
Commit 619f1ff

committed
fix: update SRIOV-NO version to fix CVE
Fixes: CVE-2022-1706 — Ignition config accessible to unprivileged software on VMware
Signed-off-by: Fred Rolland <[email protected]>
1 parent ead14c9 commit 619f1ff


10 files changed

+328
-305
lines changed


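--- a/Makefile
+++ b/Makefile
@@ -151,7 +151,7 @@ $(KUSTOMIZE):
 # setup-envtest is used to install test Kubernetes control plane components for envtest-based tests.
 SETUP_ENVTEST_PKG := sigs.k8s.io/controller-runtime/tools/setup-envtest
 SETUP_ENVTEST_BIN := setup-envtest
-SETUP_ENVTEST_VER := release-0.20
+SETUP_ENVTEST_VER := release-0.22
 SETUP_ENVTEST := $(abspath $(TOOLSDIR)/$(SETUP_ENVTEST_BIN)-$(SETUP_ENVTEST_VER))
 $(SETUP_ENVTEST):
 $(call go-install-tool,$(SETUP_ENVTEST_PKG),$(SETUP_ENVTEST_BIN),$(SETUP_ENVTEST_VER))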
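Review bot: `SETUP_ENVTEST_VER := release-0.22` pins setup-envtest to a branch name rather than an immutable tag or commit, so `go-install-tool` (defined outside this hunk) may build different code on different days while the cached binary under `$(TOOLSDIR)/$(SETUP_ENVTEST_BIN)-$(SETUP_ENVTEST_VER)` keeps looking up to date; a release tag or commit SHA would make the tool install reproducible. The same was true of `release-0.20`, so this is pre-existing, but the bump is the natural moment to fix it. Nothing visible on this page connects the envtest bump to the CVE-2022-1706 fix named in the commit message, so a comment recording the reason would help the next maintainer, e.g. `# release-0.22 presumably matches the controller-runtime version pulled in by the updated sriov-network-operator dependency — TODO confirm`.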

config/crd/bases/mellanox.com_nicclusterpolicies.yaml

Lines changed: 80 additions & 4 deletions
@@ -534,8 +534,9 @@ spec:
534534
in a Container.
535535
properties:
536536
name:
537-
description: Name of the environment variable. Must be a
538-
C_IDENTIFIER.
537+
description: |-
538+
Name of the environment variable.
539+
May consist of any printable ASCII characters except '='.
539540
type: string
540541
value:
541542
description: |-
@@ -593,6 +594,43 @@ spec:
593594
- fieldPath
594595
type: object
595596
x-kubernetes-map-type: atomic
597+
fileKeyRef:
598+
description: |-
599+
FileKeyRef selects a key of the env file.
600+
Requires the EnvFiles feature gate to be enabled.
601+
properties:
602+
key:
603+
description: |-
604+
The key within the env file. An invalid key will prevent the pod from starting.
605+
The keys defined within a source may consist of any printable ASCII characters except '='.
606+
During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
607+
type: string
608+
optional:
609+
default: false
610+
description: |-
611+
Specify whether the file or its key must be defined. If the file or key
612+
does not exist, then the env var is not published.
613+
If optional is set to true and the specified key does not exist,
614+
the environment variable will not be set in the Pod's containers.
615+
616+
If optional is set to false and the specified key does not exist,
617+
an error will be returned during Pod creation.
618+
type: boolean
619+
path:
620+
description: |-
621+
The path within the volume from which to select the file.
622+
Must be relative and may not contain the '..' path or start with '..'.
623+
type: string
624+
volumeName:
625+
description: The name of the volume mount containing
626+
the env file.
627+
type: string
628+
required:
629+
- key
630+
- path
631+
- volumeName
632+
type: object
633+
x-kubernetes-map-type: atomic
596634
resourceFieldRef:
597635
description: |-
598636
Selects a resource of the container: only resources limits and requests
@@ -1166,8 +1204,9 @@ spec:
11661204
in a Container.
11671205
properties:
11681206
name:
1169-
description: Name of the environment variable. Must be a
1170-
C_IDENTIFIER.
1207+
description: |-
1208+
Name of the environment variable.
1209+
May consist of any printable ASCII characters except '='.
11711210
type: string
11721211
value:
11731212
description: |-
@@ -1225,6 +1264,43 @@ spec:
12251264
- fieldPath
12261265
type: object
12271266
x-kubernetes-map-type: atomic
1267+
fileKeyRef:
1268+
description: |-
1269+
FileKeyRef selects a key of the env file.
1270+
Requires the EnvFiles feature gate to be enabled.
1271+
properties:
1272+
key:
1273+
description: |-
1274+
The key within the env file. An invalid key will prevent the pod from starting.
1275+
The keys defined within a source may consist of any printable ASCII characters except '='.
1276+
During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
1277+
type: string
1278+
optional:
1279+
default: false
1280+
description: |-
1281+
Specify whether the file or its key must be defined. If the file or key
1282+
does not exist, then the env var is not published.
1283+
If optional is set to true and the specified key does not exist,
1284+
the environment variable will not be set in the Pod's containers.
1285+
1286+
If optional is set to false and the specified key does not exist,
1287+
an error will be returned during Pod creation.
1288+
type: boolean
1289+
path:
1290+
description: |-
1291+
The path within the volume from which to select the file.
1292+
Must be relative and may not contain the '..' path or start with '..'.
1293+
type: string
1294+
volumeName:
1295+
description: The name of the volume mount containing
1296+
the env file.
1297+
type: string
1298+
required:
1299+
- key
1300+
- path
1301+
- volumeName
1302+
type: object
1303+
x-kubernetes-map-type: atomic
12281304
resourceFieldRef:
12291305
description: |-
12301306
Selects a resource of the container: only resources limits and requests

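--- a/controllers/drain_controller.go
+++ b/controllers/drain_controller.go
@@ -25,7 +25,7 @@ import (
 sriovnetworkv1 "github.com/k8snetworkplumbingwg/sriov-network-operator/api/v1"
 constants "github.com/k8snetworkplumbingwg/sriov-network-operator/pkg/consts"
 "github.com/k8snetworkplumbingwg/sriov-network-operator/pkg/drain"
-"github.com/k8snetworkplumbingwg/sriov-network-operator/pkg/platforms"
+"github.com/k8snetworkplumbingwg/sriov-network-operator/pkg/orchestrator"
 "github.com/k8snetworkplumbingwg/sriov-network-operator/pkg/utils"
 corev1 "k8s.io/api/core/v1"
 "k8s.io/apimachinery/pkg/api/errors"
@@ -65,9 +65,9 @@ type DrainReconcile struct {
 
 // NewDrainReconcileController creates a new DrainReconcile controller
 func NewDrainReconcileController(client client.Client, k8sConfig *rest.Config, scheme *runtime.Scheme,
-recorder record.EventRecorder, platformHelper platforms.Interface, migrationCh chan struct{},
+recorder record.EventRecorder, orchestrator orchestrator.Interface, migrationCh chan struct{},
 log logr.Logger) (*DrainReconcile, error) {
-drainer, err := drainer.NewDrainRequestor(client, k8sConfig, log, platformHelper)
+drainer, err := drainer.NewDrainRequestor(client, k8sConfig, log, orchestrator)
 if err != nil {
 return nil, err
 }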
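Review bot: The new parameter `orchestrator orchestrator.Interface` in NewDrainReconcileController shadows the `orchestrator` package imported in the first hunk for the whole function body, so any later reference to the package inside this function (a constant, a constructor) would fail to compile and the name reads ambiguously. Renaming the parameter avoids it: `recorder record.EventRecorder, orch orchestrator.Interface, migrationCh chan struct{},` and `drainer, err := drainer.NewDrainRequestor(client, k8sConfig, log, orch)`. The pre-existing `drainer, err := drainer.NewDrainRequestor(...)` shadows what is presumably the package behind the pkg/drain import in the same way and could be tidied in the same pass. The function body continues past the end of the hunk.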

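--- a/controllers/suite_test.go
+++ b/controllers/suite_test.go
@@ -26,8 +26,8 @@ import (
 maintenancev1alpha1 "github.com/Mellanox/maintenance-operator/api/v1alpha1"
 netattdefv1 "github.com/k8snetworkplumbingwg/network-attachment-definition-client/pkg/apis/k8s.cni.cncf.io/v1"
 sriovnetworkv1 "github.com/k8snetworkplumbingwg/sriov-network-operator/api/v1"
-mock_platforms "github.com/k8snetworkplumbingwg/sriov-network-operator/pkg/platforms/mock"
-"github.com/k8snetworkplumbingwg/sriov-network-operator/pkg/platforms/openshift"
+consts "github.com/k8snetworkplumbingwg/sriov-network-operator/pkg/consts"
+mock_orchestrator "github.com/k8snetworkplumbingwg/sriov-network-operator/pkg/orchestrator/mock"
 . "github.com/onsi/ginkgo/v2"
 . "github.com/onsi/gomega"
 osconfigv1 "github.com/openshift/api/config/v1"
@@ -82,12 +82,11 @@ func setupDrainControllerWithManager(k8sManager manager.Manager,
 migrationCompletionChan chan struct{}) {
 t := GinkgoT()
 mockCtrl := gomock.NewController(t)
-platformHelper := mock_platforms.NewMockInterface(mockCtrl)
-platformHelper.EXPECT().GetFlavor().Return(openshift.OpenshiftFlavorDefault).AnyTimes()
-platformHelper.EXPECT().IsOpenshiftCluster().Return(false).AnyTimes()
-platformHelper.EXPECT().IsHypershift().Return(false).AnyTimes()
-platformHelper.EXPECT().OpenshiftBeforeDrainNode(gomock.Any(), gomock.Any()).Return(true, nil).AnyTimes()
-platformHelper.EXPECT().OpenshiftAfterCompleteDrainNode(gomock.Any(), gomock.Any()).Return(true, nil).AnyTimes()
+orchestrator := mock_orchestrator.NewMockInterface(mockCtrl)
+orchestrator.EXPECT().Flavor().Return(consts.ClusterFlavorDefault).AnyTimes()
+orchestrator.EXPECT().ClusterType().Return(consts.ClusterTypeKubernetes).AnyTimes()
+orchestrator.EXPECT().BeforeDrainNode(gomock.Any(), gomock.Any()).Return(true, nil).AnyTimes()
+orchestrator.EXPECT().AfterCompleteDrainNode(gomock.Any(), gomock.Any()).Return(true, nil).AnyTimes()
 
 drainKClient, err := client.New(k8sConfig, client.Options{
 Scheme: scheme.Scheme,
@@ -105,7 +104,7 @@ func setupDrainControllerWithManager(k8sManager manager.Manager,
 k8sConfig,
 k8sManager.GetScheme(),
 k8sManager.GetEventRecorderFor("operator"),
-platformHelper,
+orchestrator,
 migrationCompletionChan,
 k8sManager.GetLogger().WithValues("Function", "Drain"))
 Expect(err).ToNot(HaveOccurred())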
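Review bot: The rebuilt mock in the second hunk stubs only Flavor, ClusterType, BeforeDrainNode and AfterCompleteDrainNode, and nothing in the hunk says what cluster shape it is meant to model, whereas the removed stub made the non-OpenShift intent explicit through IsOpenshiftCluster/IsHypershift returning false. A one-line comment above the mock would keep that intent visible, e.g. `// Model a plain Kubernetes cluster whose drain hooks always succeed; any other orchestrator call is unexpected and fails the suite.` If orchestrator.Interface carries a method the drain path still queries that is not stubbed here, gomock will report an unexpected call rather than a descriptive failure, which is worth confirming against the interface definition outside this page. setupDrainControllerWithManager starts before the second hunk and ends after the third.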

deployment/network-operator/crds/mellanox.com_nicclusterpolicies.yaml

Lines changed: 80 additions & 4 deletions
@@ -534,8 +534,9 @@ spec:
534534
in a Container.
535535
properties:
536536
name:
537-
description: Name of the environment variable. Must be a
538-
C_IDENTIFIER.
537+
description: |-
538+
Name of the environment variable.
539+
May consist of any printable ASCII characters except '='.
539540
type: string
540541
value:
541542
description: |-
@@ -593,6 +594,43 @@ spec:
593594
- fieldPath
594595
type: object
595596
x-kubernetes-map-type: atomic
597+
fileKeyRef:
598+
description: |-
599+
FileKeyRef selects a key of the env file.
600+
Requires the EnvFiles feature gate to be enabled.
601+
properties:
602+
key:
603+
description: |-
604+
The key within the env file. An invalid key will prevent the pod from starting.
605+
The keys defined within a source may consist of any printable ASCII characters except '='.
606+
During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
607+
type: string
608+
optional:
609+
default: false
610+
description: |-
611+
Specify whether the file or its key must be defined. If the file or key
612+
does not exist, then the env var is not published.
613+
If optional is set to true and the specified key does not exist,
614+
the environment variable will not be set in the Pod's containers.
615+
616+
If optional is set to false and the specified key does not exist,
617+
an error will be returned during Pod creation.
618+
type: boolean
619+
path:
620+
description: |-
621+
The path within the volume from which to select the file.
622+
Must be relative and may not contain the '..' path or start with '..'.
623+
type: string
624+
volumeName:
625+
description: The name of the volume mount containing
626+
the env file.
627+
type: string
628+
required:
629+
- key
630+
- path
631+
- volumeName
632+
type: object
633+
x-kubernetes-map-type: atomic
596634
resourceFieldRef:
597635
description: |-
598636
Selects a resource of the container: only resources limits and requests
@@ -1166,8 +1204,9 @@ spec:
11661204
in a Container.
11671205
properties:
11681206
name:
1169-
description: Name of the environment variable. Must be a
1170-
C_IDENTIFIER.
1207+
description: |-
1208+
Name of the environment variable.
1209+
May consist of any printable ASCII characters except '='.
11711210
type: string
11721211
value:
11731212
description: |-
@@ -1225,6 +1264,43 @@ spec:
12251264
- fieldPath
12261265
type: object
12271266
x-kubernetes-map-type: atomic
1267+
fileKeyRef:
1268+
description: |-
1269+
FileKeyRef selects a key of the env file.
1270+
Requires the EnvFiles feature gate to be enabled.
1271+
properties:
1272+
key:
1273+
description: |-
1274+
The key within the env file. An invalid key will prevent the pod from starting.
1275+
The keys defined within a source may consist of any printable ASCII characters except '='.
1276+
During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters.
1277+
type: string
1278+
optional:
1279+
default: false
1280+
description: |-
1281+
Specify whether the file or its key must be defined. If the file or key
1282+
does not exist, then the env var is not published.
1283+
If optional is set to true and the specified key does not exist,
1284+
the environment variable will not be set in the Pod's containers.
1285+
1286+
If optional is set to false and the specified key does not exist,
1287+
an error will be returned during Pod creation.
1288+
type: boolean
1289+
path:
1290+
description: |-
1291+
The path within the volume from which to select the file.
1292+
Must be relative and may not contain the '..' path or start with '..'.
1293+
type: string
1294+
volumeName:
1295+
description: The name of the volume mount containing
1296+
the env file.
1297+
type: string
1298+
required:
1299+
- key
1300+
- path
1301+
- volumeName
1302+
type: object
1303+
x-kubernetes-map-type: atomic
12281304
resourceFieldRef:
12291305
description: |-
12301306
Selects a resource of the container: only resources limits and requests
