From 5922056a7544ca149d175478a0f59a8d2e3fa2a9 Mon Sep 17 00:00:00 2001 From: andyzhangx Date: Fri, 19 Jul 2024 09:00:51 +0000 Subject: [PATCH] fix: CVE-2024-5321 --- go.mod | 80 ++++----- go.sum | 64 +++---- .../pkg/storage/cacher/watch_cache.go | 10 +- .../pkg/storage/etcd3/metrics/metrics.go | 12 +- .../kubernetes/pkg/securitycontext/util.go | 3 +- .../pkg/util/filesystem/defaultfs.go | 5 +- .../pkg/util/filesystem/util_unix.go | 10 ++ .../pkg/util/filesystem/util_windows.go | 156 ++++++++++++++++++ .../k8s.io/kubernetes/pkg/volume/plugins.go | 2 +- .../test/e2e/storage/utils/create.go | 4 + .../storage-csi/external-attacher/rbac.yaml | 4 +- .../rbac.yaml | 4 +- .../external-provisioner/rbac.yaml | 14 +- .../storage-csi/external-resizer/rbac.yaml | 10 +- .../csi-snapshotter/rbac-csi-snapshotter.yaml | 20 ++- .../storage-csi/hostpath/README.md | 2 +- .../hostpath/csi-hostpath-driverinfo.yaml | 3 + .../hostpath/csi-hostpath-plugin.yaml | 20 ++- .../hostpath/csi-hostpath-testing.yaml | 6 +- .../mock/csi-mock-driver-attacher.yaml | 2 +- .../mock/csi-mock-driver-resizer.yaml | 2 +- .../mock/csi-mock-driver-snapshotter.yaml | 2 +- .../storage-csi/mock/csi-mock-driver.yaml | 6 +- .../storage-csi/mock/csi-mock-proxy.yaml | 6 +- .../storage-csi/update-hostpath.sh | 2 +- .../kubernetes/test/utils/image/manifest.go | 2 +- vendor/modules.txt | 88 +++++----- 27 files changed, 369 insertions(+), 170 deletions(-) diff --git a/go.mod b/go.mod index fa19acb08..097bdee38 100644 --- a/go.mod +++ b/go.mod @@ -29,13 +29,13 @@ require ( golang.org/x/net v0.27.0 google.golang.org/grpc v1.65.0 google.golang.org/protobuf v1.34.2 - k8s.io/api v0.29.4 - k8s.io/apimachinery v0.29.4 - k8s.io/client-go v0.29.4 - k8s.io/component-base v0.29.4 + k8s.io/api v0.29.7 + k8s.io/apimachinery v0.29.7 + k8s.io/client-go v0.29.7 + k8s.io/component-base v0.29.7 k8s.io/klog/v2 v2.120.1 - k8s.io/kubernetes v1.29.4 - k8s.io/mount-utils v0.29.4 + k8s.io/kubernetes v1.29.7 + k8s.io/mount-utils v0.29.7 k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 sigs.k8s.io/cloud-provider-azure v1.27.1-0.20240418020948-86cfc443b48c sigs.k8s.io/cloud-provider-azure/pkg/azclient/configloader v0.0.4 @@ -144,15 +144,15 @@ require ( gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/apiextensions-apiserver v0.0.0 // indirect - k8s.io/apiserver v0.29.4 + k8s.io/apiserver v0.29.7 k8s.io/cloud-provider v0.29.3 // indirect - k8s.io/component-helpers v0.29.4 // indirect - k8s.io/controller-manager v0.29.4 // indirect - k8s.io/kms v0.29.4 // indirect + k8s.io/component-helpers v0.29.7 // indirect + k8s.io/controller-manager v0.29.7 // indirect + k8s.io/kms v0.29.7 // indirect k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect k8s.io/kubectl v0.0.0 // indirect k8s.io/kubelet v0.29.3 // indirect - k8s.io/pod-security-admission v0.29.4 + k8s.io/pod-security-admission v0.29.7 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.28.0 // indirect sigs.k8s.io/cloud-provider-azure/pkg/azclient v0.0.31 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect @@ -169,33 +169,33 @@ require ( ) replace ( - k8s.io/api => k8s.io/api v0.29.4 - k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.29.4 - k8s.io/apimachinery => k8s.io/apimachinery v0.29.4 - k8s.io/apiserver => k8s.io/apiserver v0.29.4 - k8s.io/cli-runtime => k8s.io/cli-runtime v0.29.4 - k8s.io/client-go => k8s.io/client-go v0.29.4 - k8s.io/cloud-provider => k8s.io/cloud-provider v0.29.4 - k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.29.4 - k8s.io/code-generator => k8s.io/code-generator v0.29.4 - k8s.io/component-base => k8s.io/component-base v0.29.4 - k8s.io/component-helpers => k8s.io/component-helpers v0.29.4 - k8s.io/controller-manager => k8s.io/controller-manager v0.29.4 - k8s.io/cri-api => k8s.io/cri-api v0.29.4 - k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.29.4 - k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.29.4 - k8s.io/endpointslice => k8s.io/endpointslice v0.29.4 - k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.29.4 - k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.29.4 - k8s.io/kube-proxy => k8s.io/kube-proxy v0.29.4 - k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.29.4 - k8s.io/kubectl => k8s.io/kubectl v0.29.4 - k8s.io/kubelet => k8s.io/kubelet v0.29.4 - k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.29.4 - k8s.io/metrics => k8s.io/metrics v0.29.4 - k8s.io/mount-utils => k8s.io/mount-utils v0.29.4 - k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.29.4 - k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.29.4 - k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.29.4 - k8s.io/sample-controller => k8s.io/sample-controller v0.29.4 + k8s.io/api => k8s.io/api v0.29.7 + k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.29.7 + k8s.io/apimachinery => k8s.io/apimachinery v0.29.7 + k8s.io/apiserver => k8s.io/apiserver v0.29.7 + k8s.io/cli-runtime => k8s.io/cli-runtime v0.29.7 + k8s.io/client-go => k8s.io/client-go v0.29.7 + k8s.io/cloud-provider => k8s.io/cloud-provider v0.29.7 + k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.29.7 + k8s.io/code-generator => k8s.io/code-generator v0.29.7 + k8s.io/component-base => k8s.io/component-base v0.29.7 + k8s.io/component-helpers => k8s.io/component-helpers v0.29.7 + k8s.io/controller-manager => k8s.io/controller-manager v0.29.7 + k8s.io/cri-api => k8s.io/cri-api v0.29.7 + k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.29.7 + k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.29.7 + k8s.io/endpointslice => k8s.io/endpointslice v0.29.7 + k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.29.7 + k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.29.7 + k8s.io/kube-proxy => k8s.io/kube-proxy v0.29.7 + k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.29.7 + k8s.io/kubectl => k8s.io/kubectl v0.29.7 + k8s.io/kubelet => k8s.io/kubelet v0.29.7 + k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.29.7 + k8s.io/metrics => k8s.io/metrics v0.29.7 + k8s.io/mount-utils => k8s.io/mount-utils v0.29.7 + k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.29.7 + k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.29.7 + k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.29.7 + k8s.io/sample-controller => k8s.io/sample-controller v0.29.7 ) diff --git a/go.sum b/go.sum index c4723ab94..06fe142f0 100644 --- a/go.sum +++ b/go.sum @@ -421,42 +421,42 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.29.4 h1:WEnF/XdxuCxdG3ayHNRR8yH3cI1B/llkWBma6bq4R3w= -k8s.io/api v0.29.4/go.mod h1:DetSv0t4FBTcEpfA84NJV3g9a7+rSzlUHk5ADAYHUv0= -k8s.io/apiextensions-apiserver v0.29.4 h1:M7hbuHU/ckbibR7yPbe6DyNWgTFKNmZDbdZKD8q1Smk= -k8s.io/apiextensions-apiserver v0.29.4/go.mod h1:TTDC9fB+0kHY2rogf5hgBR03KBKCwED+GHUsXGpR7SM= -k8s.io/apimachinery v0.29.4 h1:RaFdJiDmuKs/8cm1M6Dh1Kvyh59YQFDcFuFTSmXes6Q= -k8s.io/apimachinery v0.29.4/go.mod h1:i3FJVwhvSp/6n8Fl4K97PJEP8C+MM+aoDq4+ZJBf70Y= -k8s.io/apiserver v0.29.4 h1:wPwGOO58GQOpRiZu59P5eRoDcB7QtV+QBglkRiXwCiM= -k8s.io/apiserver v0.29.4/go.mod h1:VqTF9t98HVfhKZVRohCPezsdUt9u2g3bHKftxGcXoRo= -k8s.io/client-go v0.29.4 h1:79ytIedxVfyXV8rpH3jCBW0u+un0fxHDwX5F9K8dPR8= -k8s.io/client-go v0.29.4/go.mod h1:kC1thZQ4zQWYwldsfI088BbK6RkxK+aF5ebV8y9Q4tk= -k8s.io/cloud-provider v0.29.4 h1:XRKl818NKQWan4UZ7fXFAkEJLJkBFq5sQROrbLbryM4= -k8s.io/cloud-provider v0.29.4/go.mod h1:sC7wyt5z5IRoNuU9JhEuMdRnhDEz6cWAJCyMcNUH9X8= -k8s.io/component-base v0.29.4 h1:xeKzuuHI/1tjleu5jycDAcYbhAxeGHCQBZUY2eRIkOo= -k8s.io/component-base v0.29.4/go.mod h1:pYjt+oEZP9gtmwSikwAJgfSBikqKX2gOqRat0QjmQt0= -k8s.io/component-helpers v0.29.4 h1:lbVFhywtv64KlaIYTKszkHaFAqwCjNn7xyRTeWorzfI= -k8s.io/component-helpers v0.29.4/go.mod h1:rMOVMGYEju7/GKMV0USfYAYJBIQdxlMMN1VFl/Mf2so= -k8s.io/controller-manager v0.29.4 h1:rzEwLboRTXBZhYUY02nNhORHQlcXGDE3EPS2IZRd0cg= -k8s.io/controller-manager v0.29.4/go.mod h1:XG6oraSxieDl6XBdO2HnkA6DwEfoCKS3OCpqO4Xb0zU= -k8s.io/csi-translation-lib v0.29.4 h1:ad0SlFsd0iB3PyXiAVVN4KxsTqgmPEHQyYGbJVQP1rA= -k8s.io/csi-translation-lib v0.29.4/go.mod h1:xdLMENgzc213O3qba2fWYPgBv3JiPqRfjsRanu2Te64= +k8s.io/api v0.29.7 h1:Q2/thp7YYESgy0MGzxT9RvA/6doLJHBXSFH8GGLxSbc= +k8s.io/api v0.29.7/go.mod h1:mPimdbyuIjwoLtBEVIGVUYb4BKOE+44XHt/n4IqKsLA= +k8s.io/apiextensions-apiserver v0.29.7 h1:X62u7vUGfwW5rYJB5jkZDr0uV2XSyEHJRdxnfD5PaLs= +k8s.io/apiextensions-apiserver v0.29.7/go.mod h1:JzBXxlZKKdtEYGr4yiN+s0eXheCTYgKDay8JXPfSGoQ= +k8s.io/apimachinery v0.29.7 h1:ICXzya58Q7hyEEfnTrbmdfX1n1schSepX2KUfC2/ykc= +k8s.io/apimachinery v0.29.7/go.mod h1:i3FJVwhvSp/6n8Fl4K97PJEP8C+MM+aoDq4+ZJBf70Y= +k8s.io/apiserver v0.29.7 h1:yvdZAZJ6Bmih8Iu8CqUB74otyPP0OM3XKzYzAFiWsY4= +k8s.io/apiserver v0.29.7/go.mod h1:MjEld3ySZrQ4eOzf6OKANT/v8GvM3sb1e5vozXoIirs= +k8s.io/client-go v0.29.7 h1:vTtiFrGBKlcBhxaeZC4eDrqui1e108nsTyue/KU63IY= +k8s.io/client-go v0.29.7/go.mod h1:69BvVqdRozgR/9TP45u/oO0tfrdbP+I8RqrcCJQshzg= +k8s.io/cloud-provider v0.29.7 h1:FqUe1KhLVy+4vPBE4M4IxNO63mBKbStxSUoSq2Xo/Ow= +k8s.io/cloud-provider v0.29.7/go.mod h1:wtAdRffIlqraPEgsSi3e+sBO+o1WHHCnndGaG2VDlhc= +k8s.io/component-base v0.29.7 h1:zXLJvZjvvDWdYmZCwZYk95E1Fd2oRXUz71mQukkRk5I= +k8s.io/component-base v0.29.7/go.mod h1:ddLTpIrjazaRI1EG83M41GNcYEAdskuQmx4JOOSXCOg= +k8s.io/component-helpers v0.29.7 h1:zLFeGg/Ab6QRC69xv08Syfnzc9ghgccp0gr5okb/r6M= +k8s.io/component-helpers v0.29.7/go.mod h1:fBB9g4OrGCxo2+px6+kU4BPQ56WnBbL8n2NY6jIaMNY= +k8s.io/controller-manager v0.29.7 h1:8FC9kQAm+BUTrAKyCS2uOaTXBytV3eEOIREfrFxaCjo= +k8s.io/controller-manager v0.29.7/go.mod h1:lAua8GONLnkPAHPSzU0POmvHLhsKeHbjHnVtEQPfUno= +k8s.io/csi-translation-lib v0.29.7 h1:6z1iFhTmVMK9mebK2eodvDCKv3bfL0OFu5z2C8YNvMI= +k8s.io/csi-translation-lib v0.29.7/go.mod h1:+5ZOwRS5LUQOghtqv6QWWmadixbm697xNHZC318oVf4= k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/kms v0.29.4 h1:cFGEoCLwoXk/eqYZppLZxybCdmEWeRKMCbm9f13IdRQ= -k8s.io/kms v0.29.4/go.mod h1:vWVImKkJd+1BQY4tBwdfSwjQBiLrnbNtHADcDEDQFtk= +k8s.io/kms v0.29.7 h1:4ELQdx7T4EPKbN/QMj6SeZizrEKapza5YF8e5XtZPv0= +k8s.io/kms v0.29.7/go.mod h1:vWVImKkJd+1BQY4tBwdfSwjQBiLrnbNtHADcDEDQFtk= k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780= k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA= -k8s.io/kubectl v0.29.4 h1:2LFrAznoDZjN8JFMSUcuhER5o+yjTLzWWbOiDzVjmd8= -k8s.io/kubectl v0.29.4/go.mod h1:YTKRF9y1/ccqZ2bnpOWaJD8V7johKqZR/qOMq+0pfxU= -k8s.io/kubelet v0.29.4 h1:6fTt4sTd5xqTtIhVoS7PkiFUBevQsyu3ZmENVvwY62M= -k8s.io/kubelet v0.29.4/go.mod h1:lAu6Z17pxKwgM+9hsgGkqFjYTOhbc0dnZ6GNnlbjYW0= -k8s.io/kubernetes v1.29.4 h1:n4VCbX9cUhxHI+zw+m2iZlzT73/mrEJBHIMeauh9g4U= -k8s.io/kubernetes v1.29.4/go.mod h1:28sDhcb87LX5z3GWAKYmLrhrifxi4W9bEWua4DRTIvk= -k8s.io/mount-utils v0.29.4 h1:tW/URea4gtXlaVW7VObr52NQhS+z3SXTg1GUaFZjRL4= -k8s.io/mount-utils v0.29.4/go.mod h1:SHUMR9n3b6tLgEmlyT36cL6fV6Sjwa5CJhc0guCXvb0= -k8s.io/pod-security-admission v0.29.4 h1:XatfG2zbye9SRaHQhE7EdiIu462ak3TctnkvdrUVk7I= -k8s.io/pod-security-admission v0.29.4/go.mod h1:PNErt3eRnzVx2zxIdYmgk7vBos5Qm4c8U5QXKvXFfxQ= +k8s.io/kubectl v0.29.7 h1:D+Jheug9M++zlt67cROZgxaIjrDdLqp9jkW/EYrXAoM= +k8s.io/kubectl v0.29.7/go.mod h1:VOEJkcfKTO/X8xSSB6d2JXP/Qni6xtjuI3CUP52T9bM= +k8s.io/kubelet v0.29.7 h1:YapoCGXAXRLCuRaEmCaHIbM6Ogw6dipRU+6ijMU+weo= +k8s.io/kubelet v0.29.7/go.mod h1:6cnRnEhVk4WvZC1bsegIgxhluMHa/c0Php+1bWJabLQ= +k8s.io/kubernetes v1.29.7 h1:cC7YHkNIbHJ6kxjeN6cLZDU4wFxuymyB89NZl3rKI3Y= +k8s.io/kubernetes v1.29.7/go.mod h1:28sDhcb87LX5z3GWAKYmLrhrifxi4W9bEWua4DRTIvk= +k8s.io/mount-utils v0.29.7 h1:M0LA8Tx8HtpwBy24fajiUsaklIiNi1tNrHpROxX4bLI= +k8s.io/mount-utils v0.29.7/go.mod h1:SHUMR9n3b6tLgEmlyT36cL6fV6Sjwa5CJhc0guCXvb0= +k8s.io/pod-security-admission v0.29.7 h1:GeL63bPR29TTmc9T9RNDR86Xi0gg0+jcISf+O+oIJDw= +k8s.io/pod-security-admission v0.29.7/go.mod h1:2fZW4VgBjir4qas3JB13uZDpxvJM1n9zkKRfY6p89fI= k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 h1:pUdcCO1Lk/tbT5ztQWOBi5HBgbBP1J8+AsQnQCKsi8A= k8s.io/utils v0.0.0-20240711033017-18e509b52bc8/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.28.0 h1:TgtAeesdhpm2SGwkQasmbeqDo8th5wOBA5h/AjTKA4I= diff --git