rebase: update kubernetes to 1.28.3

update kubernetes dependency to 1.28.3
release.

Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
This commit is contained in:
Madhu Rajanna 2023-10-19 10:42:48 +02:00 committed by mergify[bot]
parent 1fc9678342
commit 852b829fa9
13 changed files with 207 additions and 138 deletions

View File

@ -6,7 +6,7 @@ require (
github.com/ghodss/yaml v1.0.0 github.com/ghodss/yaml v1.0.0
github.com/openshift/api v0.0.0-20230320192226-1fc631efd341 github.com/openshift/api v0.0.0-20230320192226-1fc631efd341
github.com/stretchr/testify v1.8.4 github.com/stretchr/testify v1.8.4
k8s.io/api v0.28.2 k8s.io/api v0.28.3
) )
require ( require (
@ -23,7 +23,7 @@ require (
gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/apimachinery v0.28.2 // indirect k8s.io/apimachinery v0.28.3 // indirect
k8s.io/klog/v2 v2.100.1 // indirect k8s.io/klog/v2 v2.100.1 // indirect
k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect

View File

@ -73,10 +73,10 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
k8s.io/api v0.28.2 h1:9mpl5mOb6vXZvqbQmankOfPIGiudghwCoLl1EYfUZbw= k8s.io/api v0.28.3 h1:Gj1HtbSdB4P08C8rs9AR94MfSGpRhJgsS+GF9V26xMM=
k8s.io/api v0.28.2/go.mod h1:RVnJBsjU8tcMq7C3iaRSGMeaKt2TWEUXcpIt/90fjEg= k8s.io/api v0.28.3/go.mod h1:MRCV/jr1dW87/qJnZ57U5Pak65LGmQVkKTzf3AtKFHc=
k8s.io/apimachinery v0.28.2 h1:KCOJLrc6gu+wV1BYgwik4AF4vXOlVJPdiqn0yAWWwXQ= k8s.io/apimachinery v0.28.3 h1:B1wYx8txOaCQG0HmYF6nbpU8dg6HvA06x5tEffvOe7A=
k8s.io/apimachinery v0.28.2/go.mod h1:RdzF87y/ngqk9H4z3EL2Rppv5jj95vGS/HaFXrLDApU= k8s.io/apimachinery v0.28.3/go.mod h1:uQTKmIqs+rAYaq+DFaoD2X7pcjLOqbQX2AOiO0nIpb8=
k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg=
k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk= k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk=

76
go.mod
View File

@ -35,13 +35,13 @@ require (
// //
// when updating k8s.io/kubernetes, make sure to update the replace section too // when updating k8s.io/kubernetes, make sure to update the replace section too
// //
k8s.io/api v0.28.2 k8s.io/api v0.28.3
k8s.io/apimachinery v0.28.2 k8s.io/apimachinery v0.28.3
k8s.io/client-go v12.0.0+incompatible k8s.io/client-go v12.0.0+incompatible
k8s.io/cloud-provider v0.28.2 k8s.io/cloud-provider v0.28.3
k8s.io/klog/v2 v2.100.1 k8s.io/klog/v2 v2.100.1
k8s.io/kubernetes v1.28.2 k8s.io/kubernetes v1.28.3
k8s.io/mount-utils v0.28.2 k8s.io/mount-utils v0.28.3
k8s.io/pod-security-admission v0.0.0 k8s.io/pod-security-admission v0.0.0
k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 k8s.io/utils v0.0.0-20230406110748-d93618cff8a2
sigs.k8s.io/controller-runtime v0.16.2 sigs.k8s.io/controller-runtime v0.16.2
@ -163,12 +163,12 @@ require (
gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/apiextensions-apiserver v0.28.0 // indirect k8s.io/apiextensions-apiserver v0.28.3 // indirect
k8s.io/apiserver v0.28.2 // indirect k8s.io/apiserver v0.28.3 // indirect
k8s.io/component-base v0.28.2 // indirect k8s.io/component-base v0.28.3 // indirect
k8s.io/component-helpers v0.28.2 // indirect k8s.io/component-helpers v0.28.3 // indirect
k8s.io/controller-manager v0.28.2 // indirect k8s.io/controller-manager v0.28.3 // indirect
k8s.io/kms v0.28.2 // indirect k8s.io/kms v0.28.3 // indirect
k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect
k8s.io/kubectl v0.0.0 // indirect k8s.io/kubectl v0.0.0 // indirect
k8s.io/kubelet v0.0.0 // indirect k8s.io/kubelet v0.0.0 // indirect
@ -188,33 +188,33 @@ replace (
// //
// k8s.io/kubernetes depends on these k8s.io packages, but unversioned // k8s.io/kubernetes depends on these k8s.io packages, but unversioned
// //
k8s.io/api => k8s.io/api v0.28.2 k8s.io/api => k8s.io/api v0.28.3
k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.28.2 k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.28.3
k8s.io/apimachinery => k8s.io/apimachinery v0.28.2 k8s.io/apimachinery => k8s.io/apimachinery v0.28.3
k8s.io/apiserver => k8s.io/apiserver v0.28.2 k8s.io/apiserver => k8s.io/apiserver v0.28.3
k8s.io/cli-runtime => k8s.io/cli-runtime v0.28.2 k8s.io/cli-runtime => k8s.io/cli-runtime v0.28.3
k8s.io/client-go => k8s.io/client-go v0.28.2 k8s.io/client-go => k8s.io/client-go v0.28.3
k8s.io/cloud-provider => k8s.io/cloud-provider v0.28.2 k8s.io/cloud-provider => k8s.io/cloud-provider v0.28.3
k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.28.2 k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.28.3
k8s.io/code-generator => k8s.io/code-generator v0.28.2 k8s.io/code-generator => k8s.io/code-generator v0.28.3
k8s.io/component-base => k8s.io/component-base v0.28.2 k8s.io/component-base => k8s.io/component-base v0.28.3
k8s.io/component-helpers => k8s.io/component-helpers v0.28.2 k8s.io/component-helpers => k8s.io/component-helpers v0.28.3
k8s.io/controller-manager => k8s.io/controller-manager v0.28.2 k8s.io/controller-manager => k8s.io/controller-manager v0.28.3
k8s.io/cri-api => k8s.io/cri-api v0.28.2 k8s.io/cri-api => k8s.io/cri-api v0.28.3
k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.28.2 k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.28.3
k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.28.2 k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.28.3
k8s.io/endpointslice => k8s.io/endpointslice v0.28.2 k8s.io/endpointslice => k8s.io/endpointslice v0.28.3
k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.28.2 k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.28.3
k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.28.2 k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.28.3
k8s.io/kube-proxy => k8s.io/kube-proxy v0.28.2 k8s.io/kube-proxy => k8s.io/kube-proxy v0.28.3
k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.28.2 k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.28.3
k8s.io/kubectl => k8s.io/kubectl v0.28.2 k8s.io/kubectl => k8s.io/kubectl v0.28.3
k8s.io/kubelet => k8s.io/kubelet v0.28.2 k8s.io/kubelet => k8s.io/kubelet v0.28.3
k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.28.2 k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.28.3
k8s.io/metrics => k8s.io/metrics v0.28.2 k8s.io/metrics => k8s.io/metrics v0.28.3
k8s.io/mount-utils => k8s.io/mount-utils v0.28.2 k8s.io/mount-utils => k8s.io/mount-utils v0.28.3
k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.28.2 k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.28.3
k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.28.2 k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.28.3
// layeh.com seems to be misbehaving // layeh.com seems to be misbehaving
layeh.com/radius => github.com/layeh/radius v0.0.0-20190322222518-890bc1058917 layeh.com/radius => github.com/layeh/radius v0.0.0-20190322222518-890bc1058917
) )

