!195 fix CVE-2025-0426

From: @liuxu180400617 
Reviewed-by: @xuxuepeng 
Signed-off-by: @xuxuepeng

0004-Add-processStartTime-in-metrics-slis.patch

@@ -0,0 +1,21 @@
+From 60a564c9204c67fbdead9d2e183e7ae1802e2dfb Mon Sep 17 00:00:00 2001
+From: Richa Banker <richabanker@google.com>
+Date: Thu, 11 Jan 2024 21:13:43 -0800
+Subject: [PATCH] Add processStartTime in metrics/slis
+
+---
+ .../src/k8s.io/component-base/metrics/prometheus/slis/metrics.go | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/staging/src/k8s.io/component-base/metrics/prometheus/slis/metrics.go b/staging/src/k8s.io/component-base/metrics/prometheus/slis/metrics.go
+index 3d464d12d75e2..39cd2ba288587 100644
+--- a/staging/src/k8s.io/component-base/metrics/prometheus/slis/metrics.go
++++ b/staging/src/k8s.io/component-base/metrics/prometheus/slis/metrics.go
+@@ -57,6 +57,7 @@ var (
+ func Register(registry k8smetrics.KubeRegistry) {
+ 	registry.Register(healthcheck)
+ 	registry.Register(healthchecksTotal)
++	_ = k8smetrics.RegisterProcessStartTime(registry.Register)
+ }
+ 
+ func ResetHealthMetrics() {

0005-fix-a-bug-where-the-uploaded-kubelet-configuration-in-kube-system-kubelet-config-ConfigMap-does-not-respect-user.patch