a/vendor/k8s.io/apiserver/pkg/storage/cacher/watch_cache.go b/vendor/k8s.io/apiserver/pkg/storage/cacher/watch_cache.go index c26eb55da..c27ca053b 100644 --- a/vendor/k8s.io/apiserver/pkg/storage/cacher/watch_cache.go +++ b/vendor/k8s.io/apiserver/pkg/storage/cacher/watch_cache.go @@ -492,8 +492,7 @@ func (s sortableStoreElements) Swap(i, j int) { // WaitUntilFreshAndList returns list of pointers to `storeElement` objects along // with their ResourceVersion and the name of the index, if any, that was used. -func (w *watchCache) WaitUntilFreshAndList(ctx context.Context, resourceVersion uint64, matchValues []storage.MatchValue) ([]interface{}, uint64, string, error) { - var err error +func (w *watchCache) WaitUntilFreshAndList(ctx context.Context, resourceVersion uint64, matchValues []storage.MatchValue) (result []interface{}, rv uint64, index string, err error) { if utilfeature.DefaultFeatureGate.Enabled(features.ConsistentListFromCache) && w.notFresh(resourceVersion) { w.waitingUntilFresh.Add() err = w.waitUntilFreshAndBlock(ctx, resourceVersion) @@ -501,12 +500,14 @@ func (w *watchCache) WaitUntilFreshAndList(ctx context.Context, resourceVersion } else { err = w.waitUntilFreshAndBlock(ctx, resourceVersion) } + + defer func() { sort.Sort(sortableStoreElements(result)) }() defer w.RUnlock() if err != nil { - return nil, 0, "", err + return result, rv, index, err } - result, rv, index, err := func() ([]interface{}, uint64, string, error) { + result, rv, index, err = func() ([]interface{}, uint64, string, error) { // This isn't the place where we do "final filtering" - only some "prefiltering" is happening here. So the only // requirement here is to NOT miss anything that should be returned. We can return as many non-matching items as we // want - they will be filtered out later. The fact that we return less things is only further performance improvement. @@ -519,7 +520,6 @@ func (w *watchCache) WaitUntilFreshAndList(ctx context.Context, resourceVersion return w.store.List(), w.resourceVersion, "", nil }() - sort.Sort(sortableStoreElements(result)) return result, rv, index, err } diff --git a/vendor/k8s.io/apiserver/pkg/storage/etcd3/metrics/metrics.go b/vendor/k8s.io/apiserver/pkg/storage/etcd3/metrics/metrics.go index fadc87d53..1c0307bd9 100644 --- a/vendor/k8s.io/apiserver/pkg/storage/etcd3/metrics/metrics.go +++ b/vendor/k8s.io/apiserver/pkg/storage/etcd3/metrics/metrics.go @@ -84,7 +84,7 @@ var ( }, []string{"endpoint"}, ) - storageSizeDescription = compbasemetrics.NewDesc("apiserver_storage_size_bytes", "Size of the storage database file physically allocated in bytes.", []string{"cluster"}, nil, compbasemetrics.ALPHA, "") + storageSizeDescription = compbasemetrics.NewDesc("apiserver_storage_size_bytes", "Size of the storage database file physically allocated in bytes.", []string{"storage_cluster_id"}, nil, compbasemetrics.ALPHA, "") storageMonitor = &monitorCollector{monitorGetter: func() ([]Monitor, error) { return nil, nil }} etcdEventsReceivedCounts = compbasemetrics.NewCounterVec( &compbasemetrics.CounterOpts{ @@ -287,21 +287,21 @@ func (c *monitorCollector) CollectWithStability(ch chan<- compbasemetrics.Metric } for i, m := range monitors { - cluster := fmt.Sprintf("etcd-%d", i) + storageClusterID := fmt.Sprintf("etcd-%d", i) - klog.V(4).InfoS("Start collecting storage metrics", "cluster", cluster) + klog.V(4).InfoS("Start collecting storage metrics", "storage_cluster_id", storageClusterID) ctx, cancel := context.WithTimeout(context.Background(), time.Second) metrics, err := m.Monitor(ctx) cancel() m.Close() if err != nil { - klog.InfoS("Failed to get storage metrics", "cluster", cluster, "err", err) + klog.InfoS("Failed to get storage metrics", "storage_cluster_id", storageClusterID, "err", err) continue } - metric, err := compbasemetrics.NewConstMetric(storageSizeDescription, compbasemetrics.GaugeValue, float64(metrics.Size), cluster) + metric, err := compbasemetrics.NewConstMetric(storageSizeDescription, compbasemetrics.GaugeValue, float64(metrics.Size), storageClusterID) if err != nil { - klog.ErrorS(err, "Failed to create metric", "cluster", cluster) + klog.ErrorS(err, "Failed to create metric", "storage_cluster_id", storageClusterID) } ch <- metric } diff --git a/vendor/k8s.io/kubernetes/pkg/securitycontext/util.go b/vendor/k8s.io/kubernetes/pkg/securitycontext/util.go index 5895df0c7..28771b6df 100644 --- a/vendor/k8s.io/kubernetes/pkg/securitycontext/util.go +++ b/vendor/k8s.io/kubernetes/pkg/securitycontext/util.go @@ -188,7 +188,7 @@ func AddNoNewPrivileges(sc *v1.SecurityContext) bool { var ( // These *must* be kept in sync with moby/moby. - // https://github.com/moby/moby/blob/master/oci/defaults.go#L105-L123 + // https://github.com/moby/moby/blob/master/oci/defaults.go#L105-L124 // @jessfraz will watch changes to those files upstream. defaultMaskedPaths = []string{ "/proc/asound", @@ -201,6 +201,7 @@ var ( "/proc/sched_debug", "/proc/scsi", "/sys/firmware", + "/sys/devices/virtual/powercap", } defaultReadonlyPaths = []string{ "/proc/bus", diff --git a/vendor/k8s.io/kubernetes/pkg/util/filesystem/defaultfs.go b/vendor/k8s.io/kubernetes/pkg/util/filesystem/defaultfs.go index 39673a958..ef99bd3bc 100644 --- a/vendor/k8s.io/kubernetes/pkg/util/filesystem/defaultfs.go +++ b/vendor/k8s.io/kubernetes/pkg/util/filesystem/defaultfs.go @@ -72,9 +72,8 @@ func (fs *DefaultFs) Rename(oldpath, newpath string) error { return os.Rename(oldpath, newpath) } -// MkdirAll via os.MkdirAll func (fs *DefaultFs) MkdirAll(path string, perm os.FileMode) error { - return os.MkdirAll(fs.prefix(path), perm) + return MkdirAll(fs.prefix(path), perm) } // MkdirAllWithPathCheck checks if path exists already. If not, it creates a directory @@ -97,7 +96,7 @@ func MkdirAllWithPathCheck(path string, perm os.FileMode) error { return fmt.Errorf("path %v exists but is not a directory", path) } // If existence of path not known, attempt to create it. - if err := os.MkdirAll(path, perm); err != nil { + if err := MkdirAll(path, perm); err != nil { return err } return nil diff --git a/vendor/k8s.io/kubernetes/pkg/util/filesystem/util_unix.go b/vendor/k8s.io/kubernetes/pkg/util/filesystem/util_unix.go index df887f945..07175cc10 100644 --- a/vendor/k8s.io/kubernetes/pkg/util/filesystem/util_unix.go +++ b/vendor/k8s.io/kubernetes/pkg/util/filesystem/util_unix.go @@ -35,3 +35,13 @@ func IsUnixDomainSocket(filePath string) (bool, error) { } return true, nil } + +// Chmod is the same as os.Chmod on Linux. +func Chmod(name string, mode os.FileMode) error { + return os.Chmod(name, mode) +} + +// MkdirAll is the same as os.MkdirAll on Linux. +func MkdirAll(path string, perm os.FileMode) error { + return os.MkdirAll(path, perm) +} diff --git a/vendor/k8s.io/kubernetes/pkg/util/filesystem/util_windows.go b/vendor/k8s.io/kubernetes/pkg/util/filesystem/util_windows.go index cd6a11ed3..2365e6e7d 100644 --- a/vendor/k8s.io/kubernetes/pkg/util/filesystem/util_windows.go +++ b/vendor/k8s.io/kubernetes/pkg/util/filesystem/util_windows.go @@ -27,6 +27,8 @@ import ( "k8s.io/apimachinery/pkg/util/wait" "k8s.io/klog/v2" + + "golang.org/x/sys/windows" ) const ( @@ -85,3 +87,157 @@ func IsUnixDomainSocket(filePath string) (bool, error) { } return true, nil } + +// On Windows os.Mkdir all doesn't set any permissions so call the Chown function below to set +// permissions once the directory is created. +func MkdirAll(path string, perm os.FileMode) error { + klog.V(6).InfoS("Function MkdirAll starts", "path", path, "perm", perm) + err := os.MkdirAll(path, perm) + if err != nil { + return fmt.Errorf("Error creating directory %s: %v", path, err) + } + + err = Chmod(path, perm) + if err != nil { + return fmt.Errorf("Error setting permissions for directory %s: %v", path, err) + } + + return nil +} + +const ( + // These aren't defined in the syscall package for Windows :( + USER_READ = 0x100 + USER_WRITE = 0x80 + USER_EXECUTE = 0x40 + GROUP_READ = 0x20 + GROUP_WRITE = 0x10 + GROUP_EXECUTE = 0x8 + OTHERS_READ = 0x4 + OTHERS_WRITE = 0x2 + OTHERS_EXECUTE = 0x1 + USER_ALL = USER_READ | USER_WRITE | USER_EXECUTE + GROUP_ALL = GROUP_READ | GROUP_WRITE | GROUP_EXECUTE + OTHERS_ALL = OTHERS_READ | OTHERS_WRITE | OTHERS_EXECUTE +) + +// On Windows os.Chmod only sets the read-only flag on files, so we need to use Windows APIs to set the desired access on files / directories. +// The OWNER mode will set file permissions for the file owner SID, the GROUP mode will set file permissions for the file group SID, +// and the OTHERS mode will set file permissions for BUILTIN\Users. +// Please note that Windows containers can be run as one of two user accounts; ContainerUser or ContainerAdministrator. +// Containers run as ContainerAdministrator will inherit permissions from BUILTIN\Administrators, +// while containers run as ContainerUser will inherit permissions from BUILTIN\Users. +// Windows containers do not have the ability to run as a custom user account that is known to the host so the OTHERS group mode +// is used to grant / deny permissions of files on the hosts to the ContainerUser account. +func Chmod(path string, filemode os.FileMode) error { + klog.V(6).InfoS("Function Chmod starts", "path", path, "filemode", filemode) + // Get security descriptor for the file + sd, err := windows.GetNamedSecurityInfo( + path, + windows.SE_FILE_OBJECT, + windows.DACL_SECURITY_INFORMATION|windows.PROTECTED_DACL_SECURITY_INFORMATION|windows.OWNER_SECURITY_INFORMATION|windows.GROUP_SECURITY_INFORMATION) + if err != nil { + return fmt.Errorf("Error getting security descriptor for file %s: %v", path, err) + } + + // Get owner SID from the security descriptor for assigning USER permissions + owner, _, err := sd.Owner() + if err != nil { + return fmt.Errorf("Error getting owner SID for file %s: %v", path, err) + } + ownerString := owner.String() + + // Get the group SID from the security descriptor for assigning GROUP permissions + group, _, err := sd.Group() + if err != nil { + return fmt.Errorf("Error getting group SID for file %s: %v", path, err) + } + groupString := group.String() + + mask := uint32(windows.ACCESS_MASK(filemode)) + + // Build a new Discretionary Access Control List (DACL) with the desired permissions using + //the Security Descriptor Definition Language (SDDL) format. + // https://learn.microsoft.com/windows/win32/secauthz/security-descriptor-definition-language + // the DACL is a list of Access Control Entries (ACEs) where each ACE represents the permissions (Allow or Deny) for a specific SID. + // Each ACE has the following format: + // (AceType;AceFlags;Rights;ObjectGuid;InheritObjectGuid;AccountSid) + // We can leave ObjectGuid and InheritObjectGuid empty for our purposes. + + dacl := "D:" + + // build the owner ACE + dacl += "(A;OICI;" + if mask&USER_ALL == USER_ALL { + dacl += "FA" + } else { + if mask&USER_READ == USER_READ { + dacl += "FR" + } + if mask&USER_WRITE == USER_WRITE { + dacl += "FW" + } + if mask&USER_EXECUTE == USER_EXECUTE { + dacl += "FX" + } + } + dacl += ";;;" + ownerString + ")" + + // Build the group ACE + dacl += "(A;OICI;" + if mask&GROUP_ALL == GROUP_ALL { + dacl += "FA" + } else { + if mask&GROUP_READ == GROUP_READ { + dacl += "FR" + } + if mask&GROUP_WRITE == GROUP_WRITE { + dacl += "FW" + } + if mask&GROUP_EXECUTE == GROUP_EXECUTE { + dacl += "FX" + } + } + dacl += ";;;" + groupString + ")" + + // Build the others ACE + dacl += "(A;OICI;" + if mask&OTHERS_ALL == OTHERS_ALL { + dacl += "FA" + } else { + if mask&OTHERS_READ == OTHERS_READ { + dacl += "FR" + } + if mask&OTHERS_WRITE == OTHERS_WRITE { + dacl += "FW" + } + if mask&OTHERS_EXECUTE == OTHERS_EXECUTE { + dacl += "FX" + } + } + dacl += ";;;BU)" + + klog.V(6).InfoS("Setting new DACL for path", "path", path, "dacl", dacl) + + // create a new security descriptor from the DACL string + newSD, err := windows.SecurityDescriptorFromString(dacl) + if err != nil { + return fmt.Errorf("Error creating new security descriptor from DACL string: %v", err) + } + + // get the DACL in binary format from the newly created security