69
go.sum
View File

@ -1519,7 +1519,6 @@ golang.org/x/crypto v0.0.0-20220408190544-5352b0902921/go.mod h1:IxCIyHEi3zRg3s0
golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw= golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio=
golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc= golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@ -1658,7 +1657,6 @@ golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns= golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg= golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
golang.org/x/net v0.13.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA=
golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
@ -1820,7 +1818,6 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
@ -1834,7 +1831,6 @@ golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY= golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo= golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o=
golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek= golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek=
golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@ -1853,7 +1849,6 @@ golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k= golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@ -2285,26 +2280,26 @@ honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9
honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
honnef.co/go/tools v0.1.3/go.mod h1:NgwopIslSNH47DimFoV78dnkksY2EFtX0ajyb3K/las= honnef.co/go/tools v0.1.3/go.mod h1:NgwopIslSNH47DimFoV78dnkksY2EFtX0ajyb3K/las=
honnef.co/go/tools v0.3.0/go.mod h1:vlRD9XErLMGT+mDuofSr0mMMquscM/1nQqtRSsh6m70= honnef.co/go/tools v0.3.0/go.mod h1:vlRD9XErLMGT+mDuofSr0mMMquscM/1nQqtRSsh6m70=
k8s.io/api v0.28.2 h1:9mpl5mOb6vXZvqbQmankOfPIGiudghwCoLl1EYfUZbw= k8s.io/api v0.28.3 h1:Gj1HtbSdB4P08C8rs9AR94MfSGpRhJgsS+GF9V26xMM=
k8s.io/api v0.28.2/go.mod h1:RVnJBsjU8tcMq7C3iaRSGMeaKt2TWEUXcpIt/90fjEg= k8s.io/api v0.28.3/go.mod h1:MRCV/jr1dW87/qJnZ57U5Pak65LGmQVkKTzf3AtKFHc=
k8s.io/apiextensions-apiserver v0.28.2 h1:J6/QRWIKV2/HwBhHRVITMLYoypCoPY1ftigDM0Kn+QU= k8s.io/apiextensions-apiserver v0.28.3 h1:Od7DEnhXHnHPZG+W9I97/fSQkVpVPQx2diy+2EtmY08=
k8s.io/apiextensions-apiserver v0.28.2/go.mod h1:5tnkxLGa9nefefYzWuAlWZ7RZYuN/765Au8cWLA6SRg= k8s.io/apiextensions-apiserver v0.28.3/go.mod h1:NE1XJZ4On0hS11aWWJUTNkmVB03j9LM7gJSisbRt8Lc=
k8s.io/apimachinery v0.28.2 h1:KCOJLrc6gu+wV1BYgwik4AF4vXOlVJPdiqn0yAWWwXQ= k8s.io/apimachinery v0.28.3 h1:B1wYx8txOaCQG0HmYF6nbpU8dg6HvA06x5tEffvOe7A=
k8s.io/apimachinery v0.28.2/go.mod h1:RdzF87y/ngqk9H4z3EL2Rppv5jj95vGS/HaFXrLDApU= k8s.io/apimachinery v0.28.3/go.mod h1:uQTKmIqs+rAYaq+DFaoD2X7pcjLOqbQX2AOiO0nIpb8=
k8s.io/apiserver v0.28.2 h1:rBeYkLvF94Nku9XfXyUIirsVzCzJBs6jMn3NWeHieyI= k8s.io/apiserver v0.28.3 h1:8Ov47O1cMyeDzTXz0rwcfIIGAP/dP7L8rWbEljRcg5w=
k8s.io/apiserver v0.28.2/go.mod h1:f7D5e8wH8MWcKD7azq6Csw9UN+CjdtXIVQUyUhrtb+E= k8s.io/apiserver v0.28.3/go.mod h1:YIpM+9wngNAv8Ctt0rHG4vQuX/I5rvkEMtZtsxW2rNM=
k8s.io/client-go v0.28.2 h1:DNoYI1vGq0slMBN/SWKMZMw0Rq+0EQW6/AK4v9+3VeY= k8s.io/client-go v0.28.3 h1:2OqNb72ZuTZPKCl+4gTKvqao0AMOl9f3o2ijbAj3LI4=
k8s.io/client-go v0.28.2/go.mod h1:sMkApowspLuc7omj1FOSUxSoqjr+d5Q0Yc0LOFnYFJY= k8s.io/client-go v0.28.3/go.mod h1:LTykbBp9gsA7SwqirlCXBWtK0guzfhpoW4qSm7i9dxo=
k8s.io/cloud-provider v0.28.2 h1:9qsYm86hm4bnPgZbl9LE29Zfgjuq3NZR2dgtPioJ40s= k8s.io/cloud-provider v0.28.3 h1:9u+JjA3zIn0nqLOOa8tWnprFkffguSAhfBvo8p7LhBQ=
k8s.io/cloud-provider v0.28.2/go.mod h1:40fqf6MtgYho5Eu4gkyLgh5abxU/QKTMTIwBxt4ILyU= k8s.io/cloud-provider v0.28.3/go.mod h1:shAJxdrKu+SwwGUhkodxByPjaH8KBFZqXo6jU1F0ehI=
k8s.io/code-generator v0.28.2/go.mod h1:ueeSJZJ61NHBa0ccWLey6mwawum25vX61nRZ6WOzN9A= k8s.io/code-generator v0.28.3/go.mod h1:A2EAHTRYvCvBrb/MM2zZBNipeCk3f8NtpdNIKawC43M=
k8s.io/component-base v0.28.2 h1:Yc1yU+6AQSlpJZyvehm/NkJBII72rzlEsd6MkBQ+G0E= k8s.io/component-base v0.28.3 h1:rDy68eHKxq/80RiMb2Ld/tbH8uAE75JdCqJyi6lXMzI=
k8s.io/component-base v0.28.2/go.mod h1:4IuQPQviQCg3du4si8GpMrhAIegxpsgPngPRR/zWpzc= k8s.io/component-base v0.28.3/go.mod h1:fDJ6vpVNSk6cRo5wmDa6eKIG7UlIQkaFmZN2fYgIUD8=
