From 675338ba8dda94bd9237a98593546091b619ae15 Mon Sep 17 00:00:00 2001
From: andyzhangx
Date: Sat, 15 Feb 2025 08:40:36 +0000
Subject: [PATCH] fix: CVE-2025-0426

---
 go.mod | 16 ++++++++--------
 go.sum | 8 ++++----
 .../kubernetes/pkg/features/kube_features.go | 3 ++-
 .../pkg/volume/util/device_util_linux.go | 7 ++++++-
 .../util/recyclerclient/recycler_client.go | 7 ++++---
 .../framework/debug/resource_usage_gatherer.go | 3 ++-
 .../test/e2e/framework/flake_reporting_util.go | 2 +-
 .../kubernetes/test/e2e/framework/framework.go | 4 ++--
 .../test/e2e/framework/node/resource.go | 4 ++--
 .../test/e2e/framework/skipper/skipper.go | 5 ++++-
 .../kubernetes/test/utils/density_utils.go | 3 ++-
 .../k8s.io/kubernetes/test/utils/deployment.go | 3 ++-
 .../kubernetes/test/utils/image/manifest.go | 2 +-
 vendor/k8s.io/kubernetes/test/utils/runners.go | 6 +++---
 vendor/modules.txt | 18 +++++++++--------
 15 files changed, 52 insertions(+), 39 deletions(-)

diff --git a/go.mod b/go.mod
index f20baf2dd..848523438 100644
--- a/go.mod
+++ b/go.mod
@@ -28,13 +28,13 @@ require (
 golang.org/x/sync v0.11.0
 google.golang.org/grpc v1.67.1
 google.golang.org/protobuf v1.36.5
- k8s.io/api v0.31.4
- k8s.io/apimachinery v0.31.4
- k8s.io/apiserver v0.31.3
- k8s.io/client-go v0.31.4
- k8s.io/component-base v0.31.3
+ k8s.io/api v0.31.6
+ k8s.io/apimachinery v0.31.6
+ k8s.io/apiserver v0.31.6
+ k8s.io/client-go v0.31.6
+ k8s.io/component-base v0.31.6
 k8s.io/klog/v2 v2.130.1
- k8s.io/kubernetes v1.31.3
+ k8s.io/kubernetes v1.31.6
 k8s.io/mount-utils v0.32.1
 k8s.io/pod-security-admission v0.31.1
 k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738
@@ -194,8 +194,8 @@ replace (
 k8s.io/kube-proxy => k8s.io/kube-proxy v0.31.3
 k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.31.3
 k8s.io/kubectl => k8s.io/kubectl v0.31.3
- k8s.io/kubelet => k8s.io/kubelet v0.31.3
- k8s.io/kubernetes => k8s.io/kubernetes v1.31.3
+ k8s.io/kubelet => k8s.io/kubelet v0.31.6
+ k8s.io/kubernetes => k8s.io/kubernetes v1.31.6
 k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.31.3
 k8s.io/metrics => k8s.io/metrics v0.31.3
 k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.31.3
diff --git a/go.sum b/go.sum
index 65f21879e..17be1e6b3 100644
--- a/go.sum
+++ b/go.sum
@@ -454,10 +454,10 @@ k8s.io/kube-openapi v0.0.0-20240730131305-7a9a4e85957e h1:OnKkExfhk4yxMqvBSPzUfh
 k8s.io/kube-openapi v0.0.0-20240730131305-7a9a4e85957e/go.mod h1:0CVn9SVo8PeW5/JgsBZZIFmmTk5noOM8WXf2e1tCihE=
 k8s.io/kubectl v0.31.3 h1:3r111pCjPsvnR98oLLxDMwAeM6OPGmPty6gSKaLTQes=
 k8s.io/kubectl v0.31.3/go.mod h1:lhMECDCbJN8He12qcKqs2QfmVo9Pue30geovBVpH5fs=
-k8s.io/kubelet v0.31.3 h1:DIXRAmvVGp42mV2vpA1GCLU6oO8who0/vp3Oq6kSpbI=
-k8s.io/kubelet v0.31.3/go.mod h1:KSdbEfNy5VzqUlAHlytA/fH12s+sE1u8fb/8JY9sL/8=
-k8s.io/kubernetes v1.31.3 h1:oqb7HdfnTelrGlZ6ziNugvQ/L/aJWR704114EAhUn9Q=
-k8s.io/kubernetes v1.31.3/go.mod h1:9xmT2buyTYj8TRKwRae7FcuY8k5+xlxv7VivvO0KKfs=
+k8s.io/kubelet v0.31.6 h1:lxVvyLNDcb/QTpQNkDySk3iscgq4zubeSZs3cF6PmaA=
+k8s.io/kubelet v0.31.6/go.mod h1:BPghO52ilF7UzFEVBmYFOxdVtLge0P1gixjz84lBzzc=
+k8s.io/kubernetes v1.31.6 h1:zVhgWDFHmIj51o5sNARmjdgNvpq4K2Smya8pS5vxqlc=
+k8s.io/kubernetes v1.31.6/go.mod h1:9xmT2buyTYj8TRKwRae7FcuY8k5+xlxv7VivvO0KKfs=
 k8s.io/mount-utils v0.32.1 h1:RJOD6xXzEJT/OOJoG1KstfVa8ZXJJPlHb+t2MoulPHM=
 k8s.io/mount-utils v0.32.1/go.mod h1:Kun5c2svjAPx0nnvJKYQWhfeNW+O0EpzHgRhDcYoSY0=
 k8s.io/pod-security-admission v0.31.3 h1:8NzEV0HtdStX367AuSKfRMIZHn0hT4xuz8xNEf7/zO8=
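Review bot: The require bumps of k8s.io/api, apimachinery, apiserver, client-go and component-base to v0.31.6 in the first go.mod hunk do not take effect, because replace directives still pin those five modules at v0.31.3; vendor/modules.txt in this same commit records exactly that with lines such as `# k8s.io/api v0.31.6 => k8s.io/api v0.31.3`. This hunk only moves k8s.io/kubelet and k8s.io/kubernetes to v0.31.6/v1.31.6, which may well be all the CVE fix needs, but the require block now misstates what is built and go.sum carries entries for module versions that are never compiled. If the intent is to move the whole k8s.io set, the replace lines for those five modules (elsewhere in the replace block, outside this hunk) should be bumped too, e.g. `k8s.io/api => k8s.io/api v0.31.6`; otherwise the require lines should stay at the replaced versions so go.mod and modules.txt agree. The remaining replaces left at v0.31.3 (kube-proxy, kube-scheduler, kubectl, legacy-cloud-providers, metrics, pod-security-admission) deserve an explicit decision in the commit message for a security bump.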
diff --git a/vendor/k8s.io/kubernetes/pkg/features/kube_features.go b/vendor/k8s.io/kubernetes/pkg/features/kube_features.go
index 519d448dd..115644280 100644
--- a/vendor/k8s.io/kubernetes/pkg/features/kube_features.go
+++ b/vendor/k8s.io/kubernetes/pkg/features/kube_features.go
@@ -524,7 +524,8 @@ const (
 // alpha: v1.27
 // beta: v1.30
 //
- // Enables querying logs of node services using the /logs endpoint
+ // Enables querying logs of node services using the /logs endpoint. Enabling this feature has security implications.
+ // The recommendation is to enable it on a need basis for debugging purposes and disabling otherwise.
 NodeLogQuery featuregate.Feature = "NodeLogQuery"
 
 // owner: @xing-yang @sonasingh46
diff --git a/vendor/k8s.io/kubernetes/pkg/volume/util/device_util_linux.go b/vendor/k8s.io/kubernetes/pkg/volume/util/device_util_linux.go
index 66ac77835..18cbec072 100644
--- a/vendor/k8s.io/kubernetes/pkg/volume/util/device_util_linux.go
+++ b/vendor/k8s.io/kubernetes/pkg/volume/util/device_util_linux.go
@@ -31,8 +31,13 @@ import (
 "k8s.io/klog/v2"
 )
 
-// FindMultipathDeviceForDevice given a device name like /dev/sdx, find the devicemapper parent
+// FindMultipathDeviceForDevice given a device name like /dev/sdx, find the devicemapper parent. If called with a device
+// already resolved to devicemapper, do nothing.
 func (handler *deviceHandler) FindMultipathDeviceForDevice(device string) string {
+ if strings.HasPrefix(device, "/dev/dm-") {
+ return device
+ }
+
 io := handler.getIo
 disk, err := findDeviceForPath(device, io)
 if err != nil {
diff --git a/vendor/k8s.io/kubernetes/pkg/volume/util/recyclerclient/recycler_client.go b/vendor/k8s.io/kubernetes/pkg/volume/util/recyclerclient/recycler_client.go
index b7197dbdf..e438ba21e 100644
--- a/vendor/k8s.io/kubernetes/pkg/volume/util/recyclerclient/recycler_client.go
+++ b/vendor/k8s.io/kubernetes/pkg/volume/util/recyclerclient/recycler_client.go
@@ -18,11 +18,12 @@ package recyclerclient
 
 import (
 "context"
+ "errors"
 "fmt"
 "sync"
 
 "k8s.io/api/core/v1"
- "k8s.io/apimachinery/pkg/api/errors"
+ apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/fields"
 "k8s.io/apimachinery/pkg/watch"
@@ -72,7 +73,7 @@ func internalRecycleVolumeByWatchingPodUntilCompletion(pvName string, pod *v1.Po
 // Start the pod
 _, err = recyclerClient.CreatePod(pod)
 if err != nil {
- if errors.IsAlreadyExists(err) {
+ if apierrors.IsAlreadyExists(err) {
 deleteErr := recyclerClient.DeletePod(pod.Name, pod.Namespace)
 if deleteErr != nil {
 return fmt.Errorf("failed to delete old recycler pod %s/%s: %s", pod.Namespace, pod.Name, deleteErr)
@@ -128,7 +129,7 @@ func waitForPod(pod *v1.Pod, recyclerClient recyclerClient, podCh <-chan watch.E
 }
 if pod.Status.Phase == v1.PodFailed {
 if pod.Status.Message != "" {
- return fmt.Errorf(pod.Status.Message)
+ return errors.New(pod.Status.Message)
 }
 return fmt.Errorf("pod failed, pod.Status.Message unknown")
 }
diff --git a/vendor/k8s.io/kubernetes/test/e2e/framework/debug/resource_usage_gatherer.go b/vendor/k8s.io/kubernetes/test/e2e/framework/debug/resource_usage_gatherer.go
index 9c6537ed9..7e6875b49 100644
--- a/vendor/k8s.io/kubernetes/test/e2e/framework/debug/resource_usage_gatherer.go
+++ b/vendor/k8s.io/kubernetes/test/e2e/framework/debug/resource_usage_gatherer.go
@@ -21,6 +21,7 @@ import (
 "bytes"
 "context"
 "encoding/json"
+ "errors"
 "fmt"
 "math"
 "regexp"
@@ -595,7 +596,7 @@ func (g *ContainerResourceGatherer) StopAndSummarize(percentiles []int, constrai
 }
 }
 if len(violatedConstraints) > 0 {
- return &summary, fmt.Errorf(strings.Join(violatedConstraints, "\n"))
+ return &summary, errors.New(strings.Join(violatedConstraints, "\n"))
 }
 return &summary, nil
 }
diff --git a/vendor/k8s.io/kubernetes/test/e2e/framework/flake_reporting_util.go b/vendor/k8s.io/kubernetes/test/e2e/framework/flake_reporting_util.go
index 36d9baa98..103345fb6 100644
--- a/vendor/k8s.io/kubernetes/test/e2e/framework/flake_reporting_util.go
+++ b/vendor/k8s.io/kubernetes/test/e2e/framework/flake_reporting_util.go
@@ -57,7 +57,7 @@ func (f *FlakeReport) RecordFlakeIfError(err error, optionalDescription ...inter
 if desc != "" {
 msg = fmt.Sprintf("%v (Description: %v)", msg, desc)
 }
- Logf(msg)
+ Logf("%s", msg)
 f.lock.Lock()
 defer f.lock.Unlock()
 f.Flakes = append(f.Flakes, msg)
diff --git a/vendor/k8s.io/kubernetes/test/e2e/framework/framework.go b/vendor/k8s.io/kubernetes/test/e2e/framework/framework.go
index a71d46c7b..ff08e25b4 100644
--- a/vendor/k8s.io/kubernetes/test/e2e/framework/framework.go
+++ b/vendor/k8s.io/kubernetes/test/e2e/framework/framework.go
@@ -311,7 +311,7 @@ func printSummaries(summaries []TestDataSummary, testBaseName string) {
 switch TestContext.OutputPrintType {
 case "hr":
 if TestContext.ReportDir == "" {
- Logf(summaries[i].PrintHumanReadable())
+ Logf("%s", summaries[i].PrintHumanReadable())
 } else {
 // TODO: learn to extract test name and append it to the kind instead of timestamp.
 filePath := path.Join(TestContext.ReportDir, summaries[i].SummaryKind()+"_"+testBaseName+"_"+now.Format(time.RFC3339)+".txt")
@@ -393,7 +393,7 @@ func (f *Framework) AfterEach(ctx context.Context) {
 for namespaceKey, namespaceErr := range nsDeletionErrors {
 messages = append(messages, fmt.Sprintf("Couldn't delete ns: %q: %s (%#v)", namespaceKey, namespaceErr, namespaceErr))
 }
- Failf(strings.Join(messages, ","))
+ Fail(strings.Join(messages, ","))
 }
 }()
 
diff --git a/vendor/k8s.io/kubernetes/test/e2e/framework/node/resource.go b/vendor/k8s.io/kubernetes/test/e2e/framework/node/resource.go
index a57473bab..a7750399c 100644
--- a/vendor/k8s.io/kubernetes/test/e2e/framework/node/resource.go
+++ b/vendor/k8s.io/kubernetes/test/e2e/framework/node/resource.go
@@ -128,7 +128,7 @@ func isNodeConditionSetAsExpected(node *v1.Node, conditionType v1.NodeConditionT
 conditionType, node.Name, cond.Status == v1.ConditionTrue, taints)
 }
 if !silent {
- framework.Logf(msg)
+ framework.Logf("%s", msg)
 }
 return false
 }
@@ -822,6 +822,6 @@ func verifyThatTaintIsGone(ctx context.Context, c clientset.Interface, nodeName
 // TODO use wrapper methods in expect.go after removing core e2e dependency on node
 gomega.ExpectWithOffset(2, err).NotTo(gomega.HaveOccurred())
 if taintExists(nodeUpdated.Spec.Taints, taint) {
- framework.Failf("Failed removing taint " + taint.ToString() + " of the node " + nodeName)
+ framework.Fail("Failed removing taint " + taint.ToString() + " of the node " + nodeName)
 }
 }
diff --git a/vendor/k8s.io/kubernetes/test/e2e/framework/skipper/skipper.go b/vendor/k8s.io/kubernetes/test/e2e/framework/skipper/skipper.go
index 7d3b3d6b3..955ff2607 100644
--- a/vendor/k8s.io/kubernetes/test/e2e/framework/skipper/skipper.go
+++ b/vendor/k8s.io/kubernetes/test/e2e/framework/skipper/skipper.go
@@ -46,10 +46,13 @@ func Skipf(format string, args ...interface{}) {
 panic("unreachable")
 }
 
+// Skip is an alias for ginkgo.Skip.
+var Skip = ginkgo.Skip
+
 // SkipUnlessAtLeast skips if the value is less than the minValue.
 func SkipUnlessAtLeast(value int, minValue int, message string) {
 if value < minValue {
- skipInternalf(1, message)
+ skipInternalf(1, "%s", message)
 }
 }
 
diff --git a/vendor/k8s.io/kubernetes/test/utils/density_utils.go b/vendor/k8s.io/kubernetes/test/utils/density_utils.go
index 23917ad9f..e0747c489 100644
--- a/vendor/k8s.io/kubernetes/test/utils/density_utils.go
+++ b/vendor/k8s.io/kubernetes/test/utils/density_utils.go
@@ -18,6 +18,7 @@ package utils
 
 import (
 "context"
+ "errors"
 "fmt"
 "strings"
 "time"
@@ -99,7 +100,7 @@ func VerifyLabelsRemoved(c clientset.Interface, nodeName string, labelKeys []str
 }
 for _, labelKey := range labelKeys {
 if node.Labels != nil && len(node.Labels[labelKey]) != 0 {
- return fmt.Errorf("Failed removing label " + labelKey + " of the node " + nodeName)
+ return errors.New("Failed removing label " + labelKey + " of the node " + nodeName)
 }
 }
 return nil
diff --git a/vendor/k8s.io/kubernetes/test/utils/deployment.go b/vendor/k8s.io/kubernetes/test/utils/deployment.go
index a8876d799..eaa618a6c 100644
--- a/vendor/k8s.io/kubernetes/test/utils/deployment.go
+++ b/vendor/k8s.io/kubernetes/test/utils/deployment.go
@@ -18,6 +18,7 @@ package utils
 
 import (
 "context"
+ "errors"
 "fmt"
 "time"
 
@@ -226,7 +227,7 @@ func WaitForDeploymentRevisionAndImage(c clientset.Interface, ns, deploymentName
 })
 if wait.Interrupted(err) {
 LogReplicaSetsOfDeployment(deployment, nil, newRS, logf)
- err = fmt.Errorf(reason)
+ err = errors.New(reason)
 }
 if newRS == nil {
 return fmt.Errorf("deployment %q failed to create new replica set", deploymentName)
diff --git a/vendor/k8s.io/kubernetes/test/utils/image/manifest.go b/vendor/k8s.io/kubernetes/test/utils/image/manifest.go
index 22de8316e..bfed29232 100644
--- a/vendor/k8s.io/kubernetes/test/utils/image/manifest.go
+++ b/vendor/k8s.io/kubernetes/test/utils/image/manifest.go
@@ -229,7 +229,7 @@ func initImageConfigs(list RegistryList) (map[ImageID]Config, map[ImageID]Config
 configs[BusyBox] = Config{list.PromoterE2eRegistry, "busybox", "1.36.1-1"}
 configs[CudaVectorAdd] = Config{list.PromoterE2eRegistry, "cuda-vector-add", "1.0"}
 configs[CudaVectorAdd2] = Config{list.PromoterE2eRegistry, "cuda-vector-add", "2.3"}
- configs[DistrolessIptables] = Config{list.BuildImageRegistry, "distroless-iptables", "v0.5.9"}
+ configs[DistrolessIptables] = Config{list.BuildImageRegistry, "distroless-iptables", "v0.5.13"}
 configs[Etcd] = Config{list.GcEtcdRegistry, "etcd", "3.5.15-0"}
 configs[Httpd] = Config{list.PromoterE2eRegistry, "httpd", "2.4.38-4"}
 configs[HttpdNew] = Config{list.PromoterE2eRegistry, "httpd", "2.4.39-4"}
diff --git a/vendor/k8s.io/kubernetes/test/utils/runners.go b/vendor/k8s.io/kubernetes/test/utils/runners.go
index eccc78ac4..35c002950 100644
--- a/vendor/k8s.io/kubernetes/test/utils/runners.go
+++ b/vendor/k8s.io/kubernetes/test/utils/runners.go
@@ -664,7 +664,7 @@ func (config *RCConfig) start(ctx context.Context) error {
 *config.CreatedPods = startupStatus.Created
 }
 if !config.Silent {
- config.RCConfigLog(startupStatus.String(config.Name))
+ config.RCConfigLog("%s", startupStatus.String(config.Name))
 }
 
 if config.PodStatusFile != nil {
@@ -688,8 +688,8 @@ func (config *RCConfig) start(ctx context.Context) error {
 if podDeletionsCount > config.MaxAllowedPodDeletions {
 // Number of pods which disappeared is over threshold
 err := fmt.Errorf("%d pods disappeared for %s: %v", podDeletionsCount, config.Name, strings.Join(deletedPods, ", "))
- config.RCConfigLog(err.Error())
- config.RCConfigLog(diff.String(sets.NewString()))
+ config.RCConfigLog("%s", err.Error())
+ config.RCConfigLog("%s", diff.String(sets.NewString()))
 return err
 }
 
diff --git a/vendor/modules.txt b/vendor/modules.txt
index c1b24ff6d..5b2fb5465 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -801,7 +801,7 @@ gopkg.in/yaml.v2
 # gopkg.in/yaml.v3 v3.0.1
 ## explicit
 gopkg.in/yaml.v3
-# k8s.io/api v0.31.4 => k8s.io/api v0.31.3
+# k8s.io/api v0.31.6 => k8s.io/api v0.31.3
 ## explicit; go 1.22.0
 k8s.io/api/admission/v1
 k8s.io/api/admission/v1beta1
@@ -866,7 +866,7 @@ k8s.io/api/storagemigration/v1alpha1
 k8s.io/apiextensions-apiserver/pkg/apis/apiextensions
 k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1
 k8s.io/apiextensions-apiserver/pkg/features
-# k8s.io/apimachinery v0.31.4 => k8s.io/apimachinery v0.31.3
+# k8s.io/apimachinery v0.31.6 => k8s.io/apimachinery v0.31.3
 ## explicit; go 1.22.0
 k8s.io/apimachinery/pkg/api/equality
 k8s.io/apimachinery/pkg/api/errors
@@ -933,7 +933,7 @@ k8s.io/apimachinery/pkg/watch
 k8s.io/apimachinery/third_party/forked/golang/json
 k8s.io/apimachinery/third_party/forked/golang/netutil
 k8s.io/apimachinery/third_party/forked/golang/reflect
-# k8s.io/apiserver v0.31.3 => k8s.io/apiserver v0.31.3
+# k8s.io/apiserver v0.31.6 => k8s.io/apiserver v0.31.3
 ## explicit; go 1.22.0
 k8s.io/apiserver/pkg/admission
 k8s.io/apiserver/pkg/admission/configuration
@@ -1084,7 +1084,7 @@ k8s.io/apiserver/plugin/pkg/audit/webhook
 k8s.io/apiserver/plugin/pkg/authenticator/token/webhook
 k8s.io/apiserver/plugin/pkg/authorizer/webhook
 k8s.io/apiserver/plugin/pkg/authorizer/webhook/metrics
-# k8s.io/client-go v0.31.4 => k8s.io/client-go v0.31.3
+# k8s.io/client-go v0.31.6 => k8s.io/client-go v0.31.3
 ## explicit; go 1.22.0
 k8s.io/client-go/applyconfigurations
 k8s.io/client-go/applyconfigurations/admissionregistration/v1
@@ -1442,7 +1442,7 @@ k8s.io/cloud-provider/names
 k8s.io/cloud-provider/node/helpers
 k8s.io/cloud-provider/options
 k8s.io/cloud-provider/service/helpers
-# k8s.io/component-base v0.31.3 => k8s.io/component-base v0.31.3
+# k8s.io/component-base v0.31.6 => k8s.io/component-base v0.31.3
 ## explicit; go 1.22.0
 k8s.io/component-base/cli/flag
 k8s.io/component-base/config
@@ -1525,11 +1525,11 @@ k8s.io/kube-openapi/pkg/validation/strfmt/bson
 ## explicit; go 1.22.0
 k8s.io/kubectl/pkg/scale
 k8s.io/kubectl/pkg/util/podutils
-# k8s.io/kubelet v0.31.3 => k8s.io/kubelet v0.31.3
+# k8s.io/kubelet v0.31.3 => k8s.io/kubelet v0.31.6
 ## explicit; go 1.22.0
 k8s.io/kubelet/pkg/apis
 k8s.io/kubelet/pkg/apis/stats/v1alpha1
-# k8s.io/kubernetes v1.31.3 => k8s.io/kubernetes v1.31.3
+# k8s.io/kubernetes v1.31.6 => k8s.io/kubernetes v1.31.6
 ## explicit; go 1.22.0
 k8s.io/kubernetes/pkg/api/legacyscheme
 k8s.io/kubernetes/pkg/api/service
@@ -1816,8 +1816,8 @@ sigs.k8s.io/yaml/goyaml.v2
 # k8s.io/kube-proxy => k8s.io/kube-proxy v0.31.3
 # k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.31.3
 # k8s.io/kubectl => k8s.io/kubectl v0.31.3
-# k8s.io/kubelet => k8s.io/kubelet v0.31.3
-# k8s.io/kubernetes => k8s.io/kubernetes v1.31.3
+# k8s.io/kubelet => k8s.io/kubelet v0.31.6
+# k8s.io/kubernetes => k8s.io/kubernetes v1.31.6
 # k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.31.3
 # k8s.io/metrics => k8s.io/metrics v0.31.3
 # k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.31.3