@@ -0,0 +1,123 @@
+From 3dbf97d91090e73b7e3acaea003725d8fedf49ff Mon Sep 17 00:00:00 2001
+From: Shida Qiu <shidaqiu2018@gmail.com>
+Date: Fri, 2 Feb 2024 20:34:30 +0800
+Subject: [PATCH] Revert "kubeadm: fix a bug where the uploaded kubelet
+ configuration in kube-system/kubelet-config ConfigMap does not respect user
+ patch"
+
+---
+ cmd/kubeadm/app/cmd/phases/init/uploadconfig.go | 14 +++++++-------
+ cmd/kubeadm/app/phases/kubelet/config.go        | 16 ++++------------
+ cmd/kubeadm/app/phases/kubelet/config_test.go   |  2 +-
+ cmd/kubeadm/app/phases/upgrade/postupgrade.go   |  2 +-
+ 4 files changed, 13 insertions(+), 21 deletions(-)
+
+diff --git a/cmd/kubeadm/app/cmd/phases/init/uploadconfig.go b/cmd/kubeadm/app/cmd/phases/init/uploadconfig.go
+index 88be945750f62..c9338f189908c 100644
+--- a/cmd/kubeadm/app/cmd/phases/init/uploadconfig.go
++++ b/cmd/kubeadm/app/cmd/phases/init/uploadconfig.go
+@@ -104,7 +104,7 @@ func getUploadConfigPhaseFlags() []string {
+ 
+ // runUploadKubeadmConfig uploads the kubeadm configuration to a ConfigMap
+ func runUploadKubeadmConfig(c workflow.RunData) error {
+-	cfg, client, _, err := getUploadConfigData(c)
++	cfg, client, err := getUploadConfigData(c)
+ 	if err != nil {
+ 		return err
+ 	}
+@@ -118,13 +118,13 @@ func runUploadKubeadmConfig(c workflow.RunData) error {
+ 
+ // runUploadKubeletConfig uploads the kubelet configuration to a ConfigMap
+ func runUploadKubeletConfig(c workflow.RunData) error {
+-	cfg, client, patchesDir, err := getUploadConfigData(c)
++	cfg, client, err := getUploadConfigData(c)
+ 	if err != nil {
+ 		return err
+ 	}
+ 
+ 	klog.V(1).Infoln("[upload-config] Uploading the kubelet component config to a ConfigMap")
+-	if err = kubeletphase.CreateConfigMap(&cfg.ClusterConfiguration, patchesDir, client); err != nil {
++	if err = kubeletphase.CreateConfigMap(&cfg.ClusterConfiguration, client); err != nil {
+ 		return errors.Wrap(err, "error creating kubelet configuration ConfigMap")
+ 	}
+ 
+@@ -135,15 +135,15 @@ func runUploadKubeletConfig(c workflow.RunData) error {
+ 	return nil
+ }
+ 
+-func getUploadConfigData(c workflow.RunData) (*kubeadmapi.InitConfiguration, clientset.Interface, string, error) {
++func getUploadConfigData(c workflow.RunData) (*kubeadmapi.InitConfiguration, clientset.Interface, error) {
+ 	data, ok := c.(InitData)
+ 	if !ok {
+-		return nil, nil, "", errors.New("upload-config phase invoked with an invalid data struct")
++		return nil, nil, errors.New("upload-config phase invoked with an invalid data struct")
+ 	}
+ 	cfg := data.Cfg()
+ 	client, err := data.Client()
+ 	if err != nil {
+-		return nil, nil, "", err
++		return nil, nil, err
+ 	}
+-	return cfg, client, data.PatchesDir(), err
++	return cfg, client, err
+ }
+diff --git a/cmd/kubeadm/app/phases/kubelet/config.go b/cmd/kubeadm/app/phases/kubelet/config.go
+index 2adc8d8631eb3..3236edb58b679 100644
+--- a/cmd/kubeadm/app/phases/kubelet/config.go
++++ b/cmd/kubeadm/app/phases/kubelet/config.go
