
Istio security issue fix #1730


Merged
The diff you're trying to view is too large. We only load the first 3000 changed files.
2 changes: 1 addition & 1 deletion .github/workflows/go.yml
Expand Up @@ -15,7 +15,7 @@ jobs:
name: Golangci-lint
strategy:
matrix:
platform: [ ubuntu-20.04 ]
platform: [ ubuntu-24.04 ]
runs-on: ${{ matrix.platform }}
steps:
- name: Set up Go 1.23.8
2 changes: 1 addition & 1 deletion ako-gateway-api/k8s/gateway_controller.go
Expand Up @@ -43,7 +43,7 @@ var ctrlonce sync.Once
type GatewayController struct {
worker_id uint32
informers *utils.Informers
workqueue []workqueue.RateLimitingInterface
workqueue []workqueue.RateLimitingInterface //nolint:staticcheck
DisableSync bool
}
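Review bot: The `//nolint:staticcheck` added on the `workqueue` field of `GatewayController` silences every staticcheck finding on that line and gives no reason, so a later reader cannot tell which warning was accepted or when the directive can be removed. Presumably it hides a deprecation notice for `workqueue.RateLimitingInterface`; if so, name the check and the follow-up in the directive, for example `workqueue []workqueue.RateLimitingInterface //nolint:staticcheck // SA1019: deprecated interface, replace when client-go is upgraded`. In a change titled as a security fix, unexplained suppressions make it harder to audit what was fixed and what was only hidden.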

3 changes: 3 additions & 0 deletions ako-operator/controllers/akoconfig_controller.go
Expand Up @@ -15,6 +15,7 @@ See the License for the specific language governing permissions and
limitations under the License.
*/

//nolint:unparam
package controllers

import (
Expand Down Expand Up @@ -237,12 +238,14 @@ func (r *AKOConfigReconciler) CleanupArtifacts(ctx context.Context, log logr.Log
} else {
objList[getSAName()] = &sa
}

var psp policyv1beta1.PodSecurityPolicy
if err := r.Get(ctx, getPSPName(), &psp); err != nil {
log.V(0).Info("error getting podsecuritypolicy", "error", err)
} else {
objList[getPSPName()] = &psp
}

var gwClass gatewayv1beta1.GatewayClass
if err := r.Get(ctx, getGWClassName(), &gwClass); err != nil {
log.V(0).Info("error getting gatewayclass", "error", err)
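Review bot: The `//nolint:unparam` placed directly above `package controllers` applies to the whole file rather than to one function, so any later unused-parameter or always-nil-result finding in akoconfig_controller.go is hidden as well; the same file-wide directive is added in ako-operator/controllers/psp.go. Prefer putting the directive on the specific function that triggers the finding and stating why, in the form `//nolint:unparam // <reason the signature must stay as it is>`. The second hunk only adds blank lines around the PodSecurityPolicy lookup in `CleanupArtifacts`, whose body starts and ends outside the hunk.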
10 changes: 6 additions & 4 deletions ako-operator/controllers/psp.go
Expand Up @@ -14,22 +14,24 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

//nolint:unparam
package controllers

import (
"context"
"reflect"

"github.com/go-logr/logr"
logr "github.com/go-logr/logr"
akov1alpha1 "github.com/vmware/load-balancer-and-ingress-services-for-kubernetes/ako-operator/api/v1alpha1"
policyv1beta1 "k8s.io/api/policy/v1beta1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"

akov1alpha1 "github.com/vmware/load-balancer-and-ingress-services-for-kubernetes/ako-operator/api/v1alpha1"
)

func createOrUpdatePodSecurityPolicy(ctx context.Context, ako akov1alpha1.AKOConfig, log logr.Logger, r *AKOConfigReconciler) error {
var oldPSP policyv1beta1.PodSecurityPolicy

var oldPSP policyv1beta1.PodSecurityPolicy //nolint:errcheck

if err := r.Get(ctx, getPSPName(), &oldPSP); err != nil {
log.V(0).Info("no pre-existing podsecuritypolicy with name", "name", PSPName)
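Review bot: The `//nolint:errcheck` on `var oldPSP policyv1beta1.PodSecurityPolicy` in `createOrUpdatePodSecurityPolicy` has nothing to suppress, because a variable declaration returns no error; drop it, or move it with a reason to the call whose error is deliberately ignored. The `r.Get` directly below logs "no pre-existing podsecuritypolicy" for every error, so in the log an authorization or API failure looks the same as a missing object; a comment such as `// NOTE: every Get error is treated as "object absent" here` would make that choice explicit, or the branch could test `apierrors.IsNotFound(err)` from k8s.io/apimachinery/pkg/api/errors, which the visible import block does not yet include. The import hunk also introduces a redundant alias in `logr "github.com/go-logr/logr"`. The function body continues outside the hunk.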
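--- a/ako-operator/go.mod
+++ b/ako-operator/go.mod
@@ -0,0 +1,85 @@
+module github.com/vmware/load-balancer-and-ingress-services-for-kubernetes/ako-operator
+
+go 1.23.8
+
+toolchain go1.24.1
+
+require (
+github.com/go-logr/logr v1.4.2
+github.com/onsi/gomega v1.35.1
+github.com/vmware/load-balancer-and-ingress-services-for-kubernetes v0.1.0
+k8s.io/api v0.32.1
+k8s.io/apiextensions-apiserver v0.28.3
+k8s.io/apimachinery v0.32.1
+k8s.io/client-go v0.32.1
+sigs.k8s.io/controller-runtime v0.16.3
+sigs.k8s.io/gateway-api v1.0.0
+)
+
+require (
+github.com/beorn7/perks v1.0.1 // indirect
+github.com/cespare/xxhash/v2 v2.2.0 // indirect
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+github.com/emicklei/go-restful/v3 v3.11.0 // indirect
+github.com/evanphx/json-patch/v5 v5.7.0 // indirect
+github.com/fsnotify/fsnotify v1.7.0 // indirect
+github.com/go-logr/zapr v1.2.4 // indirect
+github.com/go-openapi/jsonpointer v0.21.0 // indirect
+github.com/go-openapi/jsonreference v0.20.2 // indirect
+github.com/go-openapi/swag v0.23.0 // indirect
+github.com/gogo/protobuf v1.3.2 // indirect
+github.com/golang/glog v1.0.0 // indirect
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+github.com/golang/protobuf v1.5.4 // indirect
+github.com/google/gnostic-models v0.6.8 // indirect
+github.com/google/go-cmp v0.6.0 // indirect
+github.com/google/gofuzz v1.2.0 // indirect
+github.com/google/uuid v1.6.0 // indirect
+github.com/imdario/mergo v0.3.16 // indirect
+github.com/josharian/intern v1.0.0 // indirect
+github.com/json-iterator/go v1.1.12 // indirect
+github.com/mailru/easyjson v0.7.7 // indirect
+github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+github.com/modern-go/reflect2 v1.0.2 // indirect
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+github.com/openshift/api v0.0.0-20201019163320-c6a5ec25f267 // indirect
+github.com/openshift/client-go v0.0.0-20201020082437-7737f16e53fc // indirect
+github.com/pkg/errors v0.9.1 // indirect
+github.com/prometheus/client_golang v1.17.0 // indirect
+github.com/prometheus/client_model v0.5.0 // indirect
+github.com/prometheus/common v0.45.0 // indirect
+github.com/prometheus/procfs v0.12.0 // indirect
+github.com/spf13/pflag v1.0.5 // indirect
+github.com/vmware-tanzu/service-apis v0.0.0-20200901171416-461d35e58618 // indirect
+github.com/vmware/alb-sdk v0.0.0-20250407104238-8f88209a8f1a // indirect
+go.uber.org/multierr v1.11.0 // indirect
+go.uber.org/zap v1.26.0 // indirect
+golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect
+golang.org/x/net v0.38.0 // indirect
+golang.org/x/oauth2 v0.23.0 // indirect
+golang.org/x/sys v0.31.0 // indirect
+golang.org/x/term v0.30.0 // indirect
+golang.org/x/text v0.23.0 // indirect
+golang.org/x/time v0.7.0 // indirect
+gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
+google.golang.org/protobuf v1.36.0 // indirect
+gopkg.in/inf.v0 v0.9.1 // indirect
+gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
+gopkg.in/yaml.v3 v3.0.1 // indirect
+k8s.io/component-base v0.28.3 // indirect
+k8s.io/klog/v2 v2.130.1 // indirect
+k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect
+k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e // indirect
+sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
+sigs.k8s.io/service-apis v0.1.0 // indirect
+sigs.k8s.io/structured-merge-diff/v4 v4.5.0 // indirect
+sigs.k8s.io/yaml v1.4.0 // indirect
+)
+
+replace (
+github.com/vmware/load-balancer-and-ingress-services-for-kubernetes => ../
+k8s.io/api => k8s.io/api v0.28.3
+k8s.io/apimachinery => k8s.io/apimachinery v0.28.3
+k8s.io/client-go => k8s.io/client-go v0.28.3
+)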
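Review bot: The `replace` block pins `k8s.io/api`, `k8s.io/apimachinery` and `k8s.io/client-go` to v0.28.3, which overrides the v0.32.1 versions listed in the first `require` block, so the operator is still built against v0.28.3. If the v0.32.1 entries were meant to carry the security fix, they do not take effect, and a dependency scanner that reads only the `require` lines may report the newer version as in use. Possibly the pins exist because the controllers still use `policyv1beta1.PodSecurityPolicy`, but nothing on the page says so. Either align `require` with the version actually built, or add a comment above the three entries in the form `// pinned to v0.28.3 because <reason>; remove when <condition>`.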