rebase: update kubernetes dep to 1.24.0

As kubernetes 1.24.0 is released, updating kubernetes dependencies to 1.24.0 updates: #3086 Signed-off-by: Madhu Rajanna <madhupr007@gmail.com>
2025-06-13 02:33:34 +00:00 · 2022-05-05 08:17:06 +05:30
parent fc1529f268
commit c4f79d455f
959 changed files with 80055 additions and 27456 deletions
--- a/vendor/k8s.io/apiserver/pkg/util/webhook/client.go
+++ b/vendor/k8s.io/apiserver/pkg/util/webhook/client.go
@ -148,8 +148,11 @@ func (cm *ClientManager) HookClient(cc ClientConfig) (*rest.RESTClient, error) {
 		cfg.ContentConfig.ContentType = runtime.ContentTypeJSON

 		// Add a transport wrapper that allows detection of TLS connections to
-		// servers without SAN extension in their serving certificates
-		cfg.Wrap(x509metrics.NewMissingSANRoundTripperWrapperConstructor(x509MissingSANCounter))
+		// servers with serving certificates with deprecated characteristics
+		cfg.Wrap(x509metrics.NewDeprecatedCertificateRoundTripperWrapperConstructor(
+			x509MissingSANCounter,
+			x509InsecureSHA1Counter,
+		))

 		client, err := rest.UnversionedRESTClientFor(cfg)
 		if err == nil {
--- a/vendor/k8s.io/apiserver/pkg/util/webhook/gencerts.sh
+++ b/vendor/k8s.io/apiserver/pkg/util/webhook/gencerts.sh
@ -23,6 +23,14 @@ set -e

 CN_BASE="webhook_tests"

+cat > intermediate_ca.conf << EOF
+[ v3_ca ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+basicConstraints = critical,CA:true
+keyUsage = cRLSign, keyCertSign
+EOF
+
 cat > server.conf << EOF
 [req]
 req_extensions = v3_req
@ -71,6 +79,15 @@ openssl req -x509 -new -nodes -key caKey.pem -days 100000 -out caCert.pem -subj
 openssl genrsa -out badCAKey.pem 2048
 openssl req -x509 -new -nodes -key badCAKey.pem -days 100000 -out badCACert.pem -subj "/CN=${CN_BASE}_ca"

+# Create an intermediate certificate authority
+openssl genrsa -out caKeyInter.pem 2048
+openssl req -new -nodes -key caKeyInter.pem -days 100000 -out caCertInter.csr -subj "/CN=${CN_BASE}_intermediate_ca"
+openssl x509 -req -in caCertInter.csr -CA caCert.pem -CAkey caKey.pem -CAcreateserial -out caCertInter.pem -days 100000 -extensions v3_ca -extfile intermediate_ca.conf
+
+# Create an intermediate certificate authority with sha1 signature
+openssl req -new -nodes -key caKeyInter.pem -days 100000 -out caCertInterSHA1.csr -subj "/CN=${CN_BASE}_intermediate_ca"
+openssl x509 -sha1 -req -in caCertInterSHA1.csr -CA caCert.pem -CAkey caKey.pem -CAcreateserial -out caCertInterSHA1.pem -days 100000 -extensions v3_ca -extfile intermediate_ca.conf
+
 # Create a server certiticate
 openssl genrsa -out serverKey.pem 2048
 openssl req -new -key serverKey.pem -out server.csr -subj "/CN=${CN_BASE}_server" -config server.conf
@ -80,6 +97,14 @@ openssl x509 -req -in server.csr -CA caCert.pem -CAkey caKey.pem -CAcreateserial
 openssl req -new -key serverKey.pem -out serverNoSAN.csr -subj "/CN=localhost" -config server_no_san.conf
 openssl x509 -req -in serverNoSAN.csr -CA caCert.pem -CAkey caKey.pem -CAcreateserial -out serverCertNoSAN.pem -days 100000 -extensions v3_req -extfile server_no_san.conf

+# Create a server certiticate with SHA1 signature signed by OK intermediate CA
+openssl req -new -key serverKey.pem -out serverSHA1.csr -subj "/CN=localhost" -config server.conf
+openssl x509 -sha1 -req -in serverSHA1.csr -CA caCertInter.pem -CAkey caKeyInter.pem -CAcreateserial -out sha1ServerCertInter.pem -days 100000 -extensions v3_req -extfile server.conf
+
+# Create a server certiticate signed by SHA1-signed intermediate CA
+openssl req -new -key serverKey.pem -out serverInterSHA1.csr -subj "/CN=localhost" -config server.conf
+openssl x509 -req -in serverInterSHA1.csr -CA caCertInterSHA1.pem -CAkey caKeyInter.pem -CAcreateserial -out serverCertInterSHA1.pem -days 100000 -extensions v3_req -extfile server.conf
+
 # Create a client certiticate
 openssl genrsa -out clientKey.pem 2048
 openssl req -new -key clientKey.pem -out client.csr -subj "/CN=${CN_BASE}_client" -config client.conf
@ -110,7 +135,7 @@ limitations under the License.
 package webhook
 EOF

