From 219d24113cd38182061306d3c21da61e8bd90f37 Mon Sep 17 00:00:00 2001
From: andyzhangx
Date: Sat, 28 Jun 2025 05:28:24 +0000
Subject: [PATCH] fix: CVE-2025-4563

---
 go.mod | 4 ++--
 go.sum | 4 ++--
 .../pkg/apis/core/validation/validation.go | 7 +++++++
 .../kubernetes/pkg/features/kube_features.go | 6 ++++++
 .../pkg/features/versioned_kube_features.go | 4 ++++
 .../kubernetes/pkg/kubelet/config/common.go | 6 ++++++
 .../kubernetes/pkg/util/kernel/constants.go | 4 ----
 .../kubernetes/pkg/volume/util/resize_util.go | 21 +++++++++++++++++++
 .../kubernetes/test/utils/image/manifest.go | 2 +-
 vendor/modules.txt | 4 ++--
 10 files changed, 51 insertions(+), 11 deletions(-)

diff --git a/go.mod b/go.mod
index 1612cca13..c7b58a778 100644
--- a/go.mod
+++ b/go.mod
@@ -37,7 +37,7 @@ require (
 	k8s.io/client-go v0.32.4
 	k8s.io/component-base v0.32.4
 	k8s.io/klog/v2 v2.130.1
-	k8s.io/kubernetes v1.32.2
+	k8s.io/kubernetes v1.32.6
 	k8s.io/mount-utils v0.32.2
 	k8s.io/pod-security-admission v0.31.1
 	k8s.io/utils v0.0.0-20250502105355-0f33e8f1c979
@@ -221,7 +221,7 @@ replace (
 	k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.32.2
 	k8s.io/kubectl => k8s.io/kubectl v0.32.2
 	k8s.io/kubelet => k8s.io/kubelet v0.32.2
-	k8s.io/kubernetes => k8s.io/kubernetes v1.32.2
+	k8s.io/kubernetes => k8s.io/kubernetes v1.32.6
 	k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.32.2
 	k8s.io/metrics => k8s.io/metrics v0.32.2
 	k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.32.2
diff --git a/go.sum b/go.sum
index 2d49b706e..15c55a2ea 100644
--- a/go.sum
+++ b/go.sum
@@ -511,8 +511,8 @@ k8s.io/kubectl v0.32.2 h1:TAkag6+XfSBgkqK9I7ZvwtF0WVtUAvK8ZqTt+5zi1Us=
 k8s.io/kubectl v0.32.2/go.mod h1:+h/NQFSPxiDZYX/WZaWw9fwYezGLISP0ud8nQKg+3g8=
 k8s.io/kubelet v0.32.2 h1:WFTSYdt3BB1aTApDuKNI16x/4MYqqX8WBBBBh3KupDg=
 k8s.io/kubelet v0.32.2/go.mod h1:cC1ms5RS+lu0ckVr6AviCQXHLSPKEBC3D5oaCBdTGkI=
-k8s.io/kubernetes v1.32.2 h1:mShetlA102UpjRVSGzB+5vjJwy8oPy8FMWrkTH5f37o=
-k8s.io/kubernetes v1.32.2/go.mod h1:tiIKO63GcdPRBHW2WiUFm3C0eoLczl3f7qi56Dm1W8I=
+k8s.io/kubernetes v1.32.6 h1:tp1gRjOqZjaoFBek5PN6eSmODdS1QRrH5UKiFP8ZByg=
+k8s.io/kubernetes v1.32.6/go.mod h1:REY0Gok66BTTrbGyZaFMNKO9JhxvgBDW9B7aksWRFoY=
 k8s.io/mount-utils v0.32.2 h1:aDwp+ucWiVnDr/LpRg88/dsXf/vm6gI1VZkYH3+3+Vw=
 k8s.io/mount-utils v0.32.2/go.mod h1:Kun5c2svjAPx0nnvJKYQWhfeNW+O0EpzHgRhDcYoSY0=
 k8s.io/pod-security-admission v0.32.2 h1:zDfAb/t0LbNU3z0ZMHtCb1zp8x05gWCGhmBYpUptm9A=
diff --git a/vendor/k8s.io/kubernetes/pkg/apis/core/validation/validation.go b/vendor/k8s.io/kubernetes/pkg/apis/core/validation/validation.go
index 694896ee7..797783912 100644
--- a/vendor/k8s.io/kubernetes/pkg/apis/core/validation/validation.go
+++ b/vendor/k8s.io/kubernetes/pkg/apis/core/validation/validation.go
@@ -3031,6 +3031,13 @@ func gatherPodResourceClaimNames(claims []core.PodResourceClaim) sets.Set[string
 }
 