+@@ -68,7 +68,10 @@ func WriteConfigToDisk(cfg *kubeadmapi.ClusterConfiguration, kubeletDir, patches
+ 
+ // CreateConfigMap creates a ConfigMap with the generic kubelet configuration.
+ // Used at "kubeadm init" and "kubeadm upgrade" time
+-func CreateConfigMap(cfg *kubeadmapi.ClusterConfiguration, patchesDir string, client clientset.Interface) error {
++func CreateConfigMap(cfg *kubeadmapi.ClusterConfiguration, client clientset.Interface) error {
++	configMapName := kubeadmconstants.KubeletBaseConfigurationConfigMap
++	fmt.Printf("[kubelet] Creating a ConfigMap %q in namespace %s with the configuration for the kubelets in the cluster\n", configMapName, metav1.NamespaceSystem)
++
+ 	kubeletCfg, ok := cfg.ComponentConfigs[componentconfigs.KubeletGroup]
+ 	if !ok {
+ 		return errors.New("no kubelet component config found in the active component config set")
+@@ -79,17 +82,6 @@ func CreateConfigMap(cfg *kubeadmapi.ClusterConfiguration, patchesDir string, cl
+ 		return err
+ 	}
+ 
+-	// Apply patches to the KubeletConfiguration
+-	if len(patchesDir) != 0 {
+-		kubeletBytes, err = applyKubeletConfigPatches(kubeletBytes, patchesDir, os.Stdout)
+-		if err != nil {
+-			return errors.Wrap(err, "could not apply patches to the KubeletConfiguration")
+-		}
+-	}
+-
+-	configMapName := kubeadmconstants.KubeletBaseConfigurationConfigMap
+-	fmt.Printf("[kubelet] Creating a ConfigMap %q in namespace %s with the configuration for the kubelets in the cluster\n", configMapName, metav1.NamespaceSystem)
+-
+ 	configMap := &v1.ConfigMap{
+ 		ObjectMeta: metav1.ObjectMeta{
+ 			Name:      configMapName,
+diff --git a/cmd/kubeadm/app/phases/kubelet/config_test.go b/cmd/kubeadm/app/phases/kubelet/config_test.go
+index 5399d66a84610..f1add0f831276 100644
+--- a/cmd/kubeadm/app/phases/kubelet/config_test.go
++++ b/cmd/kubeadm/app/phases/kubelet/config_test.go
+@@ -58,7 +58,7 @@ func TestCreateConfigMap(t *testing.T) {
+ 		t.Fatalf("unexpected failure when defaulting InitConfiguration: %v", err)
+ 	}
+ 
+-	if err := CreateConfigMap(&internalcfg.ClusterConfiguration, "", client); err != nil {
++	if err := CreateConfigMap(&internalcfg.ClusterConfiguration, client); err != nil {
+ 		t.Errorf("CreateConfigMap: unexpected error %v", err)
+ 	}
+ }
+diff --git a/cmd/kubeadm/app/phases/upgrade/postupgrade.go b/cmd/kubeadm/app/phases/upgrade/postupgrade.go
+index 336efbf2174fb..c394eab681908 100644
+--- a/cmd/kubeadm/app/phases/upgrade/postupgrade.go
++++ b/cmd/kubeadm/app/phases/upgrade/postupgrade.go
+@@ -61,7 +61,7 @@ func PerformPostUpgradeTasks(client clientset.Interface, cfg *kubeadmapi.InitCon
+ 	}
+ 
+ 	// Create the new, version-branched kubelet ComponentConfig ConfigMap
+-	if err := kubeletphase.CreateConfigMap(&cfg.ClusterConfiguration, patchesDir, client); err != nil {
++	if err := kubeletphase.CreateConfigMap(&cfg.ClusterConfiguration, client); err != nil {
+ 		errs = append(errs, errors.Wrap(err, "error creating kubelet configuration ConfigMap"))
+ 	}
+ 

