) > 0 { - mountArgs = append([]string{mountCmd}, mountArgs...) - mountArgsLogStr = mountCmd + " " + mountArgsLogStr -@@ -206,17 +211,21 @@ func detectSystemd() bool { - // MakeMountArgs makes the arguments to the mount(8) command. - // options MUST not contain sensitive material (like passwords). - func MakeMountArgs(source, target, fstype string, options []string) (mountArgs []string) { -- mountArgs, _ = MakeMountArgsSensitive(source, target, fstype, options, nil /* sensitiveOptions */) -+ mountArgs, _ = MakeMountArgsSensitive(source, target, fstype, options, nil /* sensitiveOptions */, nil /* mountFlags */) - return mountArgs - } - - // MakeMountArgsSensitive makes the arguments to the mount(8) command. 
- // sensitiveOptions is an extension of options except they will not be logged (because they may contain sensitive material) --func MakeMountArgsSensitive(source, target, fstype string, options []string, sensitiveOptions []string) (mountArgs []string, mountArgsLogStr string) { -+func MakeMountArgsSensitive(source, target, fstype string, options []string, sensitiveOptions []string, mountFlags []string) (mountArgs []string, mountArgsLogStr string) { - // Build mount command as follows: -- // mount [-t $fstype] [-o $options] [$source] $target -+ // mount [--$mountFlags] [-t $fstype] [-o $options] [$source] $target - mountArgs = []string{} - mountArgsLogStr = "" -+ -+ mountArgs = append(mountArgs, mountFlags...) -+ mountArgsLogStr += strings.Join(mountFlags, " ") -+ - if len(fstype) > 0 { - mountArgs = append(mountArgs, "-t", fstype) - mountArgsLogStr += strings.Join(mountArgs, " ") -diff --git a/staging/src/k8s.io/mount-utils/mount_windows.go b/staging/src/k8s.io/mount-utils/mount_windows.go -index 358bcf5..92b42ca 100644 ---- a/staging/src/k8s.io/mount-utils/mount_windows.go -+++ b/staging/src/k8s.io/mount-utils/mount_windows.go -@@ -64,6 +64,12 @@ func (mounter *Mounter) MountSensitiveWithoutSystemd(source string, target strin - return mounter.MountSensitive(source, target, fstype, options, sensitiveOptions /* sensitiveOptions */) - } - -+// MountSensitiveWithoutSystemdWithMountFlags is the same as MountSensitiveWithoutSystemd with additional mount flags -+// Windows not supported systemd mount, this function degrades to MountSensitive(). 
-+func (mounter *Mounter) MountSensitiveWithoutSystemdWithMountFlags(source string, target string, fstype string, options []string, sensitiveOptions []string, mountFlags []string) error { -+ return mounter.MountSensitive(source, target, fstype, options, sensitiveOptions /* sensitiveOptions */) -+} -+ - // MountSensitive is the same as Mount() but this method allows - // sensitiveOptions to be passed in a separate parameter from the normal - // mount options and ensures the sensitiveOptions are never logged. This --- -1.8.3.1 - diff --git a/0006-kubelet-support-attach-websocket-protocol.patch b/0006-kubelet-support-attach-websocket-protocol.patch deleted file mode 100644 index 02a7de7..0000000 --- a/0006-kubelet-support-attach-websocket-protocol.patch +++ /dev/null 
@@ -1,63 +0,0 @@ -From 460bb849ad71236890c2c3fa7757a0cdbfda2c2b Mon Sep 17 00:00:00 2001 -From: zhangxiaoyu -Date: Sat, 19 Mar 2022 16:23:01 +0800 -Subject: [PATCH] kubelet support attach websocket protocol - -Signed-off-by: zhangxiaoyu ---- - pkg/kubelet/server/server.go | 22 ++++++++++++++++++---- - 1 file changed, 18 insertions(+), 4 deletions(-) - -diff --git a/pkg/kubelet/server/server.go b/pkg/kubelet/server/server.go -index 1d19fed6..0cf69b5f 100644 ---- a/pkg/kubelet/server/server.go -+++ b/pkg/kubelet/server/server.go -@@ -757,27 +757,41 @@ func proxyStream(w http.ResponseWriter, r *http.Request, url *url.URL) { - - // getAttach handles requests to attach to a container. - func (s *Server) getAttach(request *restful.Request, response *restful.Response) { -- params := getExecRequestParams(request) - streamOpts, err := remotecommandserver.NewOptions(request.Request) - if err != nil { - utilruntime.HandleError(err) - response.WriteError(http.StatusBadRequest, err) - return - } -+ -+ url, err := s.getAttachUrl(request, response, streamOpts) -+ if err != nil { -+ klog.Errorf("failed to get backend url %v", err) -+ return -+ } -+ if url.Scheme == "ws" || url.Scheme == "wss" { -+ remotecommandserver.ProxyToWebSocket(response.ResponseWriter, request.Request, url, streamOpts) -+ } else { -+ proxyStream(response.ResponseWriter, request.Request, url) -+ } -+} -+ -+func (s *Server) getAttachUrl(request *restful.Request, response *restful.Response, streamOpts *remotecommandserver.Options) (*url.URL, error) { -+ params := getExecRequestParams(request) - pod, ok := s.host.GetPodByName(params.podNamespace, params.podName) - if !ok { - response.WriteError(http.StatusNotFound, fmt.Errorf("pod does not exist")) -- return -+ return nil, fmt.Errorf("pod not found") - } - - podFullName := kubecontainer.GetPodFullName(pod) - url, err := s.host.GetAttach(podFullName, params.podUID, params.containerName, *streamOpts) - if err != nil { - streaming.WriteError(err, 
response.ResponseWriter) -- return -+ return nil, err - } - -- proxyStream(response.ResponseWriter, request.Request, url) -+ return url, nil - } - - // getExec handles requests to run a command inside a container. --- -2.25.1 - diff --git a/0008-kubelet-fix-websocket-reference-nil-pointer.patch b/0008-kubelet-fix-websocket-reference-nil-pointer.patch deleted file mode 100644 index 9b5f477..0000000 --- a/0008-kubelet-fix-websocket-reference-nil-pointer.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From 760129610e5b54d548247490899a8595cea2d5b8 Mon Sep 17 00:00:00 2001 -From: zhangxiaoyu -Date: Mon, 31 Oct 2022 17:15:51 +0800 -Subject: [PATCH] kubelet fix websocket reference nul pointer - -Signed-off-by: zhangxiaoyu ---- - .../cri/streaming/remotecommand/proxy.go | 19 ++++++++++++++----- - 1 file changed, 14 insertions(+), 5 deletions(-) - -diff --git a/pkg/kubelet/cri/streaming/remotecommand/proxy.go b/pkg/kubelet/cri/streaming/remotecommand/proxy.go -index 76222d90..f21629af 100644 ---- a/pkg/kubelet/cri/streaming/remotecommand/proxy.go -+++ b/pkg/kubelet/cri/streaming/remotecommand/proxy.go -@@ -169,14 +169,23 @@ func connectBackend(addr, subprotocol string, r *http.Request) (*websocket.Conn, - websocket.DefaultDialer.ReadBufferSize = 128 * 1024 - websocket.DefaultDialer.WriteBufferSize = 128 * 1024 - ws, resp, err := websocket.DefaultDialer.Dial(addr, h) -- if err != nil { -+ if err == nil { -+ return ws, nil -+ } -+ msg := fmt.Errorf("dial failed: %v, response Body is nil", err) -+ if resp != nil && resp.Body != nil { -+ defer func() { -+ //websocket buffer size maybe not enough and cause panic -+ if e := recover(); e != nil { -+ msg = fmt.Errorf("dial failed: %v, response panic %v", err, e) -+ } -+ resp.Body.Close() -+ }() - var body bytes.Buffer - body.ReadFrom(resp.Body) -- defer resp.Body.Close() -- msg := fmt.Errorf("dial failed: %v, response is: %v", err, body.String()) -- return nil, msg -+ msg = fmt.Errorf("dial failed: %v, response is: %v", err, body.String()) - } -- return ws, nil -+ return nil, msg - } - - type rwc struct { --- -2.25.1 - diff --git a/0011-Remove-Endpoints-write-access-from-aggregated-edit-r.patch b/0011-Remove-Endpoints-write-access-from-aggregated-edit-r.patch deleted file mode 100644 index f4d71a1..0000000 --- a/0011-Remove-Endpoints-write-access-from-aggregated-edit-r.patch +++ /dev/null 
@@ -1,38 +0,0 @@
-From 416efdab26afe06cf2b57991dfac511769bf508b Mon Sep 17 00:00:00 2001
-From: Rob Scott
-Date: Tue, 13 Jul 2021 22:17:12 -0700
-Subject: [PATCH] Remove Endpoints write access from aggregated edit role
-
----
- plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go | 2 +-
- .../authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml | 1 -
- 2 files changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
-index 352543a2..903c6723 100644
---- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
-+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
-@@ -286,7 +286,7 @@ func ClusterRoles() []rbacv1.ClusterRole {
-
- rbacv1helpers.NewRule(Write...).Groups(legacyGroup).Resources("pods", "pods/attach", "pods/proxy", "pods/exec", "pods/portforward").RuleOrDie(),
- rbacv1helpers.NewRule(Write...).Groups(legacyGroup).Resources("replicationcontrollers", "replicationcontrollers/scale", "serviceaccounts",
-- "services", "services/proxy", "endpoints", "persistentvolumeclaims", "configmaps", "secrets").RuleOrDie(),
-+ "services", "services/proxy", "persistentvolumeclaims", "configmaps", "secrets").RuleOrDie(),
-
- rbacv1helpers.NewRule(Write...).Groups(appsGroup).Resources(
- "statefulsets", "statefulsets/scale",
-diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
-index 2f571c76..e869c122 100644
---- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
-+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
-@@ -128,7 +128,6 @@ items:
- - ""
- resources:
- - configmaps
-- - endpoints
- - persistentvolumeclaims
- - replicationcontrollers
- - replicationcontrollers/scale
---
-2.25.1
-
diff --git a/kubernetes.spec b/kubernetes.spec
index 84f901c..dda3f75 100644
--- a/kubernetes.spec
+++ b/kubernetes.spec
@@ -2,12 +2,12 @@
 %global _buildshell /bin/bash
 
 Name: kubernetes
-Version: 1.20.2
-Release: 16
+Version: 1.24.0
+Release: 1
 Summary: Container cluster management
 License: ASL 2.0
 URL: https://k8s.io/kubernetes
-Source0: https://github.com/kubernetes/kubernetes/archive/v1.20.2.tar.gz
+Source0: https://github.com/kubernetes/kubernetes/archive/v1.24.0.tar.gz
 Source1: kube-proxy.service
 Source2: kube-apiserver.service
 Source3: kube-scheduler.service
@@ -24,17 +24,11 @@ Source13: kubernetes-accounting.conf
 Source14: kubeadm.conf
 Source15: kubernetes.conf
 
-Patch6000: 0001-kubelet-support-exec-websocket-protocol.patch
-Patch6001: 0002-fix-compile-options.patch
-Patch6002: 0003-fix-CVE-2021-25735.patch
-Patch6003: 0004-fix-CVE-2021-25737.patch
-Patch6004: 0005-fix-CVE-2021-25741.patch
-Patch6005: 0006-kubelet-support-attach-websocket-protocol.patch
-Patch6006: 0007-Add-an-option-for-aggregator.patch
-Patch6007: 0008-kubelet-fix-websocket-reference-nil-pointer.patch
-Patch6008: 0009-timeout-wait-backend-to-frontend-complete.patch
-Patch6009: 0010-Escape-terminal-special-characters-in-kubectl-112553.patch
-Patch6010: 0011-Remove-Endpoints-write-access-from-aggregated-edit-r.patch
+Patch0001: 0001-fix-compile-options.patch
+Patch0002: 0002-kubelet-support-exec-and-attach-websocket-protocol.patch
+Patch0003: 0003-timeout-wait-backend-to-frontend-complete.patch
+Patch0004: 0004-Add-an-option-for-aggregator.patch
+Patch0005: 0005-Escape-terminal-special-characters-in-kubectl-112553.patch
 
 %description
 Container cluster management.
@@ -95,7 +89,7 @@ Summary: Help documents for kubernetes
 Help documents for kubernetes.
 
 %prep
-%autosetup -n kubernetes-1.20.2 -p1
+%autosetup -n kubernetes-%{version} -p1
 mkdir -p src/k8s.io/kubernetes
 mv $(ls | grep -v "^src$") src/k8s.io/kubernetes/.
 
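Review bot: The new patch list drops Patch6007 (0008-kubelet-fix-websocket-reference-nil-pointer.patch) and Patch6010 (0011-Remove-Endpoints-write-access-from-aggregated-edit-r.patch) without saying where their fixes went, and the 1.24.0 changelog entry in the next file hunk records the update as `CVE:NA`. The Endpoints write-access removal and the three dropped CVE-2021-25735, CVE-2021-25737 and CVE-2021-25741 patches are, as far as I know, fixed upstream before 1.24.0, so dropping them looks right but deserves a sentence in the changelog rather than `CVE:NA`. The 0008 patch, however, changed connectBackend in pkg/kubelet/cri/streaming/remotecommand/proxy.go, a file that appears to exist only through the downstream websocket patches, so its handling of a nil response after a failed Dial is lost unless the merged 0002-kubelet-support-exec-and-attach-websocket-protocol.patch now carries it, and the part of that patch visible here does not show it. Suggest confirming that and recording it, e.g. `- DESC:update to 1.24.0; drop CVE-2021-25735/25737/25741 and Endpoints-write patches fixed upstream, fold 0008 nil-pointer fix into 0002`.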
@@ -266,6 +260,12 @@ getent passwd kube >/dev/null || useradd -r -g kube -d / -s /sbin/nologin \
 %systemd_postun kubelet kube-proxy
 
 %changelog
+* Tue Jan 03 2023 zhangxiaoyu - 1.24.0-1
+- Type:update
+- CVE:NA
+- SUG:NA
+- DESC:update to 1.24.0
+
 * Thu Dec 08 2022 zhangxiaoyu - 1.20.2-16
 - Type:bugfix
 - CVE:NA
@@ -314,13 +314,13 @@ getent passwd kube >/dev/null || useradd -r -g kube -d / -s /sbin/nologin \
 * Mon Mar 22 2021 wangfengtu - 1.20.2-4
 - Fix compile options
 
-* The Feb 09 2021 lixiang - 1.20.2-3
+* Tue Feb 09 2021 lixiang - 1.20.2-3
 - Remove go-md2man build require since it's no longer provided
 
-* Thu Feb 2 2021 gaohuatao - 1.20.2-2
+* Tue Feb 2 2021 gaohuatao - 1.20.2-2
 - Add kubelet support ws
 
-* Fri Jan 20 2021 lixiang - 1.20.2-1
+* Wed Jan 20 2021 lixiang - 1.20.2-1
 - Bump version to v1.20.2
 
 * Fri Sep 18 2020 xiadanni - 1.18.6-3
diff --git a/v1.20.2.tar.gz b/v1.24.0.tar.gz
similarity index 70%
rename from v1.20.2.tar.gz
rename to v1.24.0.tar.gz
index c72f325..01592a6 100644
Binary files a/v1.20.2.tar.gz and b/v1.24.0.tar.gz differ