-for file in caKey caCert badCAKey badCACert serverKey serverCert serverCertNoSAN clientKey clientCert; do
+for file in caKey caCert badCAKey badCACert caCertInter caCertInterSHA1 serverKey serverCert serverCertNoSAN clientKey clientCert sha1ServerCertInter serverCertInterSHA1; do
 	data=$(cat ${file}.pem)
 	echo "" >> $outfile
 	echo "var $file = []byte(\`$data\`)" >> $outfile
--- a/vendor/k8s.io/apiserver/pkg/util/webhook/metrics.go
+++ b/vendor/k8s.io/apiserver/pkg/util/webhook/metrics.go
@ -34,6 +34,19 @@ var x509MissingSANCounter = metrics.NewCounter(
 	},
 )

+var x509InsecureSHA1Counter = metrics.NewCounter(
+	&metrics.CounterOpts{
+		Subsystem: "webhooks",
+		Namespace: "apiserver",
+		Name:      "x509_insecure_sha1_total",
+		Help: "Counts the number of requests to servers with insecure SHA1 signatures " +
+			"in their serving certificate OR the number of connection failures " +
+			"due to the insecure SHA1 signatures (either/or, based on the runtime environment)",
+		StabilityLevel: metrics.ALPHA,
+	},
+)
+
 func init() {
 	legacyregistry.MustRegister(x509MissingSANCounter)
+	legacyregistry.MustRegister(x509InsecureSHA1Counter)
 }
--- a/vendor/k8s.io/apiserver/pkg/util/webhook/webhook.go
+++ b/vendor/k8s.io/apiserver/pkg/util/webhook/webhook.go
@ -72,43 +72,23 @@ func DefaultShouldRetry(err error) bool {
 	return false
 }

-// NewGenericWebhook creates a new GenericWebhook from the provided kubeconfig file.
-func NewGenericWebhook(scheme *runtime.Scheme, codecFactory serializer.CodecFactory, kubeConfigFile string, groupVersions []schema.GroupVersion, retryBackoff wait.Backoff, customDial utilnet.DialFunc) (*GenericWebhook, error) {
-	return newGenericWebhook(scheme, codecFactory, kubeConfigFile, groupVersions, retryBackoff, defaultRequestTimeout, customDial)
-}
-
-func newGenericWebhook(scheme *runtime.Scheme, codecFactory serializer.CodecFactory, kubeConfigFile string, groupVersions []schema.GroupVersion, retryBackoff wait.Backoff, requestTimeout time.Duration, customDial utilnet.DialFunc) (*GenericWebhook, error) {
+// NewGenericWebhook creates a new GenericWebhook from the provided rest.Config.
+func NewGenericWebhook(scheme *runtime.Scheme, codecFactory serializer.CodecFactory, config *rest.Config, groupVersions []schema.GroupVersion, retryBackoff wait.Backoff) (*GenericWebhook, error) {
 	for _, groupVersion := range groupVersions {
 		if !scheme.IsVersionRegistered(groupVersion) {
 			return nil, fmt.Errorf("webhook plugin requires enabling extension resource: %s", groupVersion)
 		}
 	}

-	loadingRules := clientcmd.NewDefaultClientConfigLoadingRules()
-	loadingRules.ExplicitPath = kubeConfigFile
-	loader := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(loadingRules, &clientcmd.ConfigOverrides{})
-
-	clientConfig, err := loader.ClientConfig()
-	if err != nil {
-		return nil, err
-	}
-
-	// Kubeconfigs can't set a timeout, this can only be set through a command line flag.
-	//
-	// https://github.com/kubernetes/client-go/blob/master/tools/clientcmd/overrides.go
-	//
-	// Set this to something reasonable so request to webhooks don't hang forever.
-	clientConfig.Timeout = requestTimeout
-
-	// Avoid client-side rate limiting talking to the webhook backend.
-	// Rate limiting should happen when deciding how many requests to serve.
-	clientConfig.QPS = -1
+	clientConfig := rest.CopyConfig(config)

 	codec := codecFactory.LegacyCodec(groupVersions...)
 	clientConfig.ContentConfig.NegotiatedSerializer = serializer.NegotiatedSerializerWrapper(runtime.SerializerInfo{Serializer: codec})