0006-adapt-go-version.patch

@@ -0,0 +1,371 @@
+From c45cd1faab39d505e289148a43b3d57b7545a892 Mon Sep 17 00:00:00 2001
+From: liuxu <liuxu156@huawei.com>
+Date: Thu, 28 Nov 2024 17:23:38 +0800
+Subject: [PATCH] adapt go version
+
+Signed-off-by: liuxu <liuxu156@huawei.com>
+---
+ .go-version                     |  2 +-
+ build/build-image/cross/VERSION |  2 +-
+ build/common.sh                 |  2 +-
+ build/dependencies.yaml         |  6 ++--
+ staging/publishing/rules.yaml   | 62 ++++++++++++++++-----------------
+ test/images/Makefile            |  2 +-
+ 6 files changed, 38 insertions(+), 38 deletions(-)
+
+diff --git a/.go-version b/.go-version
+index 6e83421e4fd..3d8ac637188 100644
+--- a/.go-version
++++ b/.go-version
+@@ -1 +1 @@
+-1.21.6
+\ No newline at end of file
++1.21.4
+\ No newline at end of file
+diff --git a/build/build-image/cross/VERSION b/build/build-image/cross/VERSION
+index 5d4ae206a18..8ac11054699 100644
+--- a/build/build-image/cross/VERSION
++++ b/build/build-image/cross/VERSION
+@@ -1 +1 @@
+-v1.29.0-go1.21.6-bullseye.0
++v1.29.0-go1.21.4-bullseye.0
+diff --git a/build/common.sh b/build/common.sh
+index bd6a01a2074..da083d18ceb 100755
+--- a/build/common.sh
++++ b/build/common.sh
+@@ -97,7 +97,7 @@ readonly KUBE_CONTAINER_RSYNC_PORT=8730
+ 
+ # These are the default versions (image tags) for their respective base images.
+ readonly __default_distroless_iptables_version=v0.4.4
+-readonly __default_go_runner_version=v2.3.1-go1.21.6-bookworm.0
++readonly __default_go_runner_version=v2.3.1-go1.21.4-bookworm.0
+ readonly __default_setcap_version=bookworm-v1.0.0
+ 
+ # These are the base images for the Docker-wrapped binaries.
+diff --git a/build/dependencies.yaml b/build/dependencies.yaml
+index 3a17f6b4bf5..9da3bee180a 100644
+--- a/build/dependencies.yaml
++++ b/build/dependencies.yaml
+@@ -118,7 +118,7 @@ dependencies:
+ 
+   # Golang
+   - name: "golang: upstream version"
+-    version: 1.21.6
++    version: 1.21.4
+     refPaths:
+     - path: .go-version
+     - path: build/build-image/cross/VERSION
+@@ -140,7 +140,7 @@ dependencies:
+       match: minimum_go_version=go([0-9]+\.[0-9]+)
+ 
+   - name: "registry.k8s.io/kube-cross: dependents"
+-    version: v1.29.0-go1.21.6-bullseye.0
++    version: v1.29.0-go1.21.4-bullseye.0
+     refPaths:
+     - path: build/build-image/cross/VERSION
+ 
+@@ -186,7 +186,7 @@ dependencies:
+       match: configs\[DistrolessIptables\] = Config{list\.BuildImageRegistry, "distroless-iptables", "v([0-9]+)\.([0-9]+)\.([0-9]+)"}
+ 
+   - name: "registry.k8s.io/go-runner: dependents"
+-    version: v2.3.1-go1.21.6-bookworm.0
++    version: v2.3.1-go1.21.4-bookworm.0
+     refPaths:
+     - path: build/common.sh
+       match: __default_go_runner_version=
+diff --git a/staging/publishing/rules.yaml b/staging/publishing/rules.yaml
+index 62071c41ee2..f1dae4f5031 100644
+--- a/staging/publishing/rules.yaml
++++ b/staging/publishing/rules.yaml
+@@ -31,7 +31,7 @@ rules:
+       dirs:
+       - staging/src/k8s.io/code-generator
+   - name: release-1.29
+-    go: 1.21.6
++    go: 1.21.4
+     source:
+       branch: release-1.29
+       dirs:
+@@ -68,7 +68,7 @@ rules:
+       dirs:
+       - staging/src/k8s.io/apimachinery
+   - name: release-1.29
+-    go: 1.21.6
++    go: 1.21.4
+     source:
+       branch: release-1.29
+       dirs:
+@@ -121,7 +121,7 @@ rules:
+       dirs:
+       - staging/src/k8s.io/api
+   - name: release-1.29
+-    go: 1.21.6
++    go: 1.21.4
+     dependencies:
+     - repository: apimachinery
+       branch: release-1.29
+@@ -207,7 +207,7 @@ rules:
+       go build -mod=mod ./...
+       go test -mod=mod ./...
+   - name: release-1.29
+-    go: 1.21.6
++    go: 1.21.4
+     dependencies:
+     - repository: apimachinery
+       branch: release-1.29
+@@ -289,7 +289,7 @@ rules:
+       dirs:
+       - staging/src/k8s.io/component-base
+   - name: release-1.29
+-    go: 1.21.6
++    go: 1.21.4
+     dependencies:
+     - repository: apimachinery
+       branch: release-1.29
+@@ -369,7 +369,7 @@ rules:
+       dirs:
+       - staging/src/k8s.io/component-helpers
+   - name: release-1.29
+-    go: 1.21.6
++    go: 1.21.4
+     dependencies:
+     - repository: apimachinery
+       branch: release-1.29
+@@ -425,7 +425,7 @@ rules:
+       dirs:
+       - staging/src/k8s.io/kms
+   - name: release-1.29
+-    go: 1.21.6
++    go: 1.21.4
+     dependencies:
+     - repository: apimachinery
+       branch: release-1.29
+@@ -519,7 +519,7 @@ rules:
+       dirs:
+       - staging/src/k8s.io/apiserver
+   - name: release-1.29
+-    go: 1.21.6
++    go: 1.21.4
+     dependencies:
+     - repository: apimachinery
+       branch: release-1.29
+@@ -641,7 +641,7 @@ rules:
+       dirs:
+       - staging/src/k8s.io/kube-aggregator
+   - name: release-1.29
+-    go: 1.21.6
++    go: 1.21.4
+     dependencies:
+     - repository: apimachinery
+       branch: release-1.29
+@@ -791,7 +791,7 @@ rules:
+       # assumes GO111MODULE=on
+       go build -mod=mod .
+   - name: release-1.29
+-    go: 1.21.6
++    go: 1.21.4
+     dependencies:
+     - repository: apimachinery
+       branch: release-1.29
+@@ -918,7 +918,7 @@ rules:
+       # assumes GO111MODULE=on
+       go build -mod=mod .
+   - name: release-1.29
+-    go: 1.21.6
++    go: 1.21.4
+     dependencies:
+     - repository: apimachinery
+       branch: release-1.29
+@@ -1052,7 +1052,7 @@ rules:
+     required-packages:
+     - k8s.io/code-generator
+   - name: release-1.29
+-    go: 1.21.6
++    go: 1.21.4
+     dependencies:
+     - repository: apimachinery
+       branch: release-1.29
+@@ -1151,7 +1151,7 @@ rules:
+       dirs:
+       - staging/src/k8s.io/metrics
+   - name: release-1.29
+-    go: 1.21.6
++    go: 1.21.4
+     dependencies:
+     - repository: apimachinery
+       branch: release-1.29
+@@ -1233,7 +1233,7 @@ rules:
+       dirs:
+       - staging/src/k8s.io/cli-runtime
+   - name: release-1.29
+-    go: 1.21.6
++    go: 1.21.4
+     dependencies:
+     - repository: api
+       branch: release-1.29
+@@ -1323,7 +1323,7 @@ rules:
+       dirs:
+       - staging/src/k8s.io/sample-cli-plugin
+   - name: release-1.29
+-    go: 1.21.6
++    go: 1.21.4
+     dependencies:
+     - repository: api
+       branch: release-1.29
+@@ -1414,7 +1414,7 @@ rules:
+       dirs:
+       - staging/src/k8s.io/kube-proxy
+   - name: release-1.29
+-    go: 1.21.6
++    go: 1.21.4
+     dependencies:
+     - repository: apimachinery
+       branch: release-1.29
+@@ -1461,7 +1461,7 @@ rules:
+       dirs:
+       - staging/src/k8s.io/cri-api
+   - name: release-1.29
+-    go: 1.21.6
++    go: 1.21.4
+     source:
+       branch: release-1.29
+       dirs:
+@@ -1556,7 +1556,7 @@ rules:
+       dirs:
+       - staging/src/k8s.io/kubelet
