[Low] Patch kubernetes for CVE-2025-4563 (#14147)

Author: durgajagadeesh

SPECS/kubernetes/CVE-2025-4563.patch

@@ -0,0 +1,199 @@
+From 3f3e38728b8cff51c68fcae662488edb59184a9e Mon Sep 17 00:00:00 2001
+From: dj_palli <[email protected]>
+Date: Mon, 30 Jun 2025 11:15:01 +0000
+Subject: [PATCH] Address CVE-2025-4563
+
+Upstream patch reference: https://github.com/kubernetes/kubernetes/pull/131876/commits/1fde2b884c7110c5e253db7143b24bfd91202c4d
+
+---
+ pkg/apis/core/validation/validation.go        |  7 +++
+ pkg/apis/core/validation/validation_test.go   | 11 +++-
+ pkg/kubelet/config/common.go                  |  6 ++
+ pkg/kubelet/config/common_test.go             | 56 +++++++++++++++++++
+ .../admission/noderestriction/admission.go    |  4 ++
+ .../noderestriction/admission_test.go         |  9 +++
+ 6 files changed, 92 insertions(+), 1 deletion(-)
+
+diff --git a/pkg/apis/core/validation/validation.go b/pkg/apis/core/validation/validation.go
+index ecccf969..98da9166 100644
+--- a/pkg/apis/core/validation/validation.go
++++ b/pkg/apis/core/validation/validation.go
+@@ -3011,6 +3011,13 @@ func gatherPodResourceClaimNames(claims []core.PodResourceClaim) sets.Set[string
+ }
+ 
+ func validatePodResourceClaim(podMeta *metav1.ObjectMeta, claim core.PodResourceClaim, podClaimNames *sets.Set[string], fldPath *field.Path) field.ErrorList {
++	// static pods don't support resource claims
++	if podMeta != nil {
++		if _, ok := podMeta.Annotations[core.MirrorPodAnnotationKey]; ok {
++			return field.ErrorList{field.Forbidden(field.NewPath(""), "static pods do not support resource claims")}
++		}
++	}
++
+ 	var allErrs field.ErrorList
+ 	if claim.Name == "" {
+ 		allErrs = append(allErrs, field.Required(fldPath.Child("name"), ""))
+diff --git a/pkg/apis/core/validation/validation_test.go b/pkg/apis/core/validation/validation_test.go
+index 6b837f21..ba1210fa 100644
+--- a/pkg/apis/core/validation/validation_test.go
++++ b/pkg/apis/core/validation/validation_test.go
+@@ -26016,6 +26016,8 @@ func TestValidateDynamicResourceAllocation(t *testing.T) {
+ 	}
+ 
+ 	failureCases := map[string]core.PodSpec{
++		"static pod with resource claim reference": goodClaimReference,
++		"static pod with resource claim template":  goodClaimTemplate,
+ 		"pod claim name with prefix": {
+ 			Containers:    []core.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent", TerminationMessagePolicy: "File"}},
+ 			RestartPolicy: core.RestartPolicyAlways,
+@@ -26144,7 +26146,14 @@ func TestValidateDynamicResourceAllocation(t *testing.T) {
+ 		}(),
+ 	}
+ 	for k, v := range failureCases {
+-		if errs := ValidatePodSpec(&v, nil, field.NewPath("field"), PodValidationOptions{}); len(errs) == 0 {
++		podMeta := shortPodName
++		if strings.HasPrefix(k, "static pod") {
++			podMeta = podMeta.DeepCopy()
++			podMeta.Annotations = map[string]string{
++				core.MirrorPodAnnotationKey: "True",
++			}
++		}
++		if errs := ValidatePodSpec(&v.Spec, podMeta, field.NewPath("field"), PodValidationOptions{}); len(errs) == 0 {
+ 			t.Errorf("expected failure for %q", k)
+ 		}
+ 	}