descriptor + newDACL, _, err := newSD.DACL() + if err != nil { + return fmt.Errorf("Error getting DACL from new security descriptor: %v", err) + } + + // Write the new security descriptor to the file + return windows.SetNamedSecurityInfo( + path, + windows.SE_FILE_OBJECT, + windows.DACL_SECURITY_INFORMATION|windows.PROTECTED_DACL_SECURITY_INFORMATION, + nil, // owner SID + nil, // group SID + newDACL, + nil) // SACL +} diff --git a/vendor/k8s.io/kubernetes/pkg/volume/plugins.go b/vendor/k8s.io/kubernetes/pkg/volume/plugins.go index 6ce01755f..dcccb56f1 100644 --- a/vendor/k8s.io/kubernetes/pkg/volume/plugins.go +++ b/vendor/k8s.io/kubernetes/pkg/volume/plugins.go @@ -1064,7 +1064,7 @@ func NewPersistentVolumeRecyclerPodTemplate() *v1.Pod { Containers: []v1.Container{ { Name: "pv-recycler", - Image: "registry.k8s.io/build-image/debian-base:bookworm-v1.0.2", + Image: "registry.k8s.io/build-image/debian-base:bookworm-v1.0.3", Command: []string{"/bin/sh"}, Args: []string{"-c", "test -e /scrub && find /scrub -mindepth 1 -delete && test -z \"$(ls -A /scrub)\" || exit 1"}, VolumeMounts: []v1.VolumeMount{ diff --git a/vendor/k8s.io/kubernetes/test/e2e/storage/utils/create.go b/vendor/k8s.io/kubernetes/test/e2e/storage/utils/create.go index c3fb6b369..ac5707721 100644 --- a/vendor/k8s.io/kubernetes/test/e2e/storage/utils/create.go +++ b/vendor/k8s.io/kubernetes/test/e2e/storage/utils/create.go @@ -62,6 +62,10 @@ func LoadFromManifests(files ...string) ([]interface{}, error) { if err := runtime.DecodeInto(scheme.Codecs.UniversalDecoder(), data, &what); err != nil { return fmt.Errorf("decode TypeMeta: %w", err) } + // Ignore empty documents. + if what.Kind == "" { + return nil + } factory := factories[what] if factory == nil { diff --git a/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/external-attacher/rbac.yaml b/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/external-attacher/rbac.yaml index e47e6fed2..3d33dfc06 100644 --- a/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/external-attacher/rbac.yaml +++ b/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/external-attacher/rbac.yaml @@ -1,5 +1,5 @@ -# Do not edit, downloaded from https://github.com/kubernetes-csi/external-attacher/raw/v3.4.0/deploy/kubernetes//rbac.yaml -# for csi-driver-host-path v1.8.0 +# Do not edit, downloaded from https://github.com/kubernetes-csi/external-attacher/raw/v4.5.0/deploy/kubernetes//rbac.yaml +# for csi-driver-host-path release-1.13 # by ./update-hostpath.sh # # This YAML file contains all RBAC objects that are necessary to run external diff --git a/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/external-health-monitor/external-health-monitor-controller/rbac.yaml b/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/external-health-monitor/external-health-monitor-controller/rbac.yaml index 8f806887f..bdd93b894 100644 --- a/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/external-health-monitor/external-health-monitor-controller/rbac.yaml +++ b/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/external-health-monitor/external-health-monitor-controller/rbac.yaml @@ -1,5 +1,5 @@ -# Do not edit, downloaded from https://github.com/kubernetes-csi/external-health-monitor/raw/v0.4.0/deploy/kubernetes/external-health-monitor-controller/rbac.yaml -# for csi-driver-host-path v1.8.0 +# Do not edit, downloaded from https://github.com/kubernetes-csi/external-health-monitor/raw/v0.11.0/deploy/kubernetes/external-health-monitor-controller/rbac.yaml +# for csi-driver-host-path release-1.13 # by ./update-hostpath.sh # # This YAML file contains all RBAC objects that are necessary to run external diff --git a/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/external-provisioner/rbac.yaml b/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/external-provisioner/rbac.yaml index ba65d9e7f..d80b5d793 100644 --- a/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/external-provisioner/rbac.yaml +++ b/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/external-provisioner/rbac.yaml @@ -1,5 +1,5 @@ -# Do not edit, downloaded from https://github.com/kubernetes-csi/external-provisioner/raw/v3.1.0/deploy/kubernetes//rbac.yaml -# for csi-driver-host-path v1.8.0 +# Do not edit, downloaded from https://github.com/kubernetes-csi/external-provisioner/raw/v4.0.0/deploy/kubernetes//rbac.yaml +# for csi-driver-host-path release-1.13 # by ./update-hostpath.sh # # This YAML file contains all RBAC objects that are necessary to run external @@ -61,6 +61,13 @@ rules: - apiGroups: ["storage.k8s.io"] resources: ["volumeattachments"] verbs: ["get", "list", "watch"] + # (Alpha) Access to referencegrants is only needed when the CSI driver + # has the CrossNamespaceVolumeDataSource controller capability. + # In that case, external-provisioner requires "get", "list", "watch" + # permissions for "referencegrants" on "gateway.networking.k8s.io". + #- apiGroups: ["gateway.networking.k8s.io"] + # resources: ["referencegrants"] + # verbs: ["get", "list", "watch"] --- kind: ClusterRoleBinding @@ -89,9 +96,6 @@ metadata: rules: # Only one of the following rules for endpoints or leases is required based on # what is set for `--leader-election-type`. Endpoints are deprecated in favor of Leases. -- apiGroups: [""] - resources: ["endpoints"] - verbs: ["get", "watch", "list", "delete", "update", "create"] - apiGroups: ["coordination.k8s.io"] resources: ["leases"] verbs: ["get", "watch", "list", "delete", "update", "create"] diff --git a/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/external-resizer/rbac.yaml b/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/external-resizer/rbac.yaml index 410d14ff9..4f8f7980d 100644 --- a/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/external-resizer/rbac.yaml +++ b/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/external-resizer/rbac.yaml @@ -1,5 +1,5 @@ -# Do not edit, downloaded from https://github.com/kubernetes-csi/external-resizer/raw/v1.4.0/deploy/kubernetes//rbac.yaml -# for