+   - name: release-1.29
+-    go: 1.21.6
++    go: 1.21.4
+     dependencies:
+     - repository: apimachinery
+       branch: release-1.29
+@@ -1654,7 +1654,7 @@ rules:
+       dirs:
+       - staging/src/k8s.io/kube-scheduler
+   - name: release-1.29
+-    go: 1.21.6
++    go: 1.21.4
+     dependencies:
+     - repository: apimachinery
+       branch: release-1.29
+@@ -1764,7 +1764,7 @@ rules:
+       dirs:
+       - staging/src/k8s.io/controller-manager
+   - name: release-1.29
+-    go: 1.21.6
++    go: 1.21.4
+     dependencies:
+     - repository: api
+       branch: release-1.29
+@@ -1898,7 +1898,7 @@ rules:
+       dirs:
+       - staging/src/k8s.io/cloud-provider
+   - name: release-1.29
+-    go: 1.21.6
++    go: 1.21.4
+     dependencies:
+     - repository: api
+       branch: release-1.29
+@@ -2046,7 +2046,7 @@ rules:
+       dirs:
+       - staging/src/k8s.io/kube-controller-manager
+   - name: release-1.29
+-    go: 1.21.6
++    go: 1.21.4
+     dependencies:
+     - repository: apimachinery
+       branch: release-1.29
+@@ -2128,7 +2128,7 @@ rules:
+       dirs:
+       - staging/src/k8s.io/cluster-bootstrap
+   - name: release-1.29
+-    go: 1.21.6
++    go: 1.21.4
+     dependencies:
+     - repository: apimachinery
+       branch: release-1.29
+@@ -2196,7 +2196,7 @@ rules:
+       dirs:
+       - staging/src/k8s.io/csi-translation-lib
+   - name: release-1.29
+-    go: 1.21.6
++    go: 1.21.4
+     dependencies:
+     - repository: api
+       branch: release-1.29
+@@ -2239,7 +2239,7 @@ rules:
+       dirs:
+       - staging/src/k8s.io/mount-utils
+   - name: release-1.29
+-    go: 1.21.6
++    go: 1.21.4
+     source:
+       branch: release-1.29
+       dirs:
+@@ -2378,7 +2378,7 @@ rules:
+       dirs:
+       - staging/src/k8s.io/legacy-cloud-providers
+   - name: release-1.29
+-    go: 1.21.6
++    go: 1.21.4
+     dependencies:
+     - repository: api
+       branch: release-1.29
+@@ -2520,7 +2520,7 @@ rules:
+       dirs:
+       - staging/src/k8s.io/kubectl
+   - name: release-1.29
+-    go: 1.21.6
++    go: 1.21.4
+     dependencies:
+     - repository: api
+       branch: release-1.29
+@@ -2638,7 +2638,7 @@ rules:
+       dirs:
+       - staging/src/k8s.io/pod-security-admission
+   - name: release-1.29
+-    go: 1.21.6
++    go: 1.21.4
+     dependencies:
+     - repository: api
+       branch: release-1.29
+@@ -2735,7 +2735,7 @@ rules:
+       dirs:
+       - staging/src/k8s.io/dynamic-resource-allocation
+   - name: release-1.29
+-    go: 1.21.6
++    go: 1.21.4
+     dependencies:
+     - repository: apimachinery
+       branch: release-1.29
+@@ -2787,7 +2787,7 @@ rules:
+       dirs:
+       - staging/src/k8s.io/endpointslice
+   - name: release-1.29
+-    go: 1.21.6
++    go: 1.21.4
+     dependencies:
+     - repository: api
+       branch: release-1.29
+@@ -2803,4 +2803,4 @@ rules:
+       - staging/src/k8s.io/endpointslice
+ recursive-delete-patterns:
+ - '*/.gitattributes'
+-default-go-version: 1.21.6
++default-go-version: 1.21.4
+diff --git a/test/images/Makefile b/test/images/Makefile
+index 92e854649d5..6fb6d7c3e38 100644
+--- a/test/images/Makefile
++++ b/test/images/Makefile
+@@ -16,7 +16,7 @@ REGISTRY ?= registry.k8s.io/e2e-test-images
+ GOARM ?= 7
+ DOCKER_CERT_BASE_PATH ?=
+ QEMUVERSION=v5.1.0-2
+-GOLANG_VERSION=1.21.6
++GOLANG_VERSION=1.21.4
+ export
+ 
+ ifndef WHAT
+-- 
+2.43.0
+

0007-gitRepo-volume-directory-must-be-max-1-level-deep.patch

@@ -0,0 +1,56 @@
+From c7846fd24c16266a3bfd86315171f5b4d5f0c9c9 Mon Sep 17 00:00:00 2001
+From: Imre Rad <imrer@google.com>
+Date: Thu, 25 Apr 2024 14:21:51 +0000
+Subject: [PATCH] gitRepo volume: directory must be max 1 level deep
+
+More details on Hackerone #2266560
+---
+ pkg/volume/git_repo/git_repo.go      |  6 ++++++
+ pkg/volume/git_repo/git_repo_test.go | 14 ++++++++++++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/pkg/volume/git_repo/git_repo.go b/pkg/volume/git_repo/git_repo.go
+index 995018d9007..b3827b92ad0 100644
+--- a/pkg/volume/git_repo/git_repo.go
++++ b/pkg/volume/git_repo/git_repo.go
+@@ -261,6 +261,12 @@ func validateVolume(src *v1.GitRepoVolumeSource) error {
+ 	if err := validateNonFlagArgument(src.Directory, "directory"); err != nil {
+ 		return err
+ 	}
++	if (src.Revision != "") && (src.Directory != "") {
++		cleanedDir := filepath.Clean(src.Directory)
++		if strings.Contains(cleanedDir, "/") || (strings.Contains(cleanedDir, "\\")) {
++			return fmt.Errorf("%q is not a valid directory, it must not contain a directory separator", src.Directory)
++		}
++	}
+ 	return nil
+ }
+ 
+diff --git a/pkg/volume/git_repo/git_repo_test.go b/pkg/volume/git_repo/git_repo_test.go
+index 5b1461be892..650f765cc48 100644
+--- a/pkg/volume/git_repo/git_repo_test.go
++++ b/pkg/volume/git_repo/git_repo_test.go
+@@ -267,6 +267,20 @@ func TestPlugin(t *testing.T) {
+ 			},
+ 			isExpectedFailure: true,
+ 		},
++		{
++			name: "invalid-revision-directory-combo",
++			vol: &v1.Volume{
++				Name: "vol1",
++				VolumeSource: v1.VolumeSource{
++					GitRepo: &v1.GitRepoVolumeSource{
++						Repository: gitURL,
++						Revision:   "main",
++						Directory:  "foo/bar",
++					},
++				},
++			},
++			isExpectedFailure: true,
++		},
+ 	}
+ 
+ 	for _, scenario := range scenarios {
+-- 
+2.34.1
+

0008-Kubelet-server-handler-cleanup.patch

@@ -0,0 +1,52 @@
+From ce40efb4ef6efddc12e371a688687aa818d1ee53 Mon Sep 17 00:00:00 2001
+From: Tim Allclair <tallclair@google.com>
+Date: Tue, 21 Jan 2025 16:31:52 -0800
+Subject: [PATCH] Kubelet server handler cleanup
+
+---
+ pkg/kubelet/server/server.go | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/pkg/kubelet/server/server.go b/pkg/kubelet/server/server.go
+index 87a017f9ccc..483faa60f4f 100644
+--- a/pkg/kubelet/server/server.go
++++ b/pkg/kubelet/server/server.go
+@@ -443,17 +443,6 @@ func (s *Server) InstallDefaultHandlers() {
+ 	s.restfulCont.Handle(proberMetricsPath,
+ 		compbasemetrics.HandlerFor(p, compbasemetrics.HandlerOpts{ErrorHandling: compbasemetrics.ContinueOnError}),
+ 	)
+-
+-	// Only enable checkpoint API if the feature is enabled
+-	if utilfeature.DefaultFeatureGate.Enabled(features.ContainerCheckpoint) {
+-		s.addMetricsBucketMatcher("checkpoint")
+-		ws = &restful.WebService{}
+-		ws.Path("/checkpoint").Produces(restful.MIME_JSON)
+-		ws.Route(ws.POST("/{podNamespace}/{podID}/{containerName}").
+-			To(s.checkpoint).
+-			Operation("checkpoint"))
+-		s.restfulCont.Add(ws)
+-	}
+ }
+ 
+ // InstallDebuggingHandlers registers the HTTP request patterns that serve logs or run commands/containers
+@@ -548,6 +537,17 @@ func (s *Server) InstallDebuggingHandlers() {
+ 		To(s.getRunningPods).
+ 		Operation("getRunningPods"))
+ 	s.restfulCont.Add(ws)
++
++	// Only enable checkpoint API if the feature is enabled
++	if utilfeature.DefaultFeatureGate.Enabled(features.ContainerCheckpoint) {
++		s.addMetricsBucketMatcher("checkpoint")
++		ws = &restful.WebService{}
++		ws.Path("/checkpoint").Produces(restful.MIME_JSON)
++		ws.Route(ws.POST("/{podNamespace}/{podID}/{containerName}").
++			To(s.checkpoint).
++			Operation("checkpoint"))
++		s.restfulCont.Add(ws)
++	}
+ }
+ 
+ // InstallDebuggingDisabledHandlers registers the HTTP request patterns that provide better error message
+-- 
+2.34.1
+