 func validatePodResourceClaim(podMeta *metav1.ObjectMeta, claim core.PodResourceClaim, podClaimNames *sets.Set[string], fldPath *field.Path) field.ErrorList {
+	// static pods don't support resource claims
+	if podMeta != nil {
+		if _, ok := podMeta.Annotations[core.MirrorPodAnnotationKey]; ok {
+			return field.ErrorList{field.Forbidden(field.NewPath(""), "static pods do not support resource claims")}
+		}
+	}
+
 	var allErrs field.ErrorList
 	if claim.Name == "" {
 		allErrs = append(allErrs, field.Required(fldPath.Child("name"), ""))
diff --git a/vendor/k8s.io/kubernetes/pkg/features/kube_features.go b/vendor/k8s.io/kubernetes/pkg/features/kube_features.go
index d3260f58e..262f396b8 100644
--- a/vendor/k8s.io/kubernetes/pkg/features/kube_features.go
+++ b/vendor/k8s.io/kubernetes/pkg/features/kube_features.go
@@ -456,6 +456,12 @@ const (
 	// Permits kubelet to run with swap enabled.
 	NodeSwap featuregate.Feature = "NodeSwap"
 
+	// owner: @cici37
+	// kep: https://kep.k8s.io/5080
+	//
+	// Enables ordered namespace deletion.
+	OrderedNamespaceDeletion featuregate.Feature = "OrderedNamespaceDeletion"
+
 	// owner: @mortent, @atiratree, @ravig
 	// kep: http://kep.k8s.io/3018
 	//
diff --git a/vendor/k8s.io/kubernetes/pkg/features/versioned_kube_features.go b/vendor/k8s.io/kubernetes/pkg/features/versioned_kube_features.go
index 06bde9394..30406ae3e 100644
--- a/vendor/k8s.io/kubernetes/pkg/features/versioned_kube_features.go
+++ b/vendor/k8s.io/kubernetes/pkg/features/versioned_kube_features.go
@@ -556,6 +556,10 @@ var defaultVersionedKubernetesFeatureGates = map[featuregate.Feature]featuregate
 		{Version: version.MustParse("1.30"), Default: true, PreRelease: featuregate.Beta},
 	},
 
+	OrderedNamespaceDeletion: {
+		{Version: version.MustParse("1.30"), Default: false, PreRelease: featuregate.Beta},
+	},
+
 	PDBUnhealthyPodEvictionPolicy: {
 		{Version: version.MustParse("1.26"), Default: false, PreRelease: featuregate.Alpha},
 		{Version: version.MustParse("1.27"), Default: true, PreRelease: featuregate.Beta},
diff --git a/vendor/k8s.io/kubernetes/pkg/kubelet/config/common.go b/vendor/k8s.io/kubernetes/pkg/kubelet/config/common.go
index 69d671262..a73d6372a 100644
--- a/vendor/k8s.io/kubernetes/pkg/kubelet/config/common.go
+++ b/vendor/k8s.io/kubernetes/pkg/kubelet/config/common.go
@@ -106,6 +106,9 @@ type defaultFunc func(pod *api.Pod) error
 // A static pod tried to use a ClusterTrustBundle projected volume source.
 var ErrStaticPodTriedToUseClusterTrustBundle = errors.New("static pods may not use ClusterTrustBundle projected volume sources")
 
+// A static pod tried to use a resource claim.
+var ErrStaticPodTriedToUseResourceClaims = errors.New("static pods may not use ResourceClaims")
+
 // tryDecodeSinglePod takes data and tries to extract valid Pod config information from it.
 func tryDecodeSinglePod(data []byte, defaultFn defaultFunc) (parsed bool, pod *v1.Pod, err error) {
 	// JSON is valid YAML, so this should work for everything.
@@ -152,6 +155,9 @@ func tryDecodeSinglePod(data []byte, defaultFn defaultFunc) (parsed bool, pod *v
 			}
 		}
 	}
+	if len(v1Pod.Spec.ResourceClaims) > 0 {
+		return true, nil, ErrStaticPodTriedToUseResourceClaims
+	}
 	return true, v1Pod, nil
 }
 
diff --git a/vendor/k8s.io/kubernetes/pkg/util/kernel/constants.go b/vendor/k8s.io/kubernetes/pkg/util/kernel/constants.go
index ea46d46cb..1467f6c22 100644
--- a/vendor/k8s.io/kubernetes/pkg/util/kernel/constants.go
+++ b/vendor/k8s.io/kubernetes/pkg/util/kernel/constants.go
@@ -44,10 +44,6 @@ const TCPFinTimeoutNamespacedKernelVersion = "4.6"
 // (ref: https://github.com/torvalds/linux/commit/35dfb013149f74c2be1ff9c78f14e6a3cd1539d1)
 const IPVSConnReuseModeFixedKernelVersion = "5.9"
 
-// UserNamespacesSupportKernelVersion is the kernel version where idmap for tmpfs support was added
-// (ref: https://github.com/torvalds/linux/commit/05e6295f7b5e05f09e369a3eb2882ec5b40fff20)
-const UserNamespacesSupportKernelVersion = "6.3"
-
 const TmpfsNoswapSupportKernelVersion = "6.4"
 