csi-driver-host-path v1.8.0 +# Do not edit, downloaded from https://github.com/kubernetes-csi/external-resizer/raw/v1.10.0/deploy/kubernetes//rbac.yaml +# for csi-driver-host-path release-1.13 # by ./update-hostpath.sh # # This YAML file contains all RBAC objects that are necessary to run external @@ -46,6 +46,10 @@ rules: - apiGroups: [""] resources: ["events"] verbs: ["list", "watch", "create", "update", "patch"] + # only required if enabling the alpha volume modify feature + - apiGroups: ["storage.k8s.io"] + resources: ["volumeattributesclasses"] + verbs: ["get", "list", "watch"] --- kind: ClusterRoleBinding @@ -63,7 +67,7 @@ roleRef: apiGroup: rbac.authorization.k8s.io --- -# Resizer must be able to work with end point in current namespace +# Resizer must be able to work with `leases` in current namespace # if (and only if) leadership election is enabled kind: Role apiVersion: rbac.authorization.k8s.io/v1 diff --git a/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/external-snapshotter/csi-snapshotter/rbac-csi-snapshotter.yaml b/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/external-snapshotter/csi-snapshotter/rbac-csi-snapshotter.yaml index 335538d44..7b5f5ad34 100644 --- a/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/external-snapshotter/csi-snapshotter/rbac-csi-snapshotter.yaml +++ b/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/external-snapshotter/csi-snapshotter/rbac-csi-snapshotter.yaml @@ -1,5 +1,5 @@ -# Do not edit, downloaded from https://github.com/kubernetes-csi/external-snapshotter/raw/v5.0.1/deploy/kubernetes/csi-snapshotter/rbac-csi-snapshotter.yaml -# for csi-driver-host-path v1.8.0 +# Do not edit, downloaded from https://github.com/kubernetes-csi/external-snapshotter/raw/v7.0.1/deploy/kubernetes/csi-snapshotter/rbac-csi-snapshotter.yaml +# for csi-driver-host-path release-1.13 # by ./update-hostpath.sh # # Together with the RBAC file for external-provisioner, this YAML file @@ -12,6 +12,7 @@ # - optionally rename the non-namespaced ClusterRole if there # are conflicts with other deployments +--- apiVersion: v1 kind: ServiceAccount metadata: @@ -37,13 +38,24 @@ rules: - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshotclasses"] verbs: ["get", "list", "watch"] + - apiGroups: ["snapshot.storage.k8s.io"] + resources: ["volumesnapshots"] + verbs: ["get", "list", "watch", "update", "patch", "create"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshotcontents"] - verbs: ["create", "get", "list", "watch", "update", "delete", "patch"] + verbs: ["get", "list", "watch", "update", "patch", "create"] - apiGroups: ["snapshot.storage.k8s.io"] resources: ["volumesnapshotcontents/status"] verbs: ["update", "patch"] - + - apiGroups: ["groupsnapshot.storage.k8s.io"] + resources: ["volumegroupsnapshotclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["groupsnapshot.storage.k8s.io"] + resources: ["volumegroupsnapshotcontents"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["groupsnapshot.storage.k8s.io"] + resources: ["volumegroupsnapshotcontents/status"] + verbs: ["update", "patch"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 diff --git a/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/hostpath/README.md b/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/hostpath/README.md index 399316db2..ce3a7694e 100644 --- a/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/hostpath/README.md +++ b/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/hostpath/README.md @@ -1,4 +1,4 @@ The files in this directory are exact copies of "kubernetes-latest" in -https://github.com/kubernetes-csi/csi-driver-host-path/tree/v1.8.0/deploy/ +https://github.com/kubernetes-csi/csi-driver-host-path/tree/release-1.13/deploy/ Do not edit manually. Run ./update-hostpath.sh to refresh the content. diff --git a/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/hostpath/hostpath/csi-hostpath-driverinfo.yaml b/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/hostpath/hostpath/csi-hostpath-driverinfo.yaml index c8cf666a4..0250a52c1 100644 --- a/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/hostpath/hostpath/csi-hostpath-driverinfo.yaml +++ b/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/hostpath/hostpath/csi-hostpath-driverinfo.yaml @@ -15,3 +15,6 @@ spec: # To determine at runtime which mode a volume uses, pod info and its # "csi.storage.k8s.io/ephemeral" entry are needed. podInfoOnMount: true + # Kubernetes may use fsGroup to change permissions and ownership + # of the volume to match user requested fsGroup in the pod's SecurityPolicy + fsGroupPolicy: File diff --git a/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/hostpath/hostpath/csi-hostpath-plugin.yaml b/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/hostpath/hostpath/csi-hostpath-plugin.yaml index 6a41a0239..eb4c16348 100644 --- a/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/hostpath/hostpath/csi-hostpath-plugin.yaml +++ b/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/hostpath/hostpath/csi-hostpath-plugin.yaml @@ -1,4 +1,4 @@ -# All of the individual sidecar RBAC roles get bound + # All of the individual sidecar RBAC roles get bound # to this account. kind: ServiceAccount apiVersion: v1 @@ -190,6 +190,7 @@ kind: StatefulSet apiVersion: apps/v1 metadata: name: csi-hostpathplugin + namespace: default labels: app.kubernetes.io/instance: hostpath.csi.k8s.io app.kubernetes.io/part-of: csi-driver-host-path @@ -218,7 +219,7 @@ spec: serviceAccountName: csi-hostpathplugin-sa containers: - name: hostpath - image: registry.k8s.io/sig-storage/hostpathplugin:v1.11.0 + image: registry.k8s.io/sig-storage/hostpathplugin:v1.13.0 args: - "--drivername=hostpath.csi.k8s.io" - "--v=5" @@ -261,7 +262,7 @@ spec: name: dev-dir - name: csi-external-health-monitor-controller - image: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.7.0 + image: registry.k8s.io/sig-storage/csi-external-health-monitor-controller:v0.11.0 args: - "--v=5" - "--csi-address=$(ADDRESS)" @@ -275,7 +276,7 @@ spec: mountPath: /csi - name: node-driver-registrar - image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.5.1 + image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0 args: - --v=5 - --csi-address=/csi/csi.sock @@ -303,13 +304,13 @@ spec: volumeMounts: - mountPath: /csi name: socket-dir - image: registry.k8s.io/sig-storage/livenessprobe:v2.7.0 + image: registry.k8s.io/sig-storage/livenessprobe:v2.12.0 args: - --csi-address=/csi/csi.sock - --health-port=9898 - name: csi-attacher - image: registry.k8s.io/sig-storage/csi-attacher:v4.0.0 + image: registry.k8s.io/sig-storage/csi-attacher:v4.5.0 args: - --v=5 - --csi-address=/csi/csi.sock @@ -323,11 +324,12 @@ spec: name: socket-dir - name: csi-provisioner - image: registry.k8s.io/sig-storage/csi-provisioner:v3.4.0 + image: registry.k8s.io/sig-storage/csi-provisioner:v4.0.0 args: - -v=5 - --csi-address=/csi/csi.sock - --feature-gates=Topology=true + # end csi-provisioner args securityContext: # This is necessary only for systems with SELinux, where # non-privileged sidecar containers cannot access unix domain socket @@ -338,7 +340,7 @@ spec: name: socket-dir - name: csi-resizer - image: registry.k8s.io/sig-storage/csi-resizer:v1.6.0 + image: registry.k8s.io/sig-storage/csi-resizer:v1.10.0 args: - -v=5 - -csi-address=/csi/csi.sock @@ -352,7 +354,7 @@ spec: name: socket-dir - name: csi-snapshotter - image: registry.k8s.io/sig-storage/csi-snapshotter:v6.1.0 + image: registry.k8s.io/sig-storage/csi-snapshotter:v7.0.1 args: - -v=5 - --csi-address=/csi/csi.sock diff --git a/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/hostpath/hostpath/csi-hostpath-testing.yaml b/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/hostpath/hostpath/csi-hostpath-testing.yaml index 7253a70a9..02e5e8d7c 100644 --- a/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/hostpath/hostpath/csi-hostpath-testing.yaml +++ b/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/hostpath/hostpath/csi-hostpath-testing.yaml @@ -11,6 +11,7 @@ apiVersion: v1 kind: Service metadata: name: hostpath-service + namespace: default labels: app.kubernetes.io/instance: hostpath.csi.k8s.io app.kubernetes.io/part-of: csi-driver-host-path @@ -30,6 +31,7 @@ kind: StatefulSet apiVersion: apps/v1 metadata: name: csi-hostpath-socat + namespace: default labels: app.kubernetes.io/instance: hostpath.csi.k8s.io app.kubernetes.io/part-of: csi-driver-host-path @@ -64,7 +66,9 @@ spec: topologyKey: kubernetes.io/hostname containers: - name: socat - image: docker.io/alpine/socat:1.7.4.3-r0 + image: registry.k8s.io/sig-storage/hostpathplugin:v1.13.0 + command: + - socat args: - tcp-listen:10000,fork,reuseaddr - unix-connect:/csi/csi.sock diff --git a/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/mock/csi-mock-driver-attacher.yaml b/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/mock/csi-mock-driver-attacher.yaml index 7684aea78..b17687c61 100644 --- a/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/mock/csi-mock-driver-attacher.yaml +++ b/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/mock/csi-mock-driver-attacher.yaml @@ -15,7 +15,7 @@ spec: serviceAccountName: csi-mock containers: - name: csi-attacher - image: registry.k8s.io/sig-storage/csi-attacher:v4.0.0 + image: registry.k8s.io/sig-storage/csi-attacher:v4.5.0 args: - --v=5 - --csi-address=$(ADDRESS) diff --git a/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/mock/csi-mock-driver-resizer.yaml b/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/mock/csi-mock-driver-resizer.yaml index 242c0b5aa..ef85e3170 100644 --- a/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/mock/csi-mock-driver-resizer.yaml +++ b/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/mock/csi-mock-driver-resizer.yaml @@ -15,7 +15,7 @@ spec: serviceAccountName: csi-mock containers: - name: csi-resizer - image: registry.k8s.io/sig-storage/csi-resizer:v1.6.0 + image: registry.k8s.io/sig-storage/csi-resizer:v1.10.0 args: - "--v=5" - "--csi-address=$(ADDRESS)" diff --git a/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/mock/csi-mock-driver-snapshotter.yaml b/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/mock/csi-mock-driver-snapshotter.yaml index f788a4a8f..6718060ec 100644 --- a/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/mock/csi-mock-driver-snapshotter.yaml +++ b/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/mock/csi-mock-driver-snapshotter.yaml @@ -15,7 +15,7 @@ spec: serviceAccountName: csi-mock containers: - name: csi-snapshotter - image: registry.k8s.io/sig-storage/csi-snapshotter:v6.1.0 + image: registry.k8s.io/sig-storage/csi-snapshotter:v7.0.1 args: - "--v=5" - "--csi-address=$(ADDRESS)" diff --git a/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/mock/csi-mock-driver.yaml b/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/mock/csi-mock-driver.yaml index 4493deccc..3035532c5 100644 --- a/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/mock/csi-mock-driver.yaml +++ b/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/mock/csi-mock-driver.yaml @@ -15,7 +15,7 @@ spec: serviceAccountName: csi-mock containers: - name: csi-provisioner - image: registry.k8s.io/sig-storage/csi-provisioner:v3.4.0 + image: registry.k8s.io/sig-storage/csi-provisioner:v4.0.0 args: - "--csi-address=$(ADDRESS)" # Topology support is needed for the pod rescheduling test @@ -34,7 +34,7 @@ spec: - mountPath: /csi name: socket-dir - name: driver-registrar - image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.5.1 + image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0 args: - --v=5 - --csi-address=/csi/csi.sock @@ -53,7 +53,7 @@ spec: - mountPath: /registration name: registration-dir - name: mock - image: registry.k8s.io/sig-storage/hostpathplugin:v1.9.0 + image: registry.k8s.io/sig-storage/hostpathplugin:v1.13.0 args: - "--drivername=mock.storage.k8s.io" - "--nodeid=$(KUBE_NODE_NAME)" diff --git a/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/mock/csi-mock-proxy.yaml b/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/mock/csi-mock-proxy.yaml