k8s.io/component-helpers v0.28.2 h1:r/XJ265PMirW9EcGXr/F+2yWrLPo2I69KdvcY/h9HAo= k8s.io/component-helpers v0.28.3 h1:te9ieTGzcztVktUs92X53P6BamAoP73MK0qQP0WmDqc=
k8s.io/component-helpers v0.28.2/go.mod h1:pF1R5YWQ+sgf0i6EbVm+MQCzkYuqutDUibdrkvAa6aI= k8s.io/component-helpers v0.28.3/go.mod h1:oJR7I9ist5UAQ3y/CTdbw6CXxdMZ1Lw2Ua/EZEwnVLs=
k8s.io/controller-manager v0.28.2 h1:C2RKx+NH3Iw+4yLdTGNJlYUd4cRV1N8tKl4XfqMwuTk= k8s.io/controller-manager v0.28.3 h1:2s0wBvrGuRwMYEnl5Ed+qkK1kAfZR6H+0Ut1R2tHLRg=
k8s.io/controller-manager v0.28.2/go.mod h1:7bT6FlTE96Co7QevCtvcVnZZIJSaGj6F7EmyT2Rf3GY= k8s.io/controller-manager v0.28.3/go.mod h1:lYu5hxBVmfK5NrpmeVrioPH4ROnE4OxmUM3xx6JWlLs=
k8s.io/csi-translation-lib v0.28.2 h1:63MIOXUn5bet2Mw7G+A7zFmLzQ/vzBrjvNYIlXYh/n0= k8s.io/csi-translation-lib v0.28.3 h1:7deV+HZjV418AGikSDPW8dyzTpm4K3tNbQUp3KmR7cs=
k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
k8s.io/gengo v0.0.0-20220902162205-c0856e24416d/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/gengo v0.0.0-20220902162205-c0856e24416d/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
@ -2314,22 +2309,22 @@ k8s.io/klog/v2 v2.4.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y=
k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg=
k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
k8s.io/kms v0.28.2 h1:KhG63LHopCdzs1oKA1j+NWleuIXudgOyCqJo4yi3GaM= k8s.io/kms v0.28.3 h1:jYwwAe96XELNjYWv1G4kNzizcFoZ50OOElvPansbw70=
k8s.io/kms v0.28.2/go.mod h1:iAjgIqBrV2+8kmsjbbgUkAyKSuYq5g1dW9knpt6OhaE= k8s.io/kms v0.28.3/go.mod h1:kSMjU2tg7vjqqoWVVCcmPmNZ/CofPsoTbSxAipCvZuE=
k8s.io/kube-openapi v0.0.0-20180731170545-e3762e86a74c/go.mod h1:BXM9ceUBTj2QnfH2MK1odQs778ajze1RxcmP6S8RVVc= k8s.io/kube-openapi v0.0.0-20180731170545-e3762e86a74c/go.mod h1:BXM9ceUBTj2QnfH2MK1odQs778ajze1RxcmP6S8RVVc=
k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4= k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4=
k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 h1:LyMgNKD2P8Wn1iAwQU5OhxCKlKJy0sHc+PcDwFB24dQ= k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 h1:LyMgNKD2P8Wn1iAwQU5OhxCKlKJy0sHc+PcDwFB24dQ=
k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM= k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM=
k8s.io/kubectl v0.28.2 h1:fOWOtU6S0smdNjG1PB9WFbqEIMlkzU5ahyHkc7ESHgM= k8s.io/kubectl v0.28.3 h1:H1Peu1O3EbN9zHkJCcvhiJ4NUj6lb88sGPO5wrWIM6k=
k8s.io/kubectl v0.28.2/go.mod h1:6EQWTPySF1fn7yKoQZHYf9TPwIl2AygHEcJoxFekr64= k8s.io/kubectl v0.28.3/go.mod h1:RDAudrth/2wQ3Sg46fbKKl4/g+XImzvbsSRZdP2RiyE=
k8s.io/kubelet v0.28.2 h1:wqe5zKtVhNWwtdABU0mpcWVe8hc6VdVvs2kqQridZRw= k8s.io/kubelet v0.28.3 h1:bp/uIf1R5F61BlFvFtzc4PDEiK7TtFcw3wFJlc0V0LM=
k8s.io/kubelet v0.28.2/go.mod h1:rvd0e7T5TjPcfZvy62P90XhFzp0IhPIOy+Pqy3Rtipo= k8s.io/kubelet v0.28.3/go.mod h1:E3NHYbp/v45Ao6AD0EOZnqO3L0R6Haks6Nm0+bnFwtU=
k8s.io/kubernetes v1.28.2 h1:GhcnYeNTukeaC0dD5BC+UWBvzQsFEpWj7XBVMQptfYc= k8s.io/kubernetes v1.28.3 h1:XTci6gzk+JR51UZuZQCFJ4CsyUkfivSjLI4O1P9z6LY=
k8s.io/kubernetes v1.28.2/go.mod h1:FmB1Mlp9ua0ezuwQCTGs/y6wj/fVisN2sVxhzjj0WDk= k8s.io/kubernetes v1.28.3/go.mod h1:NhAysZWvHtNcJFFHic87ofxQN7loylCQwg3ZvXVDbag=
k8s.io/mount-utils v0.28.2 h1:sIdMH7fRhcU48V1oYJ9cLmLm/TG+2jLhhe8eS3I+FWg= k8s.io/mount-utils v0.28.3 h1:1p6Dk2QhoK0IYOee2MOec/90a7fC0yUqlWPfQy/4JFE=
k8s.io/mount-utils v0.28.2/go.mod h1:AyP8LmZSLgpGdFQr+vzHTerlPiGvXUdP99n98Er47jw= k8s.io/mount-utils v0.28.3/go.mod h1:ceMAZ+Nzlk8zOwN205YXXGJRGmf1o0/XIwsKnG44p0I=
k8s.io/pod-security-admission v0.28.2 h1:3kiOL+gc6auNTGHuQ0hVsGxYu2YO/7DZb0xYR84GxiQ= k8s.io/pod-security-admission v0.28.3 h1:CtVVG36YwniCH4d18wAoFW6n0Qm5Z1uUVfDIiO4kY0I=
k8s.io/pod-security-admission v0.28.2/go.mod h1:gReea39xbhIzf4Ry0FDuiTi8uj1N5R9YXOh8zQSuTxs= k8s.io/pod-security-admission v0.28.3/go.mod h1:qm+gZ8FdnxBgVVTZfSjlK/oeBosmvECBdl92RWuWxhI=
k8s.io/utils v0.0.0-20190506122338-8fab8cb257d5/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew= k8s.io/utils v0.0.0-20190506122338-8fab8cb257d5/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
k8s.io/utils v0.0.0-20221128185143-99ec85e7a448/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= k8s.io/utils v0.0.0-20221128185143-99ec85e7a448/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=