-	clientConfig.Dial = customDial
-	clientConfig.Wrap(x509metrics.NewMissingSANRoundTripperWrapperConstructor(x509MissingSANCounter))
+	clientConfig.Wrap(x509metrics.NewDeprecatedCertificateRoundTripperWrapperConstructor(
+		x509MissingSANCounter,
+		x509InsecureSHA1Counter,
+	))

 	restClient, err := rest.UnversionedRESTClientFor(clientConfig)
 	if err != nil {
@ -162,3 +142,29 @@ func WithExponentialBackoff(ctx context.Context, retryBackoff wait.Backoff, webh
 		return nil
 	}
 }
+
+func LoadKubeconfig(kubeConfigFile string, customDial utilnet.DialFunc) (*rest.Config, error) {
+	loadingRules := clientcmd.NewDefaultClientConfigLoadingRules()
+	loadingRules.ExplicitPath = kubeConfigFile
+	loader := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(loadingRules, &clientcmd.ConfigOverrides{})
+
+	clientConfig, err := loader.ClientConfig()
+	if err != nil {
+		return nil, err
+	}
+
+	clientConfig.Dial = customDial
+
+	// Kubeconfigs can't set a timeout, this can only be set through a command line flag.
+	//
+	// https://github.com/kubernetes/client-go/blob/master/tools/clientcmd/overrides.go
+	//
+	// Set this to something reasonable so request to webhooks don't hang forever.
+	clientConfig.Timeout = defaultRequestTimeout
+
+	// Avoid client-side rate limiting talking to the webhook backend.
+	// Rate limiting should happen when deciding how many requests to serve.
+	clientConfig.QPS = -1
+
+	return clientConfig, nil
+}
--- a/vendor/k8s.io/apiserver/pkg/util/x509metrics/missing_san.go
+++ b/vendor/k8s.io/apiserver/pkg/util/x509metrics/missing_san.go
@ -1,92 +0,0 @@
-/*
-Copyright 2020 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package x509metrics
-
-import (
-	"crypto/x509"
-	"errors"
-	"net/http"
-	"strings"
-
-	utilnet "k8s.io/apimachinery/pkg/util/net"
-	"k8s.io/component-base/metrics"
-)
-
-var _ utilnet.RoundTripperWrapper = &x509MissingSANErrorMetricsRTWrapper{}
-
-type x509MissingSANErrorMetricsRTWrapper struct {
-	rt http.RoundTripper
-
-	counter *metrics.Counter
-}
-
-// NewMissingSANRoundTripperWrapperConstructor returns a RoundTripper wrapper that's usable
-// within ClientConfig.Wrap that increases the `metricCounter` whenever:
-// 1. we get a x509.HostnameError with string `x509: certificate relies on legacy Common Name field`
-//    which indicates an error caused by the deprecation of Common Name field when veryfing remote
-//    hostname
-// 2. the server certificate in response contains no SAN. This indicates that this binary run
-//    with the GODEBUG=x509ignoreCN=0 in env
-func NewMissingSANRoundTripperWrapperConstructor(metricCounter *metrics.Counter) func(rt http.RoundTripper) http.RoundTripper {
-	return func(rt http.RoundTripper) http.RoundTripper {
-		return &x509MissingSANErrorMetricsRTWrapper{
-			rt:      rt,
-			counter: metricCounter,
-		}
-	}
-}
-
-func (w *x509MissingSANErrorMetricsRTWrapper) RoundTrip(req *http.Request) (*http.Response, error) {
-	resp, err := w.rt.RoundTrip(req)
-	checkForHostnameError(err, w.counter)
-	checkRespForNoSAN(resp, w.counter)
-	return resp, err
-}
-
-func (w *x509MissingSANErrorMetricsRTWrapper) WrappedRoundTripper() http.RoundTripper {
-	return w.rt
-}
-
-// checkForHostnameError increases the metricCounter when we're running w/o GODEBUG=x509ignoreCN=0
-// and the client reports a HostnameError about the legacy CN fields
-func checkForHostnameError(err error, metricCounter *metrics.Counter) {
-	if err != nil && errors.As(err, &x509.HostnameError{}) && strings.Contains(err.Error(), "x509: certificate relies on legacy Common Name field") {
-		// increase the count of registered failures due to Go 1.15 x509 cert Common Name deprecation
-		metricCounter.Inc()
-	}
-}
-
-// checkRespForNoSAN increases the metricCounter when the server response contains
-// a leaf certificate w/o the SAN extension
-func checkRespForNoSAN(resp *http.Response, metricCounter *metrics.Counter) {