kubernetes.spec

@@ -3,7 +3,7 @@
 
 Name:         kubernetes
 Version:      1.29.1
-Release:      6
+Release:      11
 Summary:      Container cluster management
 License:      ASL 2.0
 URL:          https://k8s.io/kubernetes
@@ -27,12 +27,14 @@ Source15:     kubernetes.conf
 Patch0001: 0001-fix-compile-options.patch
 Patch0002: 0002-kubelet-support-exec-and-attach-websocket-protocol.patch
 Patch0003: 0003-Add-envFrom-to-serviceaccount-admission-plugin.patch
-%ifarch riscv64
+Patch0004: 0004-Add-processStartTime-in-metrics-slis.patch
+Patch0005: 0005-fix-a-bug-where-the-uploaded-kubelet-configuration-in-kube-system-kubelet-config-ConfigMap-does-not-respect-user.patch
+Patch0006: 0006-adapt-go-version.patch
+Patch0007: 0007-gitRepo-volume-directory-must-be-max-1-level-deep.patch
+Patch0008: 0008-Kubelet-server-handler-cleanup.patch
+
 Patch1000: 1000-Add-riscv64-support-for-v1.29.1-kubernetes.patch
-%endif
-%ifarch loong64
 Patch1001: 1001-Add-loong64-host-build-support.patch 
-%endif
 
 %description
 Container cluster management.
@@ -93,7 +95,24 @@ Summary: Help documents for kubernetes
 Help documents for kubernetes.
 
 %prep
-%autosetup -n kubernetes-%{version} -p1
+%setup -n %{name}-%{version}
+%patch 0001 -p1
+%patch 0002 -p1
+%patch 0003 -p1
+%patch 0004 -p1
+%patch 0005 -p1
+%patch 0006 -p1
+%patch 0007 -p1
+%patch 0008 -p1
+
+%ifarch riscv64
+%patch 1000 -p1
+%endif
+
+%ifarch loongarch64
+%patch 1001 -p1
+%endif
+
 mkdir -p src/k8s.io/kubernetes
 mv $(ls | grep -v "^src$") src/k8s.io/kubernetes/.
 
@@ -271,6 +290,34 @@ getent passwd kube >/dev/null || useradd -r -g kube -d / -s /sbin/nologin \
 %systemd_postun kubelet kube-proxy
 
 %changelog
+* Mon Feb 24 2025 liuxu <liuxu156@huawei.com> - 1.29.1-11
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:fix CVE-2025-0426
+
+* Fri Dec 06 2024 shenzhongwei <shenzhongwei@kylinos.cn> - 1.29.1-10
+- TypeLbugfix
+- CVE:NA
+- SUG:NA
+- DECS:remove the architecture judgment in the patches section;
+       include all patches in the source package.
+
+* Thu Dec 05 2024 liuxu <liuxu156@huawei.com> - 1.29.1-9
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:fix CVE-2024-10220
+
+* Thu Nov 28 2024 liuxu <liuxu156@huawei.com> - 1.29.1-8
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:adapt go version
+
+* Tue Jul 9 2024 zhangxingrong-<zhangxingrong@uniontech.cn> - 1.29.1-7
+- DESC:Round Upstream Patchs
+
 * Wed Jul 03 2024 heruoqing <ruoqing@iscas.ac.cn> - 1.29.1-6
 - DESC: reapply riscv64 patch