index d1aa8ece8..189c17af6 100644 --- a/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/mock/csi-mock-proxy.yaml +++ b/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/mock/csi-mock-proxy.yaml @@ -15,7 +15,7 @@ spec: serviceAccountName: csi-mock containers: - name: csi-provisioner - image: registry.k8s.io/sig-storage/csi-provisioner:v3.4.0 + image: registry.k8s.io/sig-storage/csi-provisioner:v4.0.0 args: - "--csi-address=$(ADDRESS)" # Topology support is needed for the pod rescheduling test @@ -35,7 +35,7 @@ spec: - mountPath: /csi name: socket-dir - name: driver-registrar - image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.5.1 + image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.10.0 args: - --v=5 - --csi-address=/csi/csi.sock @@ -53,7 +53,7 @@ spec: - mountPath: /registration name: registration-dir - name: mock - image: registry.k8s.io/sig-storage/hostpathplugin:v1.9.0 + image: registry.k8s.io/sig-storage/hostpathplugin:v1.13.0 args: - -v=5 - -nodeid=$(KUBE_NODE_NAME) diff --git a/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/update-hostpath.sh b/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/update-hostpath.sh index ce60b39bc..122de0d18 100644 --- a/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/update-hostpath.sh +++ b/vendor/k8s.io/kubernetes/test/e2e/testing-manifests/storage-csi/update-hostpath.sh @@ -137,5 +137,5 @@ done grep -r image: hostpath/hostpath/csi-hostpath-plugin.yaml | while read -r image; do version=$(echo "$image" | sed -e 's/.*:\(.*\)/\1/') image=$(echo "$image" | sed -e 's/.*image: \([^:]*\).*/\1/') - sed -i -e "s;$image:.*;$image:$version;" mock/*.yaml + sed -i '' -e "s;$image:.*;$image:$version;" mock/*.yaml done diff --git a/vendor/k8s.io/kubernetes/test/utils/image/manifest.go b/vendor/k8s.io/kubernetes/test/utils/image/manifest.go index 0d83a7cc8..efc0ec412 100644 --- a/vendor/k8s.io/kubernetes/test/utils/image/manifest.go +++ b/vendor/k8s.io/kubernetes/test/utils/image/manifest.go @@ -241,7 +241,7 @@ func initImageConfigs(list RegistryList) (map[ImageID]Config, map[ImageID]Config configs[BusyBox] = Config{list.PromoterE2eRegistry, "busybox", "1.36.1-1"} configs[CudaVectorAdd] = Config{list.PromoterE2eRegistry, "cuda-vector-add", "1.0"} configs[CudaVectorAdd2] = Config{list.PromoterE2eRegistry, "cuda-vector-add", "2.3"} - configs[DistrolessIptables] = Config{list.BuildImageRegistry, "distroless-iptables", "v0.4.7"} + configs[DistrolessIptables] = Config{list.BuildImageRegistry, "distroless-iptables", "v0.5.6"} configs[Etcd] = Config{list.GcEtcdRegistry, "etcd", "3.5.12-0"} configs[Httpd] = Config{list.PromoterE2eRegistry, "httpd", "2.4.38-4"} configs[HttpdNew] = Config{list.PromoterE2eRegistry, "httpd", "2.4.39-4"} diff --git a/vendor/modules.txt b/vendor/modules.txt index 760bf8a8c..3be0b7617 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -755,7 +755,7 @@ gopkg.in/yaml.v2 # gopkg.in/yaml.v3 v3.0.1 ## explicit gopkg.in/yaml.v3 -# k8s.io/api v0.29.4 => k8s.io/api v0.29.4 +# k8s.io/api v0.29.7 => k8s.io/api v0.29.7 ## explicit; go 1.21 k8s.io/api/admission/v1 k8s.io/api/admission/v1beta1 @@ -811,12 +811,12 @@ k8s.io/api/scheduling/v1beta1 k8s.io/api/storage/v1 k8s.io/api/storage/v1alpha1 k8s.io/api/storage/v1beta1 -# k8s.io/apiextensions-apiserver v0.0.0 => k8s.io/apiextensions-apiserver v0.29.4 +# k8s.io/apiextensions-apiserver v0.0.0 => k8s.io/apiextensions-apiserver v0.29.7 ## explicit; go 1.21 k8s.io/apiextensions-apiserver/pkg/apis/apiextensions k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1 k8s.io/apiextensions-apiserver/pkg/features -# k8s.io/apimachinery v0.29.4 => k8s.io/apimachinery v0.29.4 +# k8s.io/apimachinery v0.29.7 => k8s.io/apimachinery v0.29.7 ## explicit; go 1.21 k8s.io/apimachinery/pkg/api/equality k8s.io/apimachinery/pkg/api/errors @@ -879,7 +879,7 @@ k8s.io/apimachinery/pkg/watch k8s.io/apimachinery/third_party/forked/golang/json k8s.io/apimachinery/third_party/forked/golang/netutil k8s.io/apimachinery/third_party/forked/golang/reflect -# k8s.io/apiserver v0.29.4 => k8s.io/apiserver v0.29.4 +# k8s.io/apiserver v0.29.7 => k8s.io/apiserver v0.29.7 ## explicit; go 1.21 k8s.io/apiserver/pkg/admission k8s.io/apiserver/pkg/admission/cel @@ -1027,7 +1027,7 @@ k8s.io/apiserver/plugin/pkg/audit/truncate k8s.io/apiserver/plugin/pkg/audit/webhook k8s.io/apiserver/plugin/pkg/authenticator/token/webhook k8s.io/apiserver/plugin/pkg/authorizer/webhook -# k8s.io/client-go v0.29.4 => k8s.io/client-go v0.29.4 +# k8s.io/client-go v0.29.7 => k8s.io/client-go v0.29.7 ## explicit; go 1.21 k8s.io/client-go/applyconfigurations/admissionregistration/v1 k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1 @@ -1350,7 +1350,7 @@ k8s.io/client-go/util/homedir k8s.io/client-go/util/keyutil k8s.io/client-go/util/retry k8s.io/client-go/util/workqueue -# k8s.io/cloud-provider v0.29.3 => k8s.io/cloud-provider v0.29.4 +# k8s.io/cloud-provider v0.29.3 => k8s.io/cloud-provider v0.29.7 ## explicit; go 1.21 k8s.io/cloud-provider k8s.io/cloud-provider/api @@ -1366,7 +1366,7 @@ k8s.io/cloud-provider/names k8s.io/cloud-provider/node/helpers k8s.io/cloud-provider/options k8s.io/cloud-provider/service/helpers -# k8s.io/component-base v0.29.4 => k8s.io/component-base v0.29.4 +# k8s.io/component-base v0.29.7 => k8s.io/component-base v0.29.7 ## explicit; go 1.21 k8s.io/component-base/cli/flag k8s.io/component-base/config @@ -1388,14 +1388,14 @@ k8s.io/component-base/metrics/testutil k8s.io/component-base/tracing k8s.io/component-base/tracing/api/v1 k8s.io/component-base/version -# k8s.io/component-helpers v0.29.4 => k8s.io/component-helpers v0.29.4 +# k8s.io/component-helpers v0.29.7 => k8s.io/component-helpers v0.29.7 ## explicit; go 1.21 k8s.io/component-helpers/node/util k8s.io/component-helpers/node/util/sysctl k8s.io/component-helpers/scheduling/corev1 k8s.io/component-helpers/scheduling/corev1/nodeaffinity k8s.io/component-helpers/storage/volume -# k8s.io/controller-manager v0.29.4 => k8s.io/controller-manager v0.29.4 +# