From 23bb71ee0be9543591e9d6a5d951b01a5eeb97a7 Mon Sep 17 00:00:00 2001 From: andyzhangx Date: Thu, 28 Aug 2025 03:38:56 +0000 Subject: [PATCH] fix: CVE-2025-5187 --- go.mod | 90 +++++------ go.sum | 80 +++++----- vendor/k8s.io/api/resource/v1alpha3/types.go | 4 + vendor/k8s.io/api/resource/v1beta1/types.go | 4 + .../k8s.io/apiserver/pkg/cel/library/cidr.go | 3 +- .../apiserver/pkg/storage/etcd3/watcher.go | 71 +++++---- .../dynamic-resource-allocation/cel/cache.go | 4 +- .../cel/compile.go | 140 +++++++++++++++--- .../kubernetes/test/utils/image/manifest.go | 29 ++-- vendor/modules.txt | 104 ++++++------- 10 files changed, 327 insertions(+), 202 deletions(-) diff --git a/go.mod b/go.mod index ee6e13254..c29d5a9a7 100644 --- a/go.mod +++ b/go.mod @@ -31,14 +31,14 @@ require ( golang.org/x/sync v0.14.0 google.golang.org/grpc v1.67.1 google.golang.org/protobuf v1.36.5 - k8s.io/api v0.32.4 - k8s.io/apimachinery v0.32.4 - k8s.io/apiserver v0.32.4 - k8s.io/client-go v0.32.4 - k8s.io/component-base v0.32.4 + k8s.io/api v0.32.8 + k8s.io/apimachinery v0.32.8 + k8s.io/apiserver v0.32.8 + k8s.io/client-go v0.32.8 + k8s.io/component-base v0.32.8 k8s.io/klog/v2 v2.130.1 - k8s.io/kubernetes v1.32.6 - k8s.io/mount-utils v0.32.2 + k8s.io/kubernetes v1.32.8 + k8s.io/mount-utils v0.32.8 k8s.io/pod-security-admission v0.31.1 k8s.io/utils v0.0.0-20250502105355-0f33e8f1c979 sigs.k8s.io/cloud-provider-azure v1.29.1-0.20250430201754-d0603ee5c5a7 @@ -176,18 +176,18 @@ require ( gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/apiextensions-apiserver v0.0.0 // indirect - k8s.io/cloud-provider v0.32.4 // indirect - k8s.io/component-helpers v0.32.4 // indirect - k8s.io/controller-manager v0.32.4 // indirect - k8s.io/cri-api v0.32.2 // indirect + k8s.io/cloud-provider v0.32.8 // indirect + k8s.io/component-helpers v0.32.8 // indirect + k8s.io/controller-manager v0.32.8 // indirect + k8s.io/cri-api v0.32.8 // indirect k8s.io/cri-client v0.0.0 // indirect k8s.io/csi-translation-lib v0.0.0 // indirect k8s.io/dynamic-resource-allocation v0.0.0 // indirect - k8s.io/kms v0.32.4 // indirect + k8s.io/kms v0.32.8 // indirect k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect k8s.io/kube-scheduler v0.0.0 // indirect k8s.io/kubectl v0.31.1 // indirect - k8s.io/kubelet v0.32.4 // indirect + k8s.io/kubelet v0.32.8 // indirect sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.0 // indirect sigs.k8s.io/cloud-provider-azure/pkg/azclient/cache v0.6.1 // indirect sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect @@ -196,36 +196,36 @@ require ( replace ( github.com/pmezard/go-difflib => github.com/pmezard/go-difflib v1.0.0 // indirect - k8s.io/api => k8s.io/api v0.32.2 - k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.32.2 - k8s.io/apimachinery => k8s.io/apimachinery v0.32.2 - k8s.io/apiserver => k8s.io/apiserver v0.32.2 - k8s.io/cli-runtime => k8s.io/cli-runtime v0.32.2 - k8s.io/client-go => k8s.io/client-go v0.32.2 - k8s.io/cloud-provider => k8s.io/cloud-provider v0.32.2 - k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.32.2 - k8s.io/code-generator => k8s.io/code-generator v0.32.2 - k8s.io/component-base => k8s.io/component-base v0.32.2 - k8s.io/component-helpers => k8s.io/component-helpers v0.32.2 - k8s.io/controller-manager => k8s.io/controller-manager v0.32.2 - k8s.io/cri-api => k8s.io/cri-api v0.32.2 - k8s.io/cri-client => k8s.io/cri-client v0.32.2 - k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.32.2 - k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.32.2 - k8s.io/endpointslice => k8s.io/endpointslice v0.32.2 - k8s.io/externaljwt => k8s.io/externaljwt v0.32.2 - k8s.io/kms => k8s.io/kms v0.32.2 - k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.32.2 - k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.32.2 - k8s.io/kube-proxy => k8s.io/kube-proxy v0.32.2 - k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.32.2 - k8s.io/kubectl => k8s.io/kubectl v0.32.2 - k8s.io/kubelet => k8s.io/kubelet v0.32.2 - k8s.io/kubernetes => k8s.io/kubernetes v1.32.6 - k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.32.2 - k8s.io/metrics => k8s.io/metrics v0.32.2 - k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.32.2 - k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.32.2 - k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.32.2 - k8s.io/sample-controller => k8s.io/sample-controller v0.32.2 + k8s.io/api => k8s.io/api v0.32.8 + k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.32.8 + k8s.io/apimachinery => k8s.io/apimachinery v0.32.8 + k8s.io/apiserver => k8s.io/apiserver v0.32.8 + k8s.io/cli-runtime => k8s.io/cli-runtime v0.32.8 + k8s.io/client-go => k8s.io/client-go v0.32.8 + k8s.io/cloud-provider => k8s.io/cloud-provider v0.32.8 + k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.32.8 + k8s.io/code-generator => k8s.io/code-generator v0.32.8 + k8s.io/component-base => k8s.io/component-base v0.32.8 + k8s.io/component-helpers => k8s.io/component-helpers v0.32.8 + k8s.io/controller-manager => k8s.io/controller-manager v0.32.8 + k8s.io/cri-api => k8s.io/cri-api v0.32.8 + k8s.io/cri-client => k8s.io/cri-client v0.32.8 + k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.32.8 + k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.32.8 + k8s.io/endpointslice => k8s.io/endpointslice v0.32.8 + k8s.io/externaljwt => k8s.io/externaljwt v0.32.8 + k8s.io/kms => k8s.io/kms v0.32.8 + k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.32.8 + k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.32.8 + k8s.io/kube-proxy => k8s.io/kube-proxy v0.32.8 + k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.32.8 + k8s.io/kubectl => k8s.io/kubectl v0.32.8 + k8s.io/kubelet => k8s.io/kubelet v0.32.8 + k8s.io/kubernetes => k8s.io/kubernetes v1.32.8 + k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.32.8 + k8s.io/metrics => k8s.io/metrics v0.32.8 + k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.32.8 + k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.32.8 + k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.32.8 + k8s.io/sample-controller => k8s.io/sample-controller v0.32.8 ) diff --git a/go.sum b/go.sum index 3b8e5efa1..8f9e31ee5 100644 --- a/go.sum +++ b/go.sum @@ -473,50 +473,50 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.32.2 h1:bZrMLEkgizC24G9eViHGOPbW+aRo9duEISRIJKfdJuw= -k8s.io/api v0.32.2/go.mod h1:hKlhk4x1sJyYnHENsrdCWw31FEmCijNGPJO5WzHiJ6Y= -k8s.io/apiextensions-apiserver v0.32.2 h1:2YMk285jWMk2188V2AERy5yDwBYrjgWYggscghPCvV4= -k8s.io/apiextensions-apiserver v0.32.2/go.mod h1:GPwf8sph7YlJT3H6aKUWtd0E+oyShk/YHWQHf/OOgCA= -k8s.io/apimachinery v0.32.2 h1:yoQBR9ZGkA6Rgmhbp/yuT9/g+4lxtsGYwW6dR6BDPLQ= -k8s.io/apimachinery v0.32.2/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE= -k8s.io/apiserver v0.32.2 h1:WzyxAu4mvLkQxwD9hGa4ZfExo3yZZaYzoYvvVDlM6vw= -k8s.io/apiserver v0.32.2/go.mod h1:PEwREHiHNU2oFdte7BjzA1ZyjWjuckORLIK/wLV5goM= -k8s.io/client-go v0.32.2 h1:4dYCD4Nz+9RApM2b/3BtVvBHw54QjMFUl1OLcJG5yOA= -k8s.io/client-go v0.32.2/go.mod h1:fpZ4oJXclZ3r2nDOv+Ux3XcJutfrwjKTCHz2H3sww94= -k8s.io/cloud-provider v0.32.2 h1:8EC+fCYo0r0REczSjOZcVuQPCMxXxCKlgxDbYMrzC30= -k8s.io/cloud-provider v0.32.2/go.mod h1:2s8TeAXhVezp5VISaTxM6vW3yDonOZXoN4Aryz1p1PQ= -k8s.io/component-base v0.32.2 h1:1aUL5Vdmu7qNo4ZsE+569PV5zFatM9hl+lb3dEea2zU= -k8s.io/component-base v0.32.2/go.mod h1:PXJ61Vx9Lg+P5mS8TLd7bCIr+eMJRQTyXe8KvkrvJq0= -k8s.io/component-helpers v0.32.2 h1:2usSAm3zNE5yu5DdAdrKBWLfSYNpU4OPjZywJY5ovP8= -k8s.io/component-helpers v0.32.2/go.mod h1:fvQAoiiOP7jUEUBc9qR0PXiBPuB0I56WTxTkkpcI8g8= -k8s.io/controller-manager v0.32.2 h1:/9XuHWEqofO2Aqa4l7KJGckJUcLVRWfx+qnVkdXoStI= -k8s.io/controller-manager v0.32.2/go.mod h1:o5uo2tLCQhuoMt0RfKcQd0eqaNmSKOKiT+0YELCqXOk= -k8s.io/cri-api v0.32.2 h1:7DuaOHpOcXweZeBUbRdK0iCroxctGp73VwgrA0u7kho= -k8s.io/cri-api v0.32.2/go.mod h1:DCzMuTh2padoinefWME0G678Mc3QFbLMF2vEweGzBAI= -k8s.io/cri-client v0.32.2 h1:vjowJUyu14IbmifqCKJHE9rK/BPSfkXvltqN42W1Zuo= -k8s.io/cri-client v0.32.2/go.mod h1:fRZhmmZW16Qviln8hfy+e8dd2wP/n9B6TiGxLE3zBe0= -k8s.io/csi-translation-lib v0.32.2 h1:aLzAyaoJUc5rgtLi8Xd4No1tet6UpvUsGIgRoGnPSSE= -k8s.io/csi-translation-lib v0.32.2/go.mod h1:PlOKan6Vc0G6a+giQbm36plJ+E1LH+GPRLAVMQMSMcY= -k8s.io/dynamic-resource-allocation v0.32.2 h1:6wP8/GGvhhvTJLrzwPSoMJDnspmosFj1CKmfrAH6m5U= -k8s.io/dynamic-resource-allocation v0.32.2/go.mod h1:+3qnQfvikLHVZrdZ0/gYkRiV96weUR9j7+Ph3Ui/hYU= +k8s.io/api v0.32.8 h1:PhuKPnqsaXYuwmLXRLAmdDJ9EZ2R2kEbOZTq4UE3lGc= +k8s.io/api v0.32.8/go.mod h1:gdRZQ4zXGawr9YrJ5OjTl7aR3TD0mTowtFsqFtpCDXo= +k8s.io/apiextensions-apiserver v0.32.8 h1:iYIIaZmn/BMTwzGYRZnYZysaKB4t2TL3O+0yhmbXE2U= +k8s.io/apiextensions-apiserver v0.32.8/go.mod h1:GTGskWgcBo/7boX33zcS8JY6vaG4s728AdbQPxtheVk= +k8s.io/apimachinery v0.32.8 h1:95I+2jX71Tev+C+UlhNbmKfv+A/TQII42HLskiHZpBg= +k8s.io/apimachinery v0.32.8/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE= +k8s.io/apiserver v0.32.8 h1:QRXnrAxVsKMHW9BinWwhbD0oh78yE817UlLVTTYa3wY= +k8s.io/apiserver v0.32.8/go.mod h1:tqqhcCOS8MRUiNncD7DNsyRWXw04AUJSRISTX4D3FsQ= +k8s.io/client-go v0.32.8 h1:BkSFWUtRz/BbE3DJF98KPg7ix6lwMnIQ9DnHw3iWiSw= +k8s.io/client-go v0.32.8/go.mod h1:vGkCzRxZ7BuRX2zdW7+kOwCdcgOkq9omDWb26wk/sE0= +k8s.io/cloud-provider v0.32.8 h1:9OBBY3IvBDPYUaFXikmAoiuv8kg/A2Ffa3NRMAa+Ssk= +k8s.io/cloud-provider v0.32.8/go.mod h1:/SMmo4ZY4hU8CMypLd4ftRfpyY8vR33f3VF2UAo1Rk0= +k8s.io/component-base v0.32.8 h1:Ez5yxl4Apas9m0gUQfwD60GbMyhfHPbvaYzQkpBDE6k= +k8s.io/component-base v0.32.8/go.mod h1:zrTYhjPNFrItmyFEPiRIL9pgZa4jIgOUyOwrEL7xb10= +k8s.io/component-helpers v0.32.8 h1:Z5g8jnqE+RCndqbfG5hKsrPGTFAecAjn9NphUKIN+ko= +k8s.io/component-helpers v0.32.8/go.mod h1:vTx1Mk59REzJV28uHMxm/uXRAD/XSB5XJbjt2Ic37CA= +k8s.io/controller-manager v0.32.8 h1:+Hi8eIx1xu0qA55kreJ1b9jjrjAnBPC/wIHJWgRdl5o= +k8s.io/controller-manager v0.32.8/go.mod h1:VVliUUeC4M1DX1IFiOEHy2Ssi0GU9AnQpgcJlpO6u50= +k8s.io/cri-api v0.32.8 h1:06o5iDF1Y1qB1CppUxvVz+dg+0xinfDXYG7Te2pkMm0= +k8s.io/cri-api v0.32.8/go.mod h1:DCzMuTh2padoinefWME0G678Mc3QFbLMF2vEweGzBAI= +k8s.io/cri-client v0.32.8 h1:FP32+Hy1G7b2cFmwIZuu9n5Drm72dJxcdbx2+cO/vuE= +k8s.io/cri-client v0.32.8/go.mod h1:1rwOCsN9CgksxDZEYRxQDqx3zsaT/Gk5bh9k2qVwBBA= +k8s.io/csi-translation-lib v0.32.8 h1:ebElR+pEKMcYgrfd32vR2AP+K7T+C9UBpNoL4RG9GWw= +k8s.io/csi-translation-lib v0.32.8/go.mod h1:d9PtcJUR/Cbqwp5wK4VxsBBE8SkoHQ6GxMaXZxyswoE= +k8s.io/dynamic-resource-allocation v0.32.8 h1:SYm436xE2NoAgnPYeC0H2qjdRK+KGIb16m18tLow/ZA= +k8s.io/dynamic-resource-allocation v0.32.8/go.mod h1:rTYXQH8nATZUz4RnspREOfA9H5/usYU5D0gMAIG7kOg= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/kms v0.32.2 h1:7Ff23ht7W40gTcDwUC8G5WjX5W/nxD8WxbNhIYYNZCI= -k8s.io/kms v0.32.2/go.mod h1:Bk2evz/Yvk0oVrvm4MvZbgq8BD34Ksxs2SRHn4/UiOM= +k8s.io/kms v0.32.8 h1:Yy3W8dA4VjnxGMZrXGlFpaKIHlkSVltS+UWydpvxPTc= +k8s.io/kms v0.32.8/go.mod h1:Bk2evz/Yvk0oVrvm4MvZbgq8BD34Ksxs2SRHn4/UiOM= k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f h1:GA7//TjRY9yWGy1poLzYYJJ4JRdzg3+O6e8I+e+8T5Y= k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f/go.mod h1:R/HEjbvWI0qdfb8viZUeVZm0X6IZnxAydC7YU42CMw4= -k8s.io/kube-scheduler v0.32.2 h1:vBm6iIjWaD10OPmtkt/503LTKvrN8dWVceeBcpKj/ns= -k8s.io/kube-scheduler v0.32.2/go.mod h1:dD5yuYpnsCfgZmzvncUNPdvXGJXA1hw3gXq7DH3+aCQ= -k8s.io/kubectl v0.32.2 h1:TAkag6+XfSBgkqK9I7ZvwtF0WVtUAvK8ZqTt+5zi1Us= -k8s.io/kubectl v0.32.2/go.mod