-	if resp != nil && resp.TLS != nil && len(resp.TLS.PeerCertificates) > 0 {
-		if serverCert := resp.TLS.PeerCertificates[0]; !hasSAN(serverCert) {
-			metricCounter.Inc()
-		}
-	}
-}
-
-func hasSAN(c *x509.Certificate) bool {
-	sanOID := []int{2, 5, 29, 17}
-
-	for _, e := range c.Extensions {
-		if e.Id.Equal(sanOID) {
-			return true
-		}
-	}
-	return false
-}
--- a/vendor/k8s.io/apiserver/pkg/util/x509metrics/server_cert_deprecations.go
+++ b/vendor/k8s.io/apiserver/pkg/util/x509metrics/server_cert_deprecations.go
@ -0,0 +1,225 @@
+/*
+Copyright 2020 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package x509metrics
+
+import (
+	"crypto/x509"
+	"errors"
+	"fmt"
+	"net/http"
+	"reflect"
+	"strings"
+
+	utilnet "k8s.io/apimachinery/pkg/util/net"
+	"k8s.io/apiserver/pkg/audit"
+	"k8s.io/component-base/metrics"
+	"k8s.io/klog/v2"
+)
+
+var _ utilnet.RoundTripperWrapper = &x509DeprecatedCertificateMetricsRTWrapper{}
+
+type x509DeprecatedCertificateMetricsRTWrapper struct {
+	rt http.RoundTripper
+
+	checkers []deprecatedCertificateAttributeChecker
+}
+
+type deprecatedCertificateAttributeChecker interface {
+	// CheckRoundTripError returns true if the err is an error specific
+	// to this deprecated certificate attribute
+	CheckRoundTripError(err error) bool
+	// CheckPeerCertificates returns true if the deprecated attribute/value pair
+	// was found in a given certificate in the http.Response.TLS.PeerCertificates bundle
+	CheckPeerCertificates(certs []*x509.Certificate) bool
+	// IncreaseCounter increases the counter internal to this interface
+	// Use the req to derive and log information useful for troubleshooting the certificate issue
+	IncreaseMetricsCounter(req *http.Request)
+}
+
+// counterRaiser is a helper structure to include in certificate deprecation checkers.
+// It implements the IncreaseMetricsCounter() method so that, when included in the checker,
+// it does not have to be reimplemented.
+type counterRaiser struct {
+	counter *metrics.Counter
+	// programmatic id used in log and audit annotations prefixes
+	id string
+	// human readable explanation
+	reason string
+}
+
+func (c *counterRaiser) IncreaseMetricsCounter(req *http.Request) {
+	if req != nil && req.URL != nil {
+		if hostname := req.URL.Hostname(); len(hostname) > 0 {
+			prefix := fmt.Sprintf("%s.invalid-cert.kubernetes.io", c.id)
+			klog.Infof("%s: invalid certificate detected connecting to %q: %s", prefix, hostname, c.reason)
+			audit.AddAuditAnnotation(req.Context(), prefix+"/"+hostname, c.reason)
+		}
+	}
+	c.counter.Inc()
+}
+
+// NewDeprecatedCertificateRoundTripperWrapperConstructor returns a RoundTripper wrapper that's usable within ClientConfig.Wrap.
+//
+// It increases the `missingSAN` counter whenever:
+// 1. we get a x509.HostnameError with string `x509: certificate relies on legacy Common Name field`
+//    which indicates an error caused by the deprecation of Common Name field when veryfing remote
+//    hostname
+// 2. the server certificate in response contains no SAN. This indicates that this binary run
+//    with the GODEBUG=x509ignoreCN=0 in env
+//
+// It increases the `sha1` counter whenever:
+// 1. we get a x509.InsecureAlgorithmError with string `SHA1`
+//    which indicates an error caused by an insecure SHA1 signature
+// 2. the server certificate in response contains a SHA1WithRSA or ECDSAWithSHA1 signature.
+//    This indicates that this binary run with the GODEBUG=x509sha1=1 in env
+func NewDeprecatedCertificateRoundTripperWrapperConstructor(missingSAN, sha1 *metrics.Counter) func(rt http.RoundTripper) http.RoundTripper {
+	return func(rt http.RoundTripper) http.RoundTripper {
+		return &x509DeprecatedCertificateMetricsRTWrapper{
+			rt: rt,
+			checkers: []deprecatedCertificateAttributeChecker{
+				NewSANDeprecatedChecker(missingSAN),
+				NewSHA1SignatureDeprecatedChecker(sha1),