View File

@ -126,14 +126,17 @@ type rudimentaryErrorBackoff struct {
// OnError will block if it is called more often than the embedded period time. // OnError will block if it is called more often than the embedded period time.
// This will prevent overly tight hot error loops. // This will prevent overly tight hot error loops.
func (r *rudimentaryErrorBackoff) OnError(error) { func (r *rudimentaryErrorBackoff) OnError(error) {
now := time.Now() // start the timer before acquiring the lock
r.lastErrorTimeLock.Lock() r.lastErrorTimeLock.Lock()
defer r.lastErrorTimeLock.Unlock() d := now.Sub(r.lastErrorTime)
d := time.Since(r.lastErrorTime)
if d < r.minPeriod {
// If the time moves backwards for any reason, do nothing
time.Sleep(r.minPeriod - d)
}
r.lastErrorTime = time.Now() r.lastErrorTime = time.Now()
r.lastErrorTimeLock.Unlock()
// Do not sleep with the lock held because that causes all callers of HandleError to block.
// We only want the current goroutine to block.
// A negative or zero duration causes time.Sleep to return immediately.
// If the time moves backwards for any reason, do nothing.
time.Sleep(r.minPeriod - d)
} }
// GetCaller returns the caller of the function that calls it. // GetCaller returns the caller of the function that calls it.

View File

@ -29,8 +29,11 @@ import (
"k8s.io/apiserver/pkg/authentication/authenticator" "k8s.io/apiserver/pkg/authentication/authenticator"
"k8s.io/apiserver/pkg/authentication/authenticatorfactory" "k8s.io/apiserver/pkg/authentication/authenticatorfactory"
"k8s.io/apiserver/pkg/authentication/request/headerrequest" "k8s.io/apiserver/pkg/authentication/request/headerrequest"
"k8s.io/apiserver/pkg/authentication/user"
"k8s.io/apiserver/pkg/endpoints/handlers/responsewriters" "k8s.io/apiserver/pkg/endpoints/handlers/responsewriters"
genericapirequest "k8s.io/apiserver/pkg/endpoints/request" genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
genericfeatures "k8s.io/apiserver/pkg/features"
utilfeature "k8s.io/apiserver/pkg/util/feature"
"k8s.io/klog/v2" "k8s.io/klog/v2"
) )
@ -101,6 +104,18 @@ func withAuthentication(handler http.Handler, auth authenticator.Request, failed
) )
} }
// http2 is an expensive protocol that is prone to abuse,
// see CVE-2023-44487 and CVE-2023-39325 for an example.
// Do not allow unauthenticated clients to keep these
// connections open (i.e. basically degrade them to the
// performance of http1 with keep-alive disabled).
if utilfeature.DefaultFeatureGate.Enabled(genericfeatures.UnauthenticatedHTTP2DOSMitigation) && req.ProtoMajor == 2 && isAnonymousUser(resp.User) {
// limit this connection to just this request,
// and then send a GOAWAY and tear down the TCP connection
// https://github.com/golang/net/commit/97aa3a539ec716117a9d15a4659a911f50d13c3c
w.Header().Set("Connection", "close")
}
req = req.WithContext(genericapirequest.WithUser(req.Context(), resp.User)) req = req.WithContext(genericapirequest.WithUser(req.Context(), resp.User))
handler.ServeHTTP(w, req) handler.ServeHTTP(w, req)
}) })
@ -108,6 +123,17 @@ func withAuthentication(handler http.Handler, auth authenticator.Request, failed
func Unauthorized(s runtime.NegotiatedSerializer) http.Handler { func Unauthorized(s runtime.NegotiatedSerializer) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
// http2 is an expensive protocol that is prone to abuse,
// see CVE-2023-44487 and CVE-2023-39325 for an example.
// Do not allow unauthenticated clients to keep these
// connections open (i.e. basically degrade them to the
// performance of http1 with keep-alive disabled).
if utilfeature.DefaultFeatureGate.Enabled(genericfeatures.UnauthenticatedHTTP2DOSMitigation) && req.ProtoMajor == 2 {
// limit this connection to just this request,
// and then send a GOAWAY and tear down the TCP connection
// https://github.com/golang/net/commit/97aa3a539ec716117a9d15a4659a911f50d13c3c
w.Header().Set("Connection", "close")
}
ctx := req.Context() ctx := req.Context()
requestInfo, found := genericapirequest.RequestInfoFrom(ctx) requestInfo, found := genericapirequest.RequestInfoFrom(ctx)
if !found { if !found {
@ -127,3 +153,15 @@ func audiencesAreAcceptable(apiAuds, responseAudiences authenticator.Audiences)
return len(apiAuds.Intersect(responseAudiences)) > 0 return len(apiAuds.Intersect(responseAudiences)) > 0
} }
func isAnonymousUser(u user.Info) bool {
if u.GetName() == user.Anonymous {
return true
}
for _, group := range u.GetGroups() {
if group == user.AllUnauthenticated {
return true
}
}
return false
}