h1:+h/NQFSPxiDZYX/WZaWw9fwYezGLISP0ud8nQKg+3g8= -k8s.io/kubelet v0.32.2 h1:WFTSYdt3BB1aTApDuKNI16x/4MYqqX8WBBBBh3KupDg= -k8s.io/kubelet v0.32.2/go.mod h1:cC1ms5RS+lu0ckVr6AviCQXHLSPKEBC3D5oaCBdTGkI= -k8s.io/kubernetes v1.32.6 h1:tp1gRjOqZjaoFBek5PN6eSmODdS1QRrH5UKiFP8ZByg= -k8s.io/kubernetes v1.32.6/go.mod h1:REY0Gok66BTTrbGyZaFMNKO9JhxvgBDW9B7aksWRFoY= -k8s.io/mount-utils v0.32.2 h1:aDwp+ucWiVnDr/LpRg88/dsXf/vm6gI1VZkYH3+3+Vw= -k8s.io/mount-utils v0.32.2/go.mod h1:Kun5c2svjAPx0nnvJKYQWhfeNW+O0EpzHgRhDcYoSY0= -k8s.io/pod-security-admission v0.32.2 h1:zDfAb/t0LbNU3z0ZMHtCb1zp8x05gWCGhmBYpUptm9A= -k8s.io/pod-security-admission v0.32.2/go.mod h1:yxMPB3i1pGMLfxbe4BiWMuowMD7cdHR32y4nCj4wH+s= +k8s.io/kube-scheduler v0.32.8 h1:umW+6cem48eeTz/6Fr1yG29hsiobKU025O+p3CqgRd0= +k8s.io/kube-scheduler v0.32.8/go.mod h1:pfg94rFOwXr447eChSZE+UhNHfuQbQ2U0EFfEpUWqwM= +k8s.io/kubectl v0.32.8 h1:X6I2Rmd+RZvtu+BRplREUTkIYgUc87s87m/kZsbKC7s= +k8s.io/kubectl v0.32.8/go.mod h1:RbwOkKZdxIFzhFIxXY3on/n6aaSXCc353iJ0IXb4DvU= +k8s.io/kubelet v0.32.8 h1:9N4DRmcNFBNnS62Nf8If7wiCtkaSrR7tTsXPe0DC0aI= +k8s.io/kubelet v0.32.8/go.mod h1:8cRHXzRmXftGJrvR3e32jGiqStzVrK6hPgoQqdjvEAE= +k8s.io/kubernetes v1.32.8 h1:NePHsWPIT9NQZ9w5QT/chJMuwjFFGGZxalvD6FlOjlw= +k8s.io/kubernetes v1.32.8/go.mod h1:REY0Gok66BTTrbGyZaFMNKO9JhxvgBDW9B7aksWRFoY= +k8s.io/mount-utils v0.32.8 h1:xe/0LiH2URGPM4dTyhvivRdUiUfyssPeUODRekw3Pxg= +k8s.io/mount-utils v0.32.8/go.mod h1:Kun5c2svjAPx0nnvJKYQWhfeNW+O0EpzHgRhDcYoSY0= +k8s.io/pod-security-admission v0.32.8 h1:nSyjXGZWq9CWr4ehXxNTIlC6I8P0f9aIqcz+9DCFw1Y= +k8s.io/pod-security-admission v0.32.8/go.mod h1:7K7eUD7UYYlJrdtyrdiDmZbyTWZVgw64gsVzc9IFL/g= k8s.io/utils v0.0.0-20250502105355-0f33e8f1c979 h1:jgJW5IePPXLGB8e/1wvd0Ich9QE97RvvF3a8J3fP/Lg= k8s.io/utils v0.0.0-20250502105355-0f33e8f1c979/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.31.0 h1:CPT0ExVicCzcpeN4baWEV2ko2Z/AsiZgEdwgcfwLgMo= diff --git a/vendor/k8s.io/api/resource/v1alpha3/types.go b/vendor/k8s.io/api/resource/v1alpha3/types.go index fb4d7041d..49d7c86de 100644 --- a/vendor/k8s.io/api/resource/v1alpha3/types.go +++ b/vendor/k8s.io/api/resource/v1alpha3/types.go @@ -145,6 +145,10 @@ type ResourceSliceSpec struct { Devices []Device `json:"devices" protobuf:"bytes,6,name=devices"` } +// DriverNameMaxLength is the maximum valid length of a driver name in the +// ResourceSliceSpec and other places. It's the same as for CSI driver names. +const DriverNameMaxLength = 63 + // ResourcePool describes the pool that ResourceSlices belong to. type ResourcePool struct { // Name is used to identify the pool. For node-local devices, this diff --git a/vendor/k8s.io/api/resource/v1beta1/types.go b/vendor/k8s.io/api/resource/v1beta1/types.go index ca79c5a66..fbdc35ca8 100644 --- a/vendor/k8s.io/api/resource/v1beta1/types.go +++ b/vendor/k8s.io/api/resource/v1beta1/types.go @@ -144,6 +144,10 @@ type ResourceSliceSpec struct { Devices []Device `json:"devices" protobuf:"bytes,6,name=devices"` } +// DriverNameMaxLength is the maximum valid length of a driver name in the +// ResourceSliceSpec and other places. It's the same as for CSI driver names. +const DriverNameMaxLength = 63 + // ResourcePool describes the pool that ResourceSlices belong to. type ResourcePool struct { // Name is used to identify the pool. For node-local devices, this diff --git a/vendor/k8s.io/apiserver/pkg/cel/library/cidr.go b/vendor/k8s.io/apiserver/pkg/cel/library/cidr.go index 2992e99e6..8ab444cac 100644 --- a/vendor/k8s.io/apiserver/pkg/cel/library/cidr.go +++ b/vendor/k8s.io/apiserver/pkg/cel/library/cidr.go @@ -231,8 +231,7 @@ func cidrContainsCIDR(arg ref.Val, other ref.Val) ref.Val { return types.MaybeNoSuchOverloadErr(other) } - equalMasked := cidr.Prefix.Masked() == netip.PrefixFrom(containsCIDR.Prefix.Addr(), cidr.Prefix.Bits()) - return types.Bool(equalMasked && cidr.Prefix.Bits() <= containsCIDR.Prefix.Bits()) + return types.Bool(cidr.Overlaps(containsCIDR.Prefix) && cidr.Prefix.Bits() <= containsCIDR.Prefix.Bits()) } func prefixLength(arg ref.Val) ref.Val { diff --git a/vendor/k8s.io/apiserver/pkg/storage/etcd3/watcher.go b/vendor/k8s.io/apiserver/pkg/storage/etcd3/watcher.go index abb51b07f..e2141395b 100644 --- a/vendor/k8s.io/apiserver/pkg/storage/etcd3/watcher.go +++ b/vendor/k8s.io/apiserver/pkg/storage/etcd3/watcher.go @@ -438,7 +438,12 @@ func (wc *watchChan) serialProcessEvents(wg *sync.WaitGroup) { for { select { case e := <-wc.incomingEventChan: - res := wc.transform(e) + res, err := wc.transform(e) + if err != nil { + wc.sendError(err) + return + } + if res == nil { continue } @@ -461,10 +466,8 @@ func (wc *watchChan) serialProcessEvents(wg *sync.WaitGroup) { func (wc *watchChan) concurrentProcessEvents(wg *sync.WaitGroup) { p := concurrentOrderedEventProcessing{ - input: wc.incomingEventChan, - processFunc: wc.transform, - output: wc.resultChan, - processingQueue: make(chan chan *watch.Event, processEventConcurrency-1), + wc: wc, + processingQueue: make(chan chan *processingResult, processEventConcurrency-1), objectType: wc.watcher.objectType, groupResource: wc.watcher.groupResource, @@ -481,12 +484,15 @@ func (wc *watchChan) concurrentProcessEvents(wg *sync.WaitGroup) { }() } +type processingResult struct { + event *watch.Event + err error +} + type concurrentOrderedEventProcessing struct { - input chan *event - processFunc func(*event) *watch.Event - output chan watch.Event + wc *watchChan - processingQueue chan chan *watch.Event + processingQueue chan chan *processingResult // Metadata for logging objectType string groupResource schema.GroupResource @@ -498,28 +504,29 @@ func (p *concurrentOrderedEventProcessing) scheduleEventProcessing(ctx context.C select { case <-ctx.Done(): return - case e = <-p.input: + case e = <-p.wc.incomingEventChan: } - processingResponse := make(chan *watch.Event, 1) + processingResponse := make(chan *processingResult, 1) select { case <-ctx.Done(): return case p.processingQueue <- processingResponse: } wg.Add(1) - go func(e *event, response chan<- *watch.Event) { + go func(e *event, response chan<- *processingResult) { defer wg.Done() + responseEvent, err := p.wc.transform(e) select { case <-ctx.Done(): - case response <- p.processFunc(e): + case response <- &processingResult{event: responseEvent, err: err}: } }(e, processingResponse) } } func (p *concurrentOrderedEventProcessing) collectEventProcessing(ctx context.Context) { - var processingResponse chan *watch.Event - var e *watch.Event + var processingResponse chan *processingResult + var r *processingResult for { select { case <-ctx.Done(): @@ -529,21 +536,25 @@ func (p *concurrentOrderedEventProcessing) collectEventProcessing(ctx context.Co select { case <-ctx.Done(): return - case e = <-processingResponse: + case r = <-processingResponse: } - if e == nil { + if r.err != nil { + p.wc.sendError(r.err) + return + } + if r.event == nil { continue } - if len(p.output) == cap(p.output) { - klog.V(3).InfoS("Fast watcher, slow processing. Probably caused by slow dispatching events to watchers", "outgoingEvents", outgoingBufSize, "objectType", p.objectType, "groupResource", p.groupResource) + if len(p.wc.resultChan) == cap(p.wc.resultChan) { + klog.V(3).InfoS("Fast watcher, slow processing. Probably caused by slow dispatching events to watchers", "outgoingEvents", outgoingBufSize, "objectType", p.wc.watcher.objectType, "groupResource", p.wc.watcher.groupResource) } // If user couldn't receive results fast enough, we also block incoming events from watcher. // Because storing events in local will cause more memory usage. // The worst case would be closing the fast watcher. select { - case <-ctx.Done(): + case p.wc.resultChan <- *r.event: + case <-p.wc.ctx.Done(): return - case p.output <- *e: } } } @@ -561,12 +572,11 @@ func (wc *watchChan) acceptAll() bool { } // transform transforms an event into a result for user if not filtered. -func (wc *watchChan) transform(e *event) (res *watch.Event) { +func (wc *watchChan) transform(e *event) (res *watch.Event, err error) { curObj, oldObj, err := wc.prepareObjs(e) if err != nil { klog.Errorf("failed to prepare current and previous objects: %v", err) - wc.sendError(err) - return nil + return nil, err } switch { @@ -574,12 +584,11 @@ func (wc *watchChan) transform(e *event) (res *watch.Event) { object := wc.watcher.newFunc() if err := wc.watcher.versioner.UpdateObject(object, uint64(e.rev)); err != nil { klog.Errorf("failed to propagate object version: %v", err) - return nil + return nil, fmt.Errorf("failed to propagate object resource version: %w", err) } if e.isInitialEventsEndBookmark { if err := storage.AnnotateInitialEventsEndBookmark(object); err != nil { - wc.sendError(fmt.Errorf("error while accessing object's metadata gr: %v, type: %v, obj: %#v, err: %v", wc.watcher.groupResource, wc.watcher.objectType, object, err)) - return nil + return nil, fmt.Errorf("error while accessing object's metadata gr: %v, type: %v, obj: %#v, err: %w", wc.watcher.groupResource, wc.watcher.objectType, object, err) } } res = &watch.Event{ @@ -588,7 +597,7 @@ func (wc *watchChan) transform(e *event) (res *watch.Event) { } case e.isDeleted: if !wc.filter(oldObj) { - return nil + return nil, nil } res = &watch.Event{ Type: watch.Deleted, @@ -596,7 +605,7 @@ func (wc *watchChan) transform(e *event) (res *watch.Event) { } case e.isCreated: if !wc.filter(curObj) { - return nil + return nil, nil } res = &watch.Event{ Type: watch.Added, @@ -608,7 +617,7 @@ func (wc *watchChan) transform(e *event) (res *watch.Event) { Type: watch.Modified, Object: curObj, } - return res + return res, nil } curObjPasses := wc.filter(curObj) oldObjPasses := wc.filter(oldObj) @@ -630,7 +639,7 @@ func (wc *watchChan) transform(e *event) (res *watch.Event) { } } } - return res + return res, nil } func transformErrorToEvent(err error) *watch.Event { diff --git a/vendor/k8s.io/dynamic-resource-allocation/cel/cache.go b/vendor/k8s.io/dynamic-resource-allocation/cel/cache.go index 2868886c5..e807ba2b9 100644 --- a/vendor/k8s.io/dynamic-resource-allocation/cel/cache.go +++ b/vendor/k8s.io/dynamic-resource-allocation/cel/cache.go @@ -43,6 +43,8 @@ func NewCache(maxCacheEntries int) *Cache { // GetOrCompile checks whether the cache already has a compilation result // and returns that if available. Otherwise it compiles, stores successful // results and returns the new result. +// +// Cost estimation is disabled. func (c *Cache) GetOrCompile(expression string) CompilationResult { // Compiling a CEL expression is expensive enough that it is cheaper // to lock a mutex than doing it several times in parallel. @@ -55,7 +57,7 @@ func (c *Cache) GetOrCompile(expression string) CompilationResult { return *cached } - expr := GetCompiler().CompileCELExpression(expression, Options{}) + expr := GetCompiler().CompileCELExpression(expression, Options{DisableCostEstimation: true}) if expr.Error == nil { c.add(expression, &expr) } diff --git a/vendor/k8s.io/dynamic-resource-allocation/cel/compile.go b/vendor/k8s.io/dynamic-resource-allocation/cel/compile.go index 9ad4bed0f..d59f7d7d4 100644 --- a/vendor/k8s.io/dynamic-resource-allocation/cel/compile.go +++ b/vendor/k8s.io/dynamic-resource-allocation/cel/compile.go @@ -20,12 +20,14 @@ import ( "context" "errors" "fmt" + "math" "reflect" "strings" "sync" "github.com/blang/semver/v4" "github.com/google/cel-go/cel" + "github.com/google/cel-go/checker" "github.com/google/cel-go/common/types" "github.com/google/cel-go/common/types/ref" "github.com/google/cel-go/common/types/traits" @@ -50,6 +52,23 @@ const ( var ( lazyCompilerInit sync.Once lazyCompiler *compiler + + // A variant of AnyType = https://github.com/kubernetes/kubernetes/blob/ec2e0de35a298363872897e5904501b029817af3/staging/src/k8s.io/apiserver/pkg/cel/types.go#L550: + // unknown actual type (could be bool, int, string, etc.) but with a known maximum size. + attributeType = withMaxElements(apiservercel.AnyType, resourceapi.DeviceAttributeMaxValueLength) + + // Other strings also have a known maximum size. + domainType = withMaxElements(apiservercel.StringType, resourceapi.DeviceMaxDomainLength) + idType = withMaxElements(apiservercel.StringType, resourceapi.DeviceMaxIDLength) + driverType = withMaxElements(apiservercel.StringType, resourceapi.DriverNameMaxLength) + + // Each map is bound by the maximum number of different attributes. + innerAttributesMapType = apiservercel.NewMapType(idType, attributeType, resourceapi.ResourceSliceMaxAttributesAndCapacitiesPerDevice) + outerAttributesMapType = apiservercel.NewMapType(domainType, innerAttributesMapType, resourceapi.ResourceSliceMaxAttributesAndCapacitiesPerDevice) + + // Same for capacity. + innerCapacityMapType = apiservercel.NewMapType(idType, apiservercel.QuantityDeclType, resourceapi.ResourceSliceMaxAttributesAndCapacitiesPerDevice) + outerCapacityMapType = apiservercel.NewMapType(domainType, innerCapacityMapType, resourceapi.ResourceSliceMaxAttributesAndCapacitiesPerDevice) ) func GetCompiler() *compiler { @@ -85,11 +104,12 @@ type Device struct { } type compiler struct { - envset *environment.EnvSet -} - -func newCompiler() *compiler { - return &compiler{envset: mustBuildEnv()} + // deviceType is a definition for the type of the `device` variable. + // This is needed for the cost estimator. Both are currently version-independent. + // If that ever changes, some additional logic might be needed to make + // cost estimates version-dependent. + deviceType *apiservercel.DeclType + envset *environment.EnvSet } // Options contains several additional parameters @@ -101,6 +121,10 @@ type Options struct { // CostLimit allows overriding the default runtime cost limit [resourceapi.CELSelectorExpressionMaxCost]. CostLimit *uint64 + + // DisableCostEstimation can be set to skip estimating the worst-case CEL cost. + // If disabled or after an error, [CompilationResult.MaxCost] will be set to [math.Uint64]. + DisableCostEstimation bool } // CompileCELExpression returns a compiled CEL expression. It evaluates to bool. @@ -114,6 +138,7 @@ func (c compiler) CompileCELExpression(expression string, options Options) Compi Detail: errorString, }, Expression: expression, + MaxCost: math.MaxUint64, } } @@ -122,10 +147,6 @@ func (c compiler) CompileCELExpression(expression string, options Options) Compi return resultError(fmt.Sprintf("unexpected error loading CEL environment: %v", err), apiservercel.ErrorTypeInternal) } - // We don't have a SizeEstimator. The potential size of the input (= a - // device) is already declared in the definition of the environment. - estimator := &library.CostEstimator{} - ast, issues := env.Compile(expression) if issues != nil { return resultError("compilation failed: "+issues.String(), apiservercel.ErrorTypeInvalid) @@ -157,18 +178,28 @@ func (c compiler) CompileCELExpression(expression string, options Options) Compi OutputType: ast.OutputType(), Environment: env, emptyMapVal: env.CELTypeAdapter().NativeToValue(map[string]any{}), + MaxCost: math.MaxUint64, } - costEst, err := env.EstimateCost(ast, estimator) - if err != nil { - compilationResult.Error = &apiservercel.Error{Type: apiservercel.ErrorTypeInternal, Detail: "cost estimation failed: " + err.Error()} - return compilationResult + if !options.DisableCostEstimation { + // We don't have a SizeEstimator. The potential size of the input (= a + // device) is already declared in the definition of the environment. + estimator := c.newCostEstimator() + costEst, err := env.EstimateCost(ast, estimator) + if err != nil { + compilationResult.Error = &apiservercel.Error{Type: apiservercel.ErrorTypeInternal, Detail: "cost estimation failed: " + err.Error()} + return compilationResult + } + compilationResult.MaxCost = costEst.Max } - compilationResult.MaxCost = costEst.Max return compilationResult } +func (c *compiler) newCostEstimator() *library.CostEstimator { + return &library.CostEstimator{SizeEstimator: &sizeEstimator{compiler: c}} +} + // getAttributeValue returns the native representation of the one value that // should be stored in the attribute, otherwise an error. An error is // also returned when there is no supported value. @@ -241,7 +272,7 @@ func (c CompilationResult) DeviceMatches(ctx context.Context, input Device) (boo return resultBool, details, nil } -func mustBuildEnv() *environment.EnvSet { +func newCompiler() *compiler { envset := environment.MustBaseEnvSet(environment.DefaultCompatibilityVersion(), true /* strictCost */) field := func(name string, declType *apiservercel.DeclType, required bool) *apiservercel.DeclField { return apiservercel.NewDeclField(name, declType, required, nil, nil) @@ -253,10 +284,11 @@ func mustBuildEnv() *environment.EnvSet { } return result } + deviceType := apiservercel.NewObjectType("kubernetes.DRADevice", fields( - field(driverVar, apiservercel.StringType, true), - field(attributesVar, apiservercel.NewMapType(apiservercel.StringType, apiservercel.NewMapType(apiservercel.StringType, apiservercel.AnyType, resourceapi.ResourceSliceMaxAttributesAndCapacitiesPerDevice), resourceapi.ResourceSliceMaxAttributesAndCapacitiesPerDevice), true), - field(capacityVar, apiservercel.NewMapType(apiservercel.StringType, apiservercel.NewMapType(apiservercel.StringType, apiservercel.QuantityDeclType, resourceapi.ResourceSliceMaxAttributesAndCapacitiesPerDevice), resourceapi.ResourceSliceMaxAttributesAndCapacitiesPerDevice), true), + field(driverVar, driverType, true), + field(attributesVar, outerAttributesMapType, true), + field(capacityVar, outerCapacityMapType, true), )) versioned := []environment.VersionedOptions{ @@ -284,7 +316,13 @@ func mustBuildEnv() *environment.EnvSet { if err != nil { panic(fmt.Errorf("internal error building CEL environment: %w", err)) } - return envset + return &compiler{envset: envset, deviceType: deviceType} +} + +func withMaxElements(in *apiservercel.DeclType, maxElements uint64) *apiservercel.DeclType { + out := *in + out.MaxElements = int64(maxElements) + return &out } // parseQualifiedName splits into domain and identified, using the default domain @@ -322,3 +360,67 @@ func (m mapper) Find(key ref.Val) (ref.Val, bool) { return m.defaultValue, true } + +// sizeEstimator tells the cost estimator the maximum size of maps or strings accessible through the `device` variable. +// Without this, the maximum string size of e.g. `device.attributes["dra.example.com"].services` would be unknown. +// +// sizeEstimator is derived from the sizeEstimator in k8s.io/apiextensions-apiserver/pkg/apiserver/schema/cel. +type sizeEstimator struct { + compiler *compiler +} + +func (s *sizeEstimator) EstimateSize(element checker.AstNode) *checker.SizeEstimate { + path := element.Path() + if len(path) == 0 { + // Path() can return an empty list, early exit if it does since we can't + // provide size estimates when that happens + return nil + } + + // The estimator provides information about the environment's variable(s). + var currentNode *apiservercel.DeclType + switch path[0] { + case deviceVar: + currentNode = s.compiler.deviceType + default: + // Unknown root, shouldn't happen. + return nil + } + + // Cut off initial variable from path, it was checked above. + for _, name := range path[1:] { + switch name { + case "@items", "@values": + if currentNode.ElemType == nil { + return nil + } + currentNode = currentNode.ElemType + case "@keys": + if currentNode.KeyType == nil { + return nil + } + currentNode = currentNode.KeyType + default: + field, ok := currentNode.Fields[name] + if !ok { + // If this is an attribute map, then we know that all elements + // have the same maximum size as set in attributeType, regardless + // of their name. + if currentNode.ElemType == attributeType { + currentNode = attributeType + continue + } + return nil + } + if field.Type == nil { + return nil + } + currentNode = field.Type + } + } + return &checker.SizeEstimate{Min: 0, Max: uint64(currentNode.MaxElements)} +} + +func (s *sizeEstimator) EstimateCallCost(function, overloadID string, target *checker.AstNode, args []checker.AstNode) *checker.CallEstimate { + return nil +} diff --git a/vendor/k8s.io/kubernetes/test/utils/image/manifest.go b/vendor/k8s.io/kubernetes/test/utils/image/manifest.go index 135e121de..15ef54ffb 100644 --- a/vendor/k8s.io/kubernetes/test/utils/image/manifest.go +++ b/vendor/k8s.io/kubernetes/test/utils/image/manifest.go @@ -129,13 +129,17 @@ func readFromURL(url string, writer io.Writer) error { var ( initRegistry = RegistryList{ - GcAuthenticatedRegistry: "gcr.io/authenticated-image-pulling", - PromoterE2eRegistry: "registry.k8s.io/e2e-test-images", - BuildImageRegistry: "registry.k8s.io/build-image", - InvalidRegistry: "invalid.registry.k8s.io/invalid", - GcEtcdRegistry: "registry.k8s.io", - GcRegistry: "registry.k8s.io", - SigStorageRegistry: "registry.k8s.io/sig-storage", + // TODO: https://github.com/kubernetes/kubernetes/issues/130271 + // Eliminate GcAuthenticatedRegistry. + GcAuthenticatedRegistry: "gcr.io/authenticated-image-pulling", + PromoterE2eRegistry: "registry.k8s.io/e2e-test-images", + BuildImageRegistry: "registry.k8s.io/build-image", + InvalidRegistry: "invalid.registry.k8s.io/invalid", + GcEtcdRegistry: "registry.k8s.io", + GcRegistry: "registry.k8s.io", + SigStorageRegistry: "registry.k8s.io/sig-storage", + // TODO: https://github.com/kubernetes/kubernetes/issues/130271 + // Eliminate PrivateRegistry. PrivateRegistry: "gcr.io/k8s-authenticated-test", DockerLibraryRegistry: "docker.io/library", CloudProviderGcpRegistry: "registry.k8s.io/cloud-provider-gcp", @@ -152,15 +156,17 @@ const ( // Agnhost image Agnhost // AgnhostPrivate image + // TODO: https://github.com/kubernetes/kubernetes/issues/130271 + // Eliminate this. AgnhostPrivate // APIServer image APIServer // AppArmorLoader image AppArmorLoader // AuthenticatedAlpine image + // TODO: https://github.com/kubernetes/kubernetes/issues/130271 + // Eliminate this. AuthenticatedAlpine - // AuthenticatedWindowsNanoServer image - AuthenticatedWindowsNanoServer // BusyBox image BusyBox // DistrolessIptables Image @@ -219,11 +225,10 @@ func initImageConfigs(list RegistryList) (map[ImageID]Config, map[ImageID]Config configs[Agnhost] = Config{list.PromoterE2eRegistry, "agnhost", "2.53"} configs[AgnhostPrivate] = Config{list.PrivateRegistry, "agnhost", "2.6"} configs[AuthenticatedAlpine] = Config{list.GcAuthenticatedRegistry, "alpine", "3.7"} - configs[AuthenticatedWindowsNanoServer] = Config{list.GcAuthenticatedRegistry, "windows-nanoserver", "v1"} configs[APIServer] = Config{list.PromoterE2eRegistry, "sample-apiserver", "1.29.2"} configs[AppArmorLoader] = Config{list.PromoterE2eRegistry, "apparmor-loader", "1.4"} configs[BusyBox] = Config{list.PromoterE2eRegistry, "busybox", "1.36.1-1"} - configs[DistrolessIptables] = Config{list.BuildImageRegistry, "distroless-iptables", "v0.6.11"} + configs[DistrolessIptables] = Config{list.BuildImageRegistry, "distroless-iptables", "v0.6.12"} configs[Etcd] = Config{list.GcEtcdRegistry, "etcd", "3.5.16-0"} configs[Httpd] = Config{list.PromoterE2eRegistry, "httpd", "2.4.38-4"} configs[HttpdNew] = Config{list.PromoterE2eRegistry, "httpd", "2.4.39-4"} @@ -270,7 +275,7 @@ func GetMappedImageConfigs(originalImageConfigs map[ImageID]Config, repo string) for i, config := range originalImageConfigs { switch i { case InvalidRegistryImage, AuthenticatedAlpine, - AuthenticatedWindowsNanoServer, AgnhostPrivate: + AgnhostPrivate: // These images are special and can't be run out of the cloud - some because they // are authenticated, and others because they are not real images. Tests that depend // on these images can't be run without access to the public internet. diff --git a/vendor/modules.txt b/vendor/modules.txt index 94e680379..1bfba83b0 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -911,7 +911,7 @@ gopkg.in/natefinch/lumberjack.v2 # gopkg.in/yaml.v3 v3.0.1 ## explicit gopkg.in/yaml.v3 -# k8s.io/api v0.32.4 => k8s.io/api v0.32.2 +# k8s.io/api v0.32.8 => k8s.io/api v0.32.8 ## explicit; go 1.23.0 k8s.io/api/admission/v1 k8s.io/api/admission/v1beta1 @@ -972,12 +972,12 @@ k8s.io/api/storage/v1 k8s.io/api/storage/v1alpha1 k8s.io/api/storage/v1beta1 k8s.io/api/storagemigration/v1alpha1 -# k8s.io/apiextensions-apiserver v0.0.0 => k8s.io/apiextensions-apiserver v0.32.2 +# k8s.io/apiextensions-apiserver v0.0.0 => k8s.io/apiextensions-apiserver v0.32.8 ## explicit; go 1.23.0 k8s.io/apiextensions-apiserver/pkg/apis/apiextensions k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1 k8s.io/apiextensions-apiserver/pkg/features -# k8s.io/apimachinery v0.32.4 => k8s.io/apimachinery v0.32.2 +# k8s.io/apimachinery v0.32.8 => k8s.io/apimachinery v0.32.8 ## explicit; go 1.23.0 k8s.io/apimachinery/pkg/api/equality k8s.io/apimachinery/pkg/api/errors @@ -1045,7 +1045,7 @@ k8s.io/apimachinery/pkg/watch k8s.io/apimachinery/third_party/forked/golang/json k8s.io/apimachinery/third_party/forked/golang/netutil k8s.io/apimachinery/third_party/forked/golang/reflect -# k8s.io/apiserver v0.32.4 => k8s.io/apiserver v0.32.2 +# k8s.io/apiserver v0.32.8 => k8s.io/apiserver v0.32.8 ## explicit; go 1.23.0 k8s.io/apiserver/pkg/admission k8s.io/apiserver/pkg/admission/configuration @@ -1200,7 +1200,7 @@ k8s.io/apiserver/plugin/pkg/audit/webhook k8s.io/apiserver/plugin/pkg/authenticator/token/webhook k8s.io/apiserver/plugin/pkg/authorizer/webhook k8s.io/apiserver/plugin/pkg/authorizer/webhook/metrics -# k8s.io/client-go v0.32.4 => k8s.io/client-go v0.32.2 +# k8s.io/client-go v0.32.8 => k8s.io/client-go v0.32.8 ## explicit; go 1.23.0 k8s.io/client-go/applyconfigurations k8s.io/client-go/applyconfigurations/admissionregistration/v1 @@ -1548,7 +1548,7 @@ k8s.io/client-go/util/keyutil k8s.io/client-go/util/retry k8s.io/client-go/util/watchlist k8s.io/client-go/util/workqueue -# k8s.io/cloud-provider v0.32.4 => k8s.io/cloud-provider v0.32.2 +# k8s.io/cloud-provider v0.32.8 => k8s.io/cloud-provider v0.32.8 ## explicit; go 1.23.0 k8s.io/cloud-provider k8s.io/cloud-provider/api @@ -1566,7 +1566,7 @@ k8s.io/cloud-provider/options k8s.io/cloud-provider/service/helpers k8s.io/cloud-provider/volume k8s.io/cloud-provider/volume/helpers -# k8s.io/component-base v0.32.4 => k8s.io/component-base v0.32.2 +# k8s.io/component-base v0.32.8 => k8s.io/component-base v0.32.8 ## explicit; go 1.23.0 k8s.io/component-base/cli/flag k8s.io/component-base/config @@ -1593,7 +1593,7 @@ k8s.io/component-base/tracing/api/v1 k8s.io/component-base/version k8s.io/component-base/zpages/features k8s.io/component-base/zpages/flagz -# k8s.io/component-helpers v0.32.4 => k8s.io/component-helpers v0.32.2 +# k8s.io/component-helpers v0.32.8 => k8s.io/component-helpers v0.32.8 ## explicit; go 1.23.0 k8s.io/component-helpers/node/topology k8s.io/component-helpers/node/util @@ -1603,7 +1603,7 @@ k8s.io/component-helpers/scheduling/corev1 k8s.io/component-helpers/scheduling/corev1/nodeaffinity k8s.io/component-helpers/storage/ephemeral k8s.io/component-helpers/storage/volume -# k8s.io/controller-manager v0.32.4 => k8s.io/controller-manager v0.32.2 +# k8s.io/controller-manager v0.32.8 => k8s.io/controller-manager v0.32.8 ## explicit; go 1.23.0 k8s.io/controller-manager/config k8s.io/controller-manager/config/v1 @@ -1615,21 +1615,21 @@ k8s.io/controller-manager/pkg/features k8s.io/controller-manager/pkg/features/register k8s.io/controller-manager/pkg/leadermigration/config k8s.io/controller-manager/pkg/leadermigration/options -# k8s.io/cri-api v0.32.2 => k8s.io/cri-api v0.32.2 +# k8s.io/cri-api v0.32.8 => k8s.io/cri-api v0.32.8 ## explicit; go 1.23.0 k8s.io/cri-api/pkg/apis k8s.io/cri-api/pkg/apis/runtime/v1 -# k8s.io/cri-client v0.0.0 => k8s.io/cri-client v0.32.2 +# k8s.io/cri-client v0.0.0 => k8s.io/cri-client v0.32.8 ## explicit; go 1.23.0 k8s.io/cri-client/pkg k8s.io/cri-client/pkg/internal k8s.io/cri-client/pkg/logs k8s.io/cri-client/pkg/util -# k8s.io/csi-translation-lib v0.0.0 => k8s.io/csi-translation-lib v0.32.2 +# k8s.io/csi-translation-lib v0.0.0 => k8s.io/csi-translation-lib v0.32.8 ## explicit; go 1.23.0 k8s.io/csi-translation-lib k8s.io/csi-translation-lib/plugins -# k8s.io/dynamic-resource-allocation v0.0.0 => k8s.io/dynamic-resource-allocation v0.32.2 +# k8s.io/dynamic-resource-allocation v0.0.0 => k8s.io/dynamic-resource-allocation v0.32.8 ## explicit; go 1.23.0 k8s.io/dynamic-resource-allocation/api k8s.io/dynamic-resource-allocation/cel @@ -1646,7 +1646,7 @@ k8s.io/klog/v2/internal/severity k8s.io/klog/v2/internal/sloghandler k8s.io/klog/v2/internal/verbosity