+			},
+		}
+	}
+}
+
+func (w *x509DeprecatedCertificateMetricsRTWrapper) RoundTrip(req *http.Request) (*http.Response, error) {
+	resp, err := w.rt.RoundTrip(req)
+
+	if err != nil {
+		for _, checker := range w.checkers {
+			if checker.CheckRoundTripError(err) {
+				checker.IncreaseMetricsCounter(req)
+			}
+		}
+	} else if resp != nil {
+		if resp.TLS != nil && len(resp.TLS.PeerCertificates) > 0 {
+			for _, checker := range w.checkers {
+				if checker.CheckPeerCertificates(resp.TLS.PeerCertificates) {
+					checker.IncreaseMetricsCounter(req)
+				}
+			}
+		}
+	}
+
+	return resp, err
+}
+
+func (w *x509DeprecatedCertificateMetricsRTWrapper) WrappedRoundTripper() http.RoundTripper {
+	return w.rt
+}
+
+var _ deprecatedCertificateAttributeChecker = &missingSANChecker{}
+
+type missingSANChecker struct {
+	counterRaiser
+}
+
+func NewSANDeprecatedChecker(counter *metrics.Counter) *missingSANChecker {
+	return &missingSANChecker{
+		counterRaiser: counterRaiser{
+			counter: counter,
+			id:      "missing-san",
+			reason:  "relies on a legacy Common Name field instead of the SAN extension for subject validation",
+		},
+	}
+}
+
+// CheckRoundTripError returns true when we're running w/o GODEBUG=x509ignoreCN=0
+// and the client reports a HostnameError about the legacy CN fields
+func (c *missingSANChecker) CheckRoundTripError(err error) bool {
+	if err != nil && errors.As(err, &x509.HostnameError{}) && strings.Contains(err.Error(), "x509: certificate relies on legacy Common Name field") {
+		// increase the count of registered failures due to Go 1.15 x509 cert Common Name deprecation
+		return true
+	}
+
+	return false
+}
+
+// CheckPeerCertificates returns true when the server response contains
+// a leaf certificate w/o the SAN extension
+func (c *missingSANChecker) CheckPeerCertificates(peerCertificates []*x509.Certificate) bool {
+	if len(peerCertificates) > 0 {
+		if serverCert := peerCertificates[0]; !hasSAN(serverCert) {
+			return true
+		}
+	}
+
+	return false
+}
+
+func hasSAN(c *x509.Certificate) bool {
+	sanOID := []int{2, 5, 29, 17}
+
+	for _, e := range c.Extensions {
+		if e.Id.Equal(sanOID) {
+			return true
+		}
+	}
+	return false
+}
+
+type sha1SignatureChecker struct {
+	*counterRaiser
+}
+
+func NewSHA1SignatureDeprecatedChecker(counter *metrics.Counter) *sha1SignatureChecker {
+	return &sha1SignatureChecker{
+		counterRaiser: &counterRaiser{
+			counter: counter,
+			id:      "insecure-sha1",
+			reason:  "uses an insecure SHA-1 signature",
+		},
+	}
+}
+
+// CheckRoundTripError returns true when we're running w/o GODEBUG=x509sha1=1
+// and the client reports an InsecureAlgorithmError about a SHA1 signature
+func (c *sha1SignatureChecker) CheckRoundTripError(err error) bool {
+	var unknownAuthorityError x509.UnknownAuthorityError
+	if err == nil {
+		return false
+	}
+	if !errors.As(err, &unknownAuthorityError) {
+		return false
+	}
+
+	errMsg := err.Error()
+	if strIdx := strings.Index(errMsg, "x509: cannot verify signature: insecure algorithm"); strIdx != -1 && strings.Contains(errMsg[strIdx:], "SHA1") {
+		// increase the count of registered failures due to Go 1.18 x509 sha1 signature deprecation
+		return true
+	}
+
+	return false
+}
+
+// CheckPeerCertificates returns true when the server response contains
+// a non-root non-self-signed  certificate with a deprecated SHA1 signature
+func (c *sha1SignatureChecker) CheckPeerCertificates(peerCertificates []*x509.Certificate) bool {
+	// check all received non-self-signed certificates for deprecated signing algorithms
+	for _, cert := range peerCertificates {
+		if cert.SignatureAlgorithm == x509.SHA1WithRSA || cert.SignatureAlgorithm == x509.ECDSAWithSHA1 {
+			// the SHA-1 deprecation does not involve self-signed root certificates
+			if !reflect.DeepEqual(cert.Issuer, cert.Subject) {
+				return true
+			}
+		}
+	}
+
+	return false
+}