Upstream-Status: Backport 
[https://github.com/kubernetes/kubernetes/pull/124325/commits/3f0922513d235d8bdebe79f0d07da769c04211b8]

Signed-off-by: Ashish Sharma <asha...@mvista.com>
---
 .../kubernetes/kubernetes/CVE-2024-3177.patch | 237 ++++++++++++++++++
 .../kubernetes/kubernetes_git.bb              |   1 +
 2 files changed, 238 insertions(+)
 create mode 100644 recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch

diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch 
b/recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch
new file mode 100644
index 00000000..20b2ea8a
--- /dev/null
+++ b/recipes-containers/kubernetes/kubernetes/CVE-2024-3177.patch
@@ -0,0 +1,237 @@
+From 3f0922513d235d8bdebe79f0d07da769c04211b8 Mon Sep 17 00:00:00 2001
+From: Rita Zhang <rita.z.zh...@gmail.com>
+Date: Mon, 25 Mar 2024 10:33:41 -0700
+Subject: [PATCH] Add envFrom to serviceaccount admission plugin
+
+Signed-off-by: Rita Zhang <rita.z.zh...@gmail.com>
+
+Upstream-Status: Backport 
[https://github.com/kubernetes/kubernetes/pull/124325/commits/3f0922513d235d8bdebe79f0d07da769c04211b8]
+CVE: CVE-2024-3177
+Signed-off-by: Ashish Sharma <asha...@mvista.com>
+
+ .../pkg/admission/serviceaccount/admission.go |  21 +++
+ .../serviceaccount/admission_test.go          | 122 ++++++++++++++++--
+ 2 files changed, 132 insertions(+), 11 deletions(-)
+
+diff --git a/plugin/pkg/admission/serviceaccount/admission.go 
b/plugin/pkg/admission/serviceaccount/admission.go
+index c844a051c24b..3f4338128e53 100644
+--- a/plugin/pkg/admission/serviceaccount/admission.go
++++ b/plugin/pkg/admission/serviceaccount/admission.go
+@@ -337,6 +337,13 @@ func (s *Plugin) limitSecretReferences(serviceAccount 
*corev1.ServiceAccount, po
+                               }
+                       }
+               }
++              for _, envFrom := range container.EnvFrom {
++                      if envFrom.SecretRef != nil {
++                              if 
!mountableSecrets.Has(envFrom.SecretRef.Name) {
++                                      return fmt.Errorf("init container %s 
with envFrom referencing secret.secretName=\"%s\" is not allowed because 
service account %s does not reference that secret", container.Name, 
envFrom.SecretRef.Name, serviceAccount.Name)
++                              }
++                      }
++              }
+       }
+ 
+       for _, container := range pod.Spec.Containers {
+@@ -347,6 +354,13 @@ func (s *Plugin) limitSecretReferences(serviceAccount 
*corev1.ServiceAccount, po
+                               }
+                       }
+               }
++              for _, envFrom := range container.EnvFrom {
++                      if envFrom.SecretRef != nil {
++                              if 
!mountableSecrets.Has(envFrom.SecretRef.Name) {
++                                      return fmt.Errorf("container %s with 
envFrom referencing secret.secretName=\"%s\" is not allowed because service 
account %s does not reference that secret", container.Name, 
envFrom.SecretRef.Name, serviceAccount.Name)
++                              }
++                      }
++              }
+       }
+ 
+       // limit pull secret references as well
+@@ -388,6 +402,13 @@ func (s *Plugin) 
limitEphemeralContainerSecretReferences(pod *api.Pod, a admissi
+                               }
+                       }
+               }
++              for _, envFrom := range container.EnvFrom {
++                      if envFrom.SecretRef != nil {
++                              if 
!mountableSecrets.Has(envFrom.SecretRef.Name) {
++                                      return fmt.Errorf("ephemeral container 
%s with envFrom referencing secret.secretName=\"%s\" is not allowed because 
service account %s does not reference that secret", container.Name, 
envFrom.SecretRef.Name, serviceAccount.Name)
++                              }
++                      }
++              }
+       }
+       return nil
+ }
+diff --git a/plugin/pkg/admission/serviceaccount/admission_test.go 
b/plugin/pkg/admission/serviceaccount/admission_test.go
+index bf15f870d75a..4dba6cd8b13e 100644
+--- a/plugin/pkg/admission/serviceaccount/admission_test.go
++++ b/plugin/pkg/admission/serviceaccount/admission_test.go
+@@ -521,6 +521,25 @@ func TestAllowsReferencedSecret(t *testing.T) {
+               t.Errorf("Unexpected error: %v", err)
+       }
+ 
++      pod2 = &api.Pod{
++              Spec: api.PodSpec{
++                      Containers: []api.Container{
++                              {
++                                      Name: "container-1",
++                                      EnvFrom: []api.EnvFromSource{
++                                              {
++                                                      SecretRef: 
&api.SecretEnvSource{
++                                                              
LocalObjectReference: api.LocalObjectReference{
++                                                                      Name: 
"foo"}}}},
++                              },
++                      },
++              },
++      }
++      attrs = admission.NewAttributesRecord(pod2, nil, 
api.Kind("Pod").WithVersion("version"), ns, "myname", 
api.Resource("pods").WithVersion("version"), "", admission.Create, 
&metav1.CreateOptions{}, false, nil)
++      if err := admissiontesting.WithReinvocationTesting(t, 
admit).Admit(context.TODO(), attrs, nil); err != nil {
++              t.Errorf("Unexpected error: %v", err)
++      }
++
+       pod2 = &api.Pod{
+               Spec: api.PodSpec{
+                       InitContainers: []api.Container{
+@@ -545,6 +564,25 @@ func TestAllowsReferencedSecret(t *testing.T) {
+               t.Errorf("Unexpected error: %v", err)
+       }
+ 
++      pod2 = &api.Pod{
++              Spec: api.PodSpec{
++                      InitContainers: []api.Container{
++                              {
++                                      Name: "container-1",
++                                      EnvFrom: []api.EnvFromSource{
++                                              {
++                                                      SecretRef: 
&api.SecretEnvSource{
++                                                              
LocalObjectReference: api.LocalObjectReference{
++                                                                      Name: 
"foo"}}}},
++                              },
++                      },
++              },
++      }
++      attrs = admission.NewAttributesRecord(pod2, nil, 
api.Kind("Pod").WithVersion("version"), ns, "myname", 
api.Resource("pods").WithVersion("version"), "", admission.Create, 
&metav1.CreateOptions{}, false, nil)
++      if err := admissiontesting.WithReinvocationTesting(t, 
admit).Admit(context.TODO(), attrs, nil); err != nil {
++              t.Errorf("Unexpected error: %v", err)
++      }
++
+       pod2 = &api.Pod{
+               Spec: api.PodSpec{
+                       ServiceAccountName: DefaultServiceAccountName,
+@@ -572,6 +610,28 @@ func TestAllowsReferencedSecret(t *testing.T) {
+       if err := admit.Validate(context.TODO(), attrs, nil); err != nil {
+               t.Errorf("Unexpected error: %v", err)
+       }
++
++      pod2 = &api.Pod{
++              Spec: api.PodSpec{
++                      ServiceAccountName: DefaultServiceAccountName,
++                      EphemeralContainers: []api.EphemeralContainer{
++                              {
++                                      EphemeralContainerCommon: 
api.EphemeralContainerCommon{
++                                              Name: "container-2",
++                                              EnvFrom: []api.EnvFromSource{{
++                                                      SecretRef: 
&api.SecretEnvSource{
++                                                              
LocalObjectReference: api.LocalObjectReference{
++                                                                      Name: 
"foo"}}}},
++                                      },
++                              },
++                      },
++              },
++      }
++      // validate enforces restrictions on secret mounts when 
operation==update and subresource==ephemeralcontainers"
++      attrs = admission.NewAttributesRecord(pod2, nil, 
api.Kind("Pod").WithVersion("version"), ns, "myname", 
api.Resource("pods").WithVersion("version"), "ephemeralcontainers", 
admission.Update, &metav1.UpdateOptions{}, false, nil)
++      if err := admit.Validate(context.TODO(), attrs, nil); err != nil {
++              t.Errorf("Unexpected error: %v", err)
++      }
+ }
+ 
+ func TestRejectsUnreferencedSecretVolumes(t *testing.T) {
+@@ -628,25 +688,20 @@ func TestRejectsUnreferencedSecretVolumes(t *testing.T) {
+ 
+       pod2 = &api.Pod{
+               Spec: api.PodSpec{
+-                      InitContainers: []api.Container{
++                      Containers: []api.Container{
+                               {
+                                       Name: "container-1",
+-                                      Env: []api.EnvVar{
++                                      EnvFrom: []api.EnvFromSource{
+                                               {
+-                                                      Name: "env-1",
+-                                                      ValueFrom: 
&api.EnvVarSource{
+-                                                              SecretKeyRef: 
&api.SecretKeySelector{
+-                                                                      
LocalObjectReference: api.LocalObjectReference{Name: "foo"},
+-                                                              },
+-                                                      },
+-                                              },
+-                                      },
++                                                      SecretRef: 
&api.SecretEnvSource{
++                                                              
LocalObjectReference: api.LocalObjectReference{
++                                                                      Name: 
"foo"}}}},
+                               },
+                       },
+               },
+       }
+       attrs = admission.NewAttributesRecord(pod2, nil, 
api.Kind("Pod").WithVersion("version"), ns, "myname", 
api.Resource("pods").WithVersion("version"), "", admission.Create, 
&metav1.CreateOptions{}, false, nil)
+-      if err := admissiontesting.WithReinvocationTesting(t, 
admit).Admit(context.TODO(), attrs, nil); err == nil || 
!strings.Contains(err.Error(), "with envVar") {
++      if err := admissiontesting.WithReinvocationTesting(t, 
admit).Admit(context.TODO(), attrs, nil); err == nil || 
!strings.Contains(err.Error(), "with envFrom") {
+               t.Errorf("Unexpected error: %v", err)
+       }
+ 
+@@ -679,6 +734,30 @@ func TestRejectsUnreferencedSecretVolumes(t *testing.T) {
+               t.Errorf("validate only enforces restrictions on secret mounts 
when operation==create and subresource==''. Unexpected error: %v", err)
+       }
+ 
++      pod2 = &api.Pod{
++              Spec: api.PodSpec{
++                      ServiceAccountName: DefaultServiceAccountName,
++                      InitContainers: []api.Container{
++                              {
++                                      Name: "container-1",
++                                      EnvFrom: []api.EnvFromSource{
++                                              {
++                                                      SecretRef: 
&api.SecretEnvSource{
++                                                              
LocalObjectReference: api.LocalObjectReference{
++                                                                      Name: 
"foo"}}}},
++                              },
++                      },
++              },
++      }
++      attrs = admission.NewAttributesRecord(pod2, nil, 
api.Kind("Pod").WithVersion("version"), ns, "myname", 
api.Resource("pods").WithVersion("version"), "", admission.Update, 
&metav1.UpdateOptions{}, false, nil)
++      if err := admissiontesting.WithReinvocationTesting(t, 
admit).Admit(context.TODO(), attrs, nil); err != nil {
++              t.Errorf("admit only enforces restrictions on secret mounts 
when operation==create. Unexpected error: %v", err)
++      }
++      attrs = admission.NewAttributesRecord(pod2, nil, 
api.Kind("Pod").WithVersion("version"), ns, "myname", 
api.Resource("pods").WithVersion("version"), "", admission.Create, 
&metav1.CreateOptions{}, false, nil)
++      if err := admit.Validate(context.TODO(), attrs, nil); err == nil || 
!strings.Contains(err.Error(), "with envFrom") {
++              t.Errorf("validate only enforces restrictions on secret mounts 
when operation==create and subresource==''. Unexpected error: %v", err)
++      }
++
+       pod2 = &api.Pod{
+               Spec: api.PodSpec{
+                       ServiceAccountName: DefaultServiceAccountName,
+@@ -709,6 +788,27 @@ func TestRejectsUnreferencedSecretVolumes(t *testing.T) {
+       if err := admit.Validate(context.TODO(), attrs, nil); err == nil || 
!strings.Contains(err.Error(), "with envVar") {
+               t.Errorf("validate enforces restrictions on secret mounts when 
operation==update and subresource==ephemeralcontainers. Unexpected error: %v", 
err)
+       }
++
++      pod2 = &api.Pod{
++              Spec: api.PodSpec{
++                      ServiceAccountName: DefaultServiceAccountName,
++                      EphemeralContainers: []api.EphemeralContainer{
++                              {
++                                      EphemeralContainerCommon: 
api.EphemeralContainerCommon{
++                                              Name: "container-2",
++                                              EnvFrom: []api.EnvFromSource{{
++                                                      SecretRef: 
&api.SecretEnvSource{
++                                                              
LocalObjectReference: api.LocalObjectReference{
++                                                                      Name: 
"foo"}}}},
++                                      },
++                              },
++                      },
++              },
++      }
++      attrs = admission.NewAttributesRecord(pod2, nil, 
api.Kind("Pod").WithVersion("version"), ns, "myname", 
api.Resource("pods").WithVersion("version"), "ephemeralcontainers", 
admission.Update, &metav1.UpdateOptions{}, false, nil)
++      if err := admit.Validate(context.TODO(), attrs, nil); err == nil || 
!strings.Contains(err.Error(), "with envFrom") {
++              t.Errorf("validate enforces restrictions on secret mounts when 
operation==update and subresource==ephemeralcontainers. Unexpected error: %v", 
err)
++      }
+ }
+ 
+ func TestAllowUnreferencedSecretVolumesForPermissiveSAs(t *testing.T) {
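Review bot: The three admission.go hunks in the embedded patch are taken verbatim from upstream master (blob c844a051c24b), but the kubernetes SRCREV this recipe pins is not visible here, so the hunk offsets and the test-side dependencies (`admissiontesting.WithReinvocationTesting`, `api.EphemeralContainerCommon.EnvFrom`) should be confirmed to apply without fuzz against the recipe's version; if upstream published a release-branch cherry-pick for that line, it would be the safer source. The Go change itself looks complete for the CVE's scope: `EnvFrom[].SecretRef.Name` is now checked against `mountableSecrets` for regular, init and ephemeral containers, mirroring the existing `Env[].ValueFrom.SecretKeyRef` check, and both `limitSecretReferences` and `limitEphemeralContainerSecretReferences` begin outside the quoted context. The embedded patch header shows `Upstream-Status: Backport` and its URL on separate lines, which is presumably mail wrapping; verify the committed file keeps `Upstream-Status: Backport [URL]` on one line so the tag is recognised.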
diff --git a/recipes-containers/kubernetes/kubernetes_git.bb 
b/recipes-containers/kubernetes/kubernetes_git.bb
index b0c87c47..78d1cd2a 100644
--- a/recipes-containers/kubernetes/kubernetes_git.bb
+++ b/recipes-containers/kubernetes/kubernetes_git.bb
@@ -35,6 +35,7 @@ SRC_URI:append = " \
            file://cni-containerd-net.conflist \
            file://k8s-init \
            file://99-kubernetes.conf \
+           file://CVE-2024-3177.patch \
           "
 
 DEPENDS += "rsync-native \
-- 
2.35.7