+diff --git a/pkg/kubelet/config/common.go b/pkg/kubelet/config/common.go
+index 69d67126..a73d6372 100644
+--- a/pkg/kubelet/config/common.go
++++ b/pkg/kubelet/config/common.go
+@@ -106,6 +106,9 @@ type defaultFunc func(pod *api.Pod) error
+ // A static pod tried to use a ClusterTrustBundle projected volume source.
+ var ErrStaticPodTriedToUseClusterTrustBundle = errors.New("static pods may not use ClusterTrustBundle projected volume sources")
+ 
++// A static pod tried to use a resource claim.
++var ErrStaticPodTriedToUseResourceClaims = errors.New("static pods may not use ResourceClaims")
++
+ // tryDecodeSinglePod takes data and tries to extract valid Pod config information from it.
+ func tryDecodeSinglePod(data []byte, defaultFn defaultFunc) (parsed bool, pod *v1.Pod, err error) {
+ 	// JSON is valid YAML, so this should work for everything.
+@@ -152,6 +155,9 @@ func tryDecodeSinglePod(data []byte, defaultFn defaultFunc) (parsed bool, pod *v
+ 			}
+ 		}
+ 	}
++	if len(v1Pod.Spec.ResourceClaims) > 0 {
++		return true, nil, ErrStaticPodTriedToUseResourceClaims
++	}
+ 
+ 	return true, v1Pod, nil
+ }
+diff --git a/pkg/kubelet/config/common_test.go b/pkg/kubelet/config/common_test.go
+index f390b6f9..ae4f4473 100644
+--- a/pkg/kubelet/config/common_test.go
++++ b/pkg/kubelet/config/common_test.go
+@@ -179,6 +179,62 @@ func TestDecodeSinglePodRejectsClusterTrustBundleVolumes(t *testing.T) {
+ 	}
+ }
+ 
++func TestDecodeSinglePodRejectsResourceClaims(t *testing.T) {
++	grace := int64(30)
++	enableServiceLinks := v1.DefaultEnableServiceLinks
++	pod := &v1.Pod{
++		TypeMeta: metav1.TypeMeta{
++			APIVersion: "",
++		},
++		ObjectMeta: metav1.ObjectMeta{
++			Name:      "test",
++			UID:       "12345",
++			Namespace: "mynamespace",
++		},
++		Spec: v1.PodSpec{
++			RestartPolicy:                 v1.RestartPolicyAlways,
++			DNSPolicy:                     v1.DNSClusterFirst,
++			TerminationGracePeriodSeconds: &grace,
++			Containers: []v1.Container{{
++				Name:                     "image",
++				Image:                    "test/image",
++				ImagePullPolicy:          "IfNotPresent",
++				TerminationMessagePath:   "/dev/termination-log",
++				TerminationMessagePolicy: v1.TerminationMessageReadFile,
++				SecurityContext:          securitycontext.ValidSecurityContextWithContainerDefaults(),
++				Resources: v1.ResourceRequirements{
++					Claims: []v1.ResourceClaim{{
++						Name: "my-claim",
++					}},
++				},
++			}},
++			ResourceClaims: []v1.PodResourceClaim{{
++				Name:              "my-claim",
++				ResourceClaimName: ptr.To("some-external-claim"),
++			}},
++			SecurityContext:    &v1.PodSecurityContext{},
++			SchedulerName:      v1.DefaultSchedulerName,
++			EnableServiceLinks: &enableServiceLinks,
++		},
++		Status: v1.PodStatus{
++			PodIP: "1.2.3.4",
++			PodIPs: []v1.PodIP{
++				{
++					IP: "1.2.3.4",
++				},
++			},
++		},
++	}
++	json, err := runtime.Encode(clientscheme.Codecs.LegacyCodec(v1.SchemeGroupVersion), pod)
++	if err != nil {
++		t.Errorf("unexpected error: %v", err)
++	}
++	_, _, err = tryDecodeSinglePod(json, noDefault)
++	if !errors.Is(err, ErrStaticPodTriedToUseResourceClaims) {
++		t.Errorf("Got error %q, want %q", err, ErrStaticPodTriedToUseResourceClaims)
++	}
++}
++
+ func TestDecodePodList(t *testing.T) {
+ 	grace := int64(30)
+ 	enableServiceLinks := v1.DefaultEnableServiceLinks
+diff --git a/plugin/pkg/admission/noderestriction/admission.go b/plugin/pkg/admission/noderestriction/admission.go
+index 9388ac52..c58dbc34 100644
+--- a/plugin/pkg/admission/noderestriction/admission.go
++++ b/plugin/pkg/admission/noderestriction/admission.go
+@@ -283,6 +283,10 @@ func (p *Plugin) admitPodCreate(nodeName string, a admission.Attributes) error {
+ 		}
+ 	}
+ 
++	if len(pod.Spec.ResourceClaims) > 0 {
++		return admission.NewForbidden(a, fmt.Errorf("node %q can not create pods that reference resourceclaims", nodeName))
++	}
++
+ 	return nil
+ }
+ 
+diff --git a/plugin/pkg/admission/noderestriction/admission_test.go b/plugin/pkg/admission/noderestriction/admission_test.go
+index 17bb2f50..10a8d99b 100644
+--- a/plugin/pkg/admission/noderestriction/admission_test.go
++++ b/plugin/pkg/admission/noderestriction/admission_test.go
+@@ -401,6 +401,9 @@ func Test_nodePlugin_Admit(t *testing.T) {
+ 	pvcpod, _ := makeTestPod("ns", "mypvcpod", "mynode", true)
+ 	pvcpod.Spec.Volumes = []api.Volume{{VolumeSource: api.VolumeSource{PersistentVolumeClaim: &api.PersistentVolumeClaimVolumeSource{ClaimName: "foo"}}}}
+ 
++	claimpod, _ := makeTestPod("ns", "myclaimpod", "mynode", true)
++	claimpod.Spec.ResourceClaims = []api.PodResourceClaim{{Name: "myclaim", ResourceClaimName: pointer.String("myexternalclaim")}}
++
+ 	tests := []admitTestCase{
+ 		// Mirror pods bound to us
+ 		{
+@@ -882,6 +885,12 @@ func Test_nodePlugin_Admit(t *testing.T) {
+ 			attributes: admission.NewAttributesRecord(pvcpod, nil, podKind, pvcpod.Namespace, pvcpod.Name, podResource, "", admission.Create, &metav1.CreateOptions{}, false, mynode),
+ 			err:        "reference persistentvolumeclaims",
+ 		},
++		{
++			name:       "forbid create of pod referencing resourceclaim",
++			podsGetter: noExistingPods,
++			attributes: admission.NewAttributesRecord(claimpod, nil, podKind, claimpod.Namespace, claimpod.Name, podResource, "", admission.Create, &metav1.CreateOptions{}, false, mynode),
++			err:        "reference resourceclaim",
++		},
+ 
+ 		// My node object
+ 		{
+-- 
+2.45.2
+

SPECS/kubernetes/kubernetes.spec

@@ -10,7 +10,7 @@
 Summary:        Microsoft Kubernetes
 Name:           kubernetes
 Version:        1.30.10
-Release:        8%{?dist}
+Release:        9%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -26,6 +26,7 @@ Patch4:         CVE-2025-22869.patch
 Patch5:         CVE-2024-51744.patch
 Patch6:         CVE-2025-30204.patch
 Patch7:         CVE-2025-22872.patch
+Patch8:         CVE-2025-4563.patch
 BuildRequires:  flex-devel
 BuildRequires:  glibc-static >= 2.38-11%{?dist}
 BuildRequires:  golang
@@ -277,6 +278,9 @@ fi
 %{_exec_prefix}/local/bin/pause
 
 %changelog
+* Mon Jun 30 2025 Durga Jagadeesh Palli <[email protected]> - 1.30.10-9
+- Patch CVE-2025-4563
+
 * Thu May 22 2025 Kanishk Bansal <[email protected]> - 1.30.10-8
 - Bump to rebuild with updated glibc