View File

@ -182,6 +182,24 @@ const (
// Enables server-side field validation. // Enables server-side field validation.
ServerSideFieldValidation featuregate.Feature = "ServerSideFieldValidation" ServerSideFieldValidation featuregate.Feature = "ServerSideFieldValidation"
// owner: @enj
// beta: v1.29
//
// Enables http2 DOS mitigations for unauthenticated clients.
//
// Some known reasons to disable these mitigations:
//
// An API server that is fronted by an L7 load balancer that is set up
// to mitigate http2 attacks may opt to disable this protection to prevent
// unauthenticated clients from disabling connection reuse between the load
// balancer and the API server (many incoming connections could share the
// same backend connection).
//
// An API server that is on a private network may opt to disable this
// protection to prevent performance regressions for unauthenticated
// clients.
UnauthenticatedHTTP2DOSMitigation featuregate.Feature = "UnauthenticatedHTTP2DOSMitigation"
// owner: @caesarxuchao @roycaihw // owner: @caesarxuchao @roycaihw
// alpha: v1.20 // alpha: v1.20
// //
@ -276,6 +294,8 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
StorageVersionHash: {Default: true, PreRelease: featuregate.Beta}, StorageVersionHash: {Default: true, PreRelease: featuregate.Beta},
UnauthenticatedHTTP2DOSMitigation: {Default: false, PreRelease: featuregate.Beta},
WatchBookmark: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, WatchBookmark: {Default: true, PreRelease: featuregate.GA, LockToDefault: true},
InPlacePodVerticalScaling: {Default: false, PreRelease: featuregate.Alpha}, InPlacePodVerticalScaling: {Default: false, PreRelease: featuregate.Alpha},

View File

@ -43,12 +43,13 @@ import (
"k8s.io/apiserver/pkg/apis/config/validation" "k8s.io/apiserver/pkg/apis/config/validation"
"k8s.io/apiserver/pkg/features" "k8s.io/apiserver/pkg/features"
"k8s.io/apiserver/pkg/server/healthz" "k8s.io/apiserver/pkg/server/healthz"
"k8s.io/apiserver/pkg/server/options/encryptionconfig/metrics"
storagevalue "k8s.io/apiserver/pkg/storage/value" storagevalue "k8s.io/apiserver/pkg/storage/value"
aestransformer "k8s.io/apiserver/pkg/storage/value/encrypt/aes" aestransformer "k8s.io/apiserver/pkg/storage/value/encrypt/aes"
"k8s.io/apiserver/pkg/storage/value/encrypt/envelope" "k8s.io/apiserver/pkg/storage/value/encrypt/envelope"
envelopekmsv2 "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2" envelopekmsv2 "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2"
kmstypes "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/v2" kmstypes "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/v2"
"k8s.io/apiserver/pkg/storage/value/encrypt/envelope/metrics" envelopemetrics "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/metrics"
"k8s.io/apiserver/pkg/storage/value/encrypt/identity" "k8s.io/apiserver/pkg/storage/value/encrypt/identity"
"k8s.io/apiserver/pkg/storage/value/encrypt/secretbox" "k8s.io/apiserver/pkg/storage/value/encrypt/secretbox"
utilfeature "k8s.io/apiserver/pkg/util/feature" utilfeature "k8s.io/apiserver/pkg/util/feature"
@ -104,6 +105,12 @@ const (
kmsReloadHealthCheckName = "kms-providers" kmsReloadHealthCheckName = "kms-providers"
) )
func init() {
metrics.RegisterMetrics()
storagevalue.RegisterMetrics()
envelopemetrics.RegisterMetrics()
}
type kmsPluginHealthzResponse struct { type kmsPluginHealthzResponse struct {
err error err error
received time.Time received time.Time
@ -445,10 +452,10 @@ func (h *kmsv2PluginProbe) isKMSv2ProviderHealthyAndMaybeRotateDEK(ctx context.C
} }
if errCode, err := envelopekmsv2.ValidateKeyID(response.KeyID); err != nil { if errCode, err := envelopekmsv2.ValidateKeyID(response.KeyID); err != nil {
metrics.RecordInvalidKeyIDFromStatus(h.name, string(errCode)) envelopemetrics.RecordInvalidKeyIDFromStatus(h.name, string(errCode))
errs = append(errs, fmt.Errorf("got invalid KMSv2 KeyID hash %q: %w", envelopekmsv2.GetHashIfNotEmpty(response.KeyID), err)) errs = append(errs, fmt.Errorf("got invalid KMSv2 KeyID hash %q: %w", envelopekmsv2.GetHashIfNotEmpty(response.KeyID), err))
} else { } else {
metrics.RecordKeyIDFromStatus(h.name, response.KeyID) envelopemetrics.RecordKeyIDFromStatus(h.name, response.KeyID)
// unconditionally append as we filter out nil errors below // unconditionally append as we filter out nil errors below
errs = append(errs, h.rotateDEKOnKeyIDChange(ctx, response.KeyID, string(uuid.NewUUID()))) errs = append(errs, h.rotateDEKOnKeyIDChange(ctx, response.KeyID, string(uuid.NewUUID())))
} }

View File

@ -189,7 +189,10 @@ func (s *SecureServingInfo) Serve(handler http.Handler, shutdownTimeout time.Dur
if s.HTTP2MaxStreamsPerConnection > 0 { if s.HTTP2MaxStreamsPerConnection > 0 {
http2Options.MaxConcurrentStreams = uint32(s.HTTP2MaxStreamsPerConnection) http2Options.MaxConcurrentStreams = uint32(s.HTTP2MaxStreamsPerConnection)
} else { } else {
http2Options.MaxConcurrentStreams = 250 // match http2.initialMaxConcurrentStreams used by clients
// this makes it so that a malicious client can only open 400 streams before we forcibly close the connection
// https://github.com/golang/net/commit/b225e7ca6dde1ef5a5ae5ce922861bda011cfabd
http2Options.MaxConcurrentStreams = 100
} }
// increase the connection buffer size from the 1MB default to handle the specified number of concurrent streams // increase the connection buffer size from the 1MB default to handle the specified number of concurrent streams

View File

@ -157,10 +157,10 @@ func newETCD3Check(c storagebackend.Config, timeout time.Duration, stopCh <-chan
var prober *etcd3ProberMonitor var prober *etcd3ProberMonitor
clientErr := fmt.Errorf("etcd client connection not yet established") clientErr := fmt.Errorf("etcd client connection not yet established")
go wait.PollUntil(time.Second, func() (bool, error) { go wait.PollImmediateUntil(time.Second, func() (bool, error) {
newProber, err := newETCD3ProberMonitor(c)
lock.Lock() lock.Lock()
defer lock.Unlock() defer lock.Unlock()
newProber, err := newETCD3ProberMonitor(c)
// Ensure that server is already not shutting down. // Ensure that server is already not shutting down.
select { select {
case <-stopCh: case <-stopCh:

View File

@ -1210,6 +1210,8 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
genericfeatures.ServerSideFieldValidation: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.29 genericfeatures.ServerSideFieldValidation: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.29
genericfeatures.UnauthenticatedHTTP2DOSMitigation: {Default: false, PreRelease: featuregate.Beta},
// inherited features from apiextensions-apiserver, relisted here to get a conflict if it is changed // inherited features from apiextensions-apiserver, relisted here to get a conflict if it is changed
// unintentionally on either side: // unintentionally on either side:

View File

@ -581,10 +581,11 @@ func WaitForPodsResponding(ctx context.Context, c clientset.Interface, ns string
if err != nil { if err != nil {
// We may encounter errors here because of a race between the pod readiness and apiserver // We may encounter errors here because of a race between the pod readiness and apiserver
// proxy. So, we log the error and retry if this occurs. // proxy or because of temporary failures. The error gets wrapped for framework.HandleRetry.
return nil, fmt.Errorf("Controller %s: failed to Get from replica pod %s:\n%s\nPod status:\n%s", // Gomega+Ginkgo will handle logging.
return nil, fmt.Errorf("controller %s: failed to Get from replica pod %s:\n%w\nPod status:\n%s",
controllerName, pod.Name, controllerName, pod.Name,
format.Object(err, 1), format.Object(pod.Status, 1)) err, format.Object(pod.Status, 1))
} }
responses = append(responses, response{podName: pod.Name, response: string(body)}) responses = append(responses, response{podName: pod.Name, response: string(body)})
} }

84
vendor/modules.txt vendored
View File

@ -851,7 +851,7 @@ gopkg.in/yaml.v2
# gopkg.in/yaml.v3 v3.0.1 # gopkg.in/yaml.v3 v3.0.1
## explicit ## explicit
gopkg.in/yaml.v3 gopkg.in/yaml.v3
# k8s.io/api v0.28.2 => k8s.io/api v0.28.2 # k8s.io/api v0.28.3 => k8s.io/api v0.28.3
## explicit; go 1.20 ## explicit; go 1.20
k8s.io/api/admission/v1 k8s.io/api/admission/v1
k8s.io/api/admission/v1beta1 k8s.io/api/admission/v1beta1
@ -907,12 +907,12 @@ k8s.io/api/scheduling/v1beta1
k8s.io/api/storage/v1 k8s.io/api/storage/v1
k8s.io/api/storage/v1alpha1 k8s.io/api/storage/v1alpha1
k8s.io/api/storage/v1beta1 k8s.io/api/storage/v1beta1
# k8s.io/apiextensions-apiserver v0.28.0 => k8s.io/apiextensions-apiserver v0.28.2 # k8s.io/apiextensions-apiserver v0.28.3 => k8s.io/apiextensions-apiserver v0.28.3
## explicit; go 1.20 ## explicit; go 1.20
k8s.io/apiextensions-apiserver/pkg/apis/apiextensions k8s.io/apiextensions-apiserver/pkg/apis/apiextensions
k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1 k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1
k8s.io/apiextensions-apiserver/pkg/features k8s.io/apiextensions-apiserver/pkg/features
# k8s.io/apimachinery v0.28.2 => k8s.io/apimachinery v0.28.2 # k8s.io/apimachinery v0.28.3 => k8s.io/apimachinery v0.28.3
## explicit; go 1.20 ## explicit; go 1.20
k8s.io/apimachinery/pkg/api/equality k8s.io/apimachinery/pkg/api/equality
k8s.io/apimachinery/pkg/api/errors k8s.io/apimachinery/pkg/api/errors
@ -974,7 +974,7 @@ k8s.io/apimachinery/pkg/watch
k8s.io/apimachinery/third_party/forked/golang/json k8s.io/apimachinery/third_party/forked/golang/json
k8s.io/apimachinery/third_party/forked/golang/netutil k8s.io/apimachinery/third_party/forked/golang/netutil
k8s.io/apimachinery/third_party/forked/golang/reflect k8s.io/apimachinery/third_party/forked/golang/reflect
# k8s.io/apiserver v0.28.2 => k8s.io/apiserver v0.28.2 # k8s.io/apiserver v0.28.3 => k8s.io/apiserver v0.28.3
## explicit; go 1.20 ## explicit; go 1.20
k8s.io/apiserver/pkg/admission k8s.io/apiserver/pkg/admission
k8s.io/apiserver/pkg/admission/cel k8s.io/apiserver/pkg/admission/cel
@ -1119,7 +1119,7 @@ k8s.io/apiserver/plugin/pkg/audit/truncate
k8s.io/apiserver/plugin/pkg/audit/webhook k8s.io/apiserver/plugin/pkg/audit/webhook
k8s.io/apiserver/plugin/pkg/authenticator/token/webhook k8s.io/apiserver/plugin/pkg/authenticator/token/webhook
k8s.io/apiserver/plugin/pkg/authorizer/webhook k8s.io/apiserver/plugin/pkg/authorizer/webhook
# k8s.io/client-go v12.0.0+incompatible => k8s.io/client-go v0.28.2 # k8s.io/client-go v12.0.0+incompatible => k8s.io/client-go v0.28.3
## explicit; go 1.20 ## explicit; go 1.20
k8s.io/client-go/applyconfigurations/admissionregistration/v1 k8s.io/client-go/applyconfigurations/admissionregistration/v1
k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1 k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1
@ -1388,7 +1388,7 @@ k8s.io/client-go/util/homedir
k8s.io/client-go/util/keyutil k8s.io/client-go/util/keyutil
k8s.io/client-go/util/retry k8s.io/client-go/util/retry
k8s.io/client-go/util/workqueue k8s.io/client-go/util/workqueue
# k8s.io/cloud-provider v0.28.2 => k8s.io/cloud-provider v0.28.2 # k8s.io/cloud-provider v0.28.3 => k8s.io/cloud-provider v0.28.3
## explicit; go 1.20 ## explicit; go 1.20
k8s.io/cloud-provider k8s.io/cloud-provider
k8s.io/cloud-provider/app/config k8s.io/cloud-provider/app/config
@ -1403,7 +1403,7 @@ k8s.io/cloud-provider/names
k8s.io/cloud-provider/options k8s.io/cloud-provider/options
k8s.io/cloud-provider/volume k8s.io/cloud-provider/volume
k8s.io/cloud-provider/volume/helpers k8s.io/cloud-provider/volume/helpers
# k8s.io/component-base v0.28.2 => k8s.io/component-base v0.28.2 # k8s.io/component-base v0.28.3 => k8s.io/component-base v0.28.3
## explicit; go 1.20 ## explicit; go 1.20
k8s.io/component-base/cli/flag k8s.io/component-base/cli/flag
k8s.io/component-base/config k8s.io/component-base/config
@ -1425,12 +1425,12 @@ k8s.io/component-base/metrics/testutil
k8s.io/component-base/tracing k8s.io/component-base/tracing
k8s.io/component-base/tracing/api/v1 k8s.io/component-base/tracing/api/v1
k8s.io/component-base/version k8s.io/component-base/version
# k8s.io/component-helpers v0.28.2 => k8s.io/component-helpers v0.28.2 # k8s.io/component-helpers v0.28.3 => k8s.io/component-helpers v0.28.3
## explicit; go 1.20 ## explicit; go 1.20
k8s.io/component-helpers/scheduling/corev1 k8s.io/component-helpers/scheduling/corev1
k8s.io/component-helpers/scheduling/corev1/nodeaffinity k8s.io/component-helpers/scheduling/corev1/nodeaffinity
k8s.io/component-helpers/storage/volume k8s.io/component-helpers/storage/volume
# k8s.io/controller-manager v0.28.2 => k8s.io/controller-manager v0.28.2 # k8s.io/controller-manager v0.28.3 => k8s.io/controller-manager v0.28.3
## explicit; go 1.20 ## explicit; go 1.20
k8s.io/controller-manager/config k8s.io/controller-manager/config
k8s.io/controller-manager/config/v1 k8s.io/controller-manager/config/v1
@ -1450,7 +1450,7 @@ k8s.io/klog/v2/internal/clock
k8s.io/klog/v2/internal/dbg k8s.io/klog/v2/internal/dbg
k8s.io/klog/v2/internal/serialize k8s.io/klog/v2/internal/serialize
k8s.io/klog/v2/internal/severity k8s.io/klog/v2/internal/severity
# k8s.io/kms v0.28.2 # k8s.io/kms v0.28.3
## explicit; go 1.20 ## explicit; go 1.20
k8s.io/kms/apis/v1beta1 k8s.io/kms/apis/v1beta1
k8s.io/kms/apis/v2 k8s.io/kms/apis/v2
@ -1478,15 +1478,15 @@ k8s.io/kube-openapi/pkg/validation/errors
k8s.io/kube-openapi/pkg/validation/spec k8s.io/kube-openapi/pkg/validation/spec
k8s.io/kube-openapi/pkg/validation/strfmt k8s.io/kube-openapi/pkg/validation/strfmt
k8s.io/kube-openapi/pkg/validation/strfmt/bson k8s.io/kube-openapi/pkg/validation/strfmt/bson
# k8s.io/kubectl v0.0.0 => k8s.io/kubectl v0.28.2 # k8s.io/kubectl v0.0.0 => k8s.io/kubectl v0.28.3
## explicit; go 1.20 ## explicit; go 1.20
k8s.io/kubectl/pkg/scale k8s.io/kubectl/pkg/scale
k8s.io/kubectl/pkg/util/podutils k8s.io/kubectl/pkg/util/podutils
# k8s.io/kubelet v0.0.0 => k8s.io/kubelet v0.28.2 # k8s.io/kubelet v0.0.0 => k8s.io/kubelet v0.28.3
## explicit; go 1.20 ## explicit; go 1.20
k8s.io/kubelet/pkg/apis k8s.io/kubelet/pkg/apis
k8s.io/kubelet/pkg/apis/stats/v1alpha1 k8s.io/kubelet/pkg/apis/stats/v1alpha1
# k8s.io/kubernetes v1.28.2 # k8s.io/kubernetes v1.28.3
## explicit; go 1.20 ## explicit; go 1.20
k8s.io/kubernetes/pkg/api/legacyscheme k8s.io/kubernetes/pkg/api/legacyscheme
k8s.io/kubernetes/pkg/api/service k8s.io/kubernetes/pkg/api/service
@ -1549,10 +1549,10 @@ k8s.io/kubernetes/test/utils
k8s.io/kubernetes/test/utils/format k8s.io/kubernetes/test/utils/format
k8s.io/kubernetes/test/utils/image k8s.io/kubernetes/test/utils/image
k8s.io/kubernetes/test/utils/kubeconfig k8s.io/kubernetes/test/utils/kubeconfig
# k8s.io/mount-utils v0.28.2 => k8s.io/mount-utils v0.28.2 # k8s.io/mount-utils v0.28.3 => k8s.io/mount-utils v0.28.3
## explicit; go 1.20 ## explicit; go 1.20
k8s.io/mount-utils k8s.io/mount-utils
# k8s.io/pod-security-admission v0.0.0 => k8s.io/pod-security-admission v0.28.2 # k8s.io/pod-security-admission v0.0.0 => k8s.io/pod-security-admission v0.28.3
## explicit; go 1.20 ## explicit; go 1.20
k8s.io/pod-security-admission/api k8s.io/pod-security-admission/api
k8s.io/pod-security-admission/policy k8s.io/pod-security-admission/policy
@ -1637,31 +1637,31 @@ sigs.k8s.io/yaml
# github.com/ceph/ceph-csi/api => ./api # github.com/ceph/ceph-csi/api => ./api
# github.com/portworx/sched-ops => github.com/portworx/sched-ops v0.20.4-openstorage-rc3 # github.com/portworx/sched-ops => github.com/portworx/sched-ops v0.20.4-openstorage-rc3
# gomodules.xyz/jsonpatch/v2 => github.com/gomodules/jsonpatch/v2 v2.2.0 # gomodules.xyz/jsonpatch/v2 => github.com/gomodules/jsonpatch/v2 v2.2.0
# k8s.io/api => k8s.io/api v0.28.2 # k8s.io/api => k8s.io/api v0.28.3
# k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.28.2 # k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.28.3
# k8s.io/apimachinery => k8s.io/apimachinery v0.28.2 # k8s.io/apimachinery => k8s.io/apimachinery v0.28.3
# k8s.io/apiserver => k8s.io/apiserver v0.28.2 # k8s.io/apiserver => k8s.io/apiserver v0.28.3
# k8s.io/cli-runtime => k8s.io/cli-runtime v0.28.2 # k8s.io/cli-runtime => k8s.io/cli-runtime v0.28.3
# k8s.io/client-go => k8s.io/client-go v0.28.2 # k8s.io/client-go => k8s.io/client-go v0.28.3
# k8s.io/cloud-provider => k8s.io/cloud-provider v0.28.2 # k8s.io/cloud-provider => k8s.io/cloud-provider v0.28.3
# k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.28.2 # k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.28.3
# k8s.io/code-generator => k8s.io/code-generator v0.28.2 # k8s.io/code-generator => k8s.io/code-generator v0.28.3
# k8s.io/component-base => k8s.io/component-base v0.28.2 # k8s.io/component-base => k8s.io/component-base v0.28.3
# k8s.io/component-helpers => k8s.io/component-helpers v0.28.2 # k8s.io/component-helpers => k8s.io/component-helpers v0.28.3
# k8s.io/controller-manager => k8s.io/controller-manager v0.28.2 # k8s.io/controller-manager => k8s.io/controller-manager v0.28.3
# k8s.io/cri-api => k8s.io/cri-api v0.28.2 # k8s.io/cri-api => k8s.io/cri-api v0.28.3
# k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.28.2 # k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.28.3
# k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.28.2 # k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.28.3
# k8s.io/endpointslice => k8s.io/endpointslice v0.28.2 # k8s.io/endpointslice => k8s.io/endpointslice v0.28.3
# k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.28.2 # k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.28.3
# k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.28.2 # k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.28.3
# k8s.io/kube-proxy => k8s.io/kube-proxy v0.28.2 # k8s.io/kube-proxy => k8s.io/kube-proxy v0.28.3
# k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.28.2 # k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.28.3
# k8s.io/kubectl => k8s.io/kubectl v0.28.2 # k8s.io/kubectl => k8s.io/kubectl v0.28.3
# k8s.io/kubelet => k8s.io/kubelet v0.28.2 # k8s.io/kubelet => k8s.io/kubelet v0.28.3
# k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.28.2 # k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.28.3
# k8s.io/metrics => k8s.io/metrics v0.28.2 # k8s.io/metrics => k8s.io/metrics v0.28.3
# k8s.io/mount-utils => k8s.io/mount-utils v0.28.2 # k8s.io/mount-utils => k8s.io/mount-utils v0.28.3
# k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.28.2 # k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.28.3
# k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.28.2 # k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.28.3
# layeh.com/radius => github.com/layeh/radius v0.0.0-20190322222518-890bc1058917 # layeh.com/radius => github.com/layeh/radius v0.0.0-20190322222518-890bc1058917