k8s.io/klog/v2/textlogger -# k8s.io/kms v0.32.4 => k8s.io/kms v0.32.2 +# k8s.io/kms v0.32.8 => k8s.io/kms v0.32.8 ## explicit; go 1.23.0 k8s.io/kms/apis/v1beta1 k8s.io/kms/apis/v2 @@ -1673,15 +1673,15 @@ k8s.io/kube-openapi/pkg/validation/errors k8s.io/kube-openapi/pkg/validation/spec k8s.io/kube-openapi/pkg/validation/strfmt k8s.io/kube-openapi/pkg/validation/strfmt/bson -# k8s.io/kube-scheduler v0.0.0 => k8s.io/kube-scheduler v0.32.2 +# k8s.io/kube-scheduler v0.0.0 => k8s.io/kube-scheduler v0.32.8 ## explicit; go 1.23.0 k8s.io/kube-scheduler/config/v1 k8s.io/kube-scheduler/extender/v1 -# k8s.io/kubectl v0.31.1 => k8s.io/kubectl v0.32.2 +# k8s.io/kubectl v0.31.1 => k8s.io/kubectl v0.32.8 ## explicit; go 1.23.0 k8s.io/kubectl/pkg/scale k8s.io/kubectl/pkg/util/podutils -# k8s.io/kubelet v0.32.4 => k8s.io/kubelet v0.32.2 +# k8s.io/kubelet v0.32.8 => k8s.io/kubelet v0.32.8 ## explicit; go 1.23.0 k8s.io/kubelet/pkg/apis k8s.io/kubelet/pkg/apis/deviceplugin/v1beta1 @@ -1691,7 +1691,7 @@ k8s.io/kubelet/pkg/apis/pluginregistration/v1 k8s.io/kubelet/pkg/apis/podresources/v1 k8s.io/kubelet/pkg/apis/podresources/v1alpha1 k8s.io/kubelet/pkg/apis/stats/v1alpha1 -# k8s.io/kubernetes v1.32.6 => k8s.io/kubernetes v1.32.6 +# k8s.io/kubernetes v1.32.8 => k8s.io/kubernetes v1.32.8 ## explicit; go 1.23.0 k8s.io/kubernetes/pkg/api/legacyscheme k8s.io/kubernetes/pkg/api/service @@ -1852,10 +1852,10 @@ k8s.io/kubernetes/test/utils/kubeconfig k8s.io/kubernetes/third_party/forked/golang/expansion k8s.io/kubernetes/third_party/forked/libcontainer/apparmor k8s.io/kubernetes/third_party/forked/libcontainer/utils -# k8s.io/mount-utils v0.32.2 +# k8s.io/mount-utils v0.32.8 ## explicit; go 1.23.0 k8s.io/mount-utils -# k8s.io/pod-security-admission v0.31.1 => k8s.io/pod-security-admission v0.32.2 +# k8s.io/pod-security-admission v0.31.1 => k8s.io/pod-security-admission v0.32.8 ## explicit; go 1.23.0 k8s.io/pod-security-admission/api k8s.io/pod-security-admission/policy @@ -2027,35 +2027,35 @@ sigs.k8s.io/structured-merge-diff/v4/value sigs.k8s.io/yaml sigs.k8s.io/yaml/goyaml.v2 # github.com/pmezard/go-difflib => github.com/pmezard/go-difflib v1.0.0 -# k8s.io/api => k8s.io/api v0.32.2 -# k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.32.2 -# k8s.io/apimachinery => k8s.io/apimachinery v0.32.2 -# k8s.io/apiserver => k8s.io/apiserver v0.32.2 -# k8s.io/cli-runtime => k8s.io/cli-runtime v0.32.2 -# k8s.io/client-go => k8s.io/client-go v0.32.2 -# k8s.io/cloud-provider => k8s.io/cloud-provider v0.32.2 -# k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.32.2 -# k8s.io/code-generator => k8s.io/code-generator v0.32.2 -# k8s.io/component-base => k8s.io/component-base v0.32.2 -# k8s.io/component-helpers => k8s.io/component-helpers v0.32.2 -# k8s.io/controller-manager => k8s.io/controller-manager v0.32.2 -# k8s.io/cri-api => k8s.io/cri-api v0.32.2 -# k8s.io/cri-client => k8s.io/cri-client v0.32.2 -# k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.32.2 -# k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.32.2 -# k8s.io/endpointslice => k8s.io/endpointslice v0.32.2 -# k8s.io/externaljwt => k8s.io/externaljwt v0.32.2 -# k8s.io/kms => k8s.io/kms v0.32.2 -# k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.32.2 -# k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.32.2 -# k8s.io/kube-proxy => k8s.io/kube-proxy v0.32.2 -# k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.32.2 -# k8s.io/kubectl => k8s.io/kubectl v0.32.2 -# k8s.io/kubelet => k8s.io/kubelet v0.32.2 -# k8s.io/kubernetes => k8s.io/kubernetes v1.32.6 -# k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.32.2 -# k8s.io/metrics => k8s.io/metrics v0.32.2 -# k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.32.2 -# k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.32.2 -# k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.32.2 -# k8s.io/sample-controller => k8s.io/sample-controller v0.32.2 +# k8s.io/api => k8s.io/api v0.32.8 +# k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.32.8 +# k8s.io/apimachinery => k8s.io/apimachinery v0.32.8 +# k8s.io/apiserver => k8s.io/apiserver v0.32.8 +# k8s.io/cli-runtime => k8s.io/cli-runtime v0.32.8 +# k8s.io/client-go => k8s.io/client-go v0.32.8 +# k8s.io/cloud-provider => k8s.io/cloud-provider v0.32.8 +# k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.32.8 +# k8s.io/code-generator => k8s.io/code-generator v0.32.8 +# k8s.io/component-base => k8s.io/component-base v0.32.8 +# k8s.io/component-helpers => k8s.io/component-helpers v0.32.8 +# k8s.io/controller-manager => k8s.io/controller-manager v0.32.8 +# k8s.io/cri-api => k8s.io/cri-api v0.32.8 +# k8s.io/cri-client => k8s.io/cri-client v0.32.8 +# k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.32.8 +# k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.32.8 +# k8s.io/endpointslice => k8s.io/endpointslice v0.32.8 +# k8s.io/externaljwt => k8s.io/externaljwt v0.32.8 +# k8s.io/kms => k8s.io/kms v0.32.8 +# k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.32.8 +# k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.32.8 +# k8s.io/kube-proxy => k8s.io/kube-proxy v0.32.8 +# k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.32.8 +# k8s.io/kubectl => k8s.io/kubectl v0.32.8 +# k8s.io/kubelet => k8s.io/kubelet v0.32.8 +# k8s.io/kubernetes => k8s.io/kubernetes v1.32.8 +# k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.32.8 +# k8s.io/metrics => k8s.io/metrics v0.32.8 +# k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.32.8 +# k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.32.8 +# k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.32.8 +# k8s.io/sample-controller => k8s.io/sample-controller v0.32.8