 // NFTablesKubeProxyKernelVersion is the lowest kernel version kube-proxy supports using
diff --git a/vendor/k8s.io/kubernetes/pkg/volume/util/resize_util.go b/vendor/k8s.io/kubernetes/pkg/volume/util/resize_util.go
index 2bf54b4b8..599f22097 100644
--- a/vendor/k8s.io/kubernetes/pkg/volume/util/resize_util.go
+++ b/vendor/k8s.io/kubernetes/pkg/volume/util/resize_util.go
@@ -236,6 +236,27 @@ func MarkFSResizeFinished(
 	return updatedPVC, err
 }
 
+func MarkNodeExpansionFinishedWithRecovery(
+	pvc *v1.PersistentVolumeClaim,
+	newSize resource.Quantity,
+	kubeClient clientset.Interface) (*v1.PersistentVolumeClaim, error) {
+	newPVC := pvc.DeepCopy()
+
+	newPVC.Status.Capacity[v1.ResourceStorage] = newSize
+
+	allocatedResourceStatusMap := newPVC.Status.AllocatedResourceStatuses
+	delete(allocatedResourceStatusMap, v1.ResourceStorage)
+	if len(allocatedResourceStatusMap) == 0 {
+		newPVC.Status.AllocatedResourceStatuses = nil
+	} else {
+		newPVC.Status.AllocatedResourceStatuses = allocatedResourceStatusMap
+	}
+
+	newPVC = MergeResizeConditionOnPVC(newPVC, []v1.PersistentVolumeClaimCondition{}, false /* keepOldResizeConditions */)
+	updatedPVC, err := PatchPVCStatus(pvc /*oldPVC*/, newPVC, kubeClient)
+	return updatedPVC, err
+}
+
 // MarkNodeExpansionInfeasible marks a PVC for node expansion as failed. Kubelet should not retry expansion
 // of volumes which are in failed state.
 func MarkNodeExpansionInfeasible(pvc *v1.PersistentVolumeClaim, kubeClient clientset.Interface, err error) (*v1.PersistentVolumeClaim, error) {
diff --git a/vendor/k8s.io/kubernetes/test/utils/image/manifest.go b/vendor/k8s.io/kubernetes/test/utils/image/manifest.go
index 02876dd94..135e121de 100644
--- a/vendor/k8s.io/kubernetes/test/utils/image/manifest.go
+++ b/vendor/k8s.io/kubernetes/test/utils/image/manifest.go
@@ -223,7 +223,7 @@ func initImageConfigs(list RegistryList) (map[ImageID]Config, map[ImageID]Config
 	configs[APIServer] = Config{list.PromoterE2eRegistry, "sample-apiserver", "1.29.2"}
 	configs[AppArmorLoader] = Config{list.PromoterE2eRegistry, "apparmor-loader", "1.4"}
 	configs[BusyBox] = Config{list.PromoterE2eRegistry, "busybox", "1.36.1-1"}
-	configs[DistrolessIptables] = Config{list.BuildImageRegistry, "distroless-iptables", "v0.6.8"}
+	configs[DistrolessIptables] = Config{list.BuildImageRegistry, "distroless-iptables", "v0.6.11"}
 	configs[Etcd] = Config{list.GcEtcdRegistry, "etcd", "3.5.16-0"}
 	configs[Httpd] = Config{list.PromoterE2eRegistry, "httpd", "2.4.38-4"}
 	configs[HttpdNew] = Config{list.PromoterE2eRegistry, "httpd", "2.4.39-4"}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index b73e0e0ff..ad036983a 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1691,7 +1691,7 @@ k8s.io/kubelet/pkg/apis/pluginregistration/v1
 k8s.io/kubelet/pkg/apis/podresources/v1
 k8s.io/kubelet/pkg/apis/podresources/v1alpha1
 k8s.io/kubelet/pkg/apis/stats/v1alpha1
-# k8s.io/kubernetes v1.32.2 => k8s.io/kubernetes v1.32.2
+# k8s.io/kubernetes v1.32.6 => k8s.io/kubernetes v1.32.6
 ## explicit; go 1.23.0
 k8s.io/kubernetes/pkg/api/legacyscheme
 k8s.io/kubernetes/pkg/api/service
@@ -2052,7 +2052,7 @@ sigs.k8s.io/yaml/goyaml.v2
 # k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.32.2
 # k8s.io/kubectl => k8s.io/kubectl v0.32.2
 # k8s.io/kubelet => k8s.io/kubelet v0.32.2
-# k8s.io/kubernetes => k8s.io/kubernetes v1.32.2
+# k8s.io/kubernetes => k8s.io/kubernetes v1.32.6
 # k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.32.2
 # k8s.io/metrics => k8s.io/metrics v0.32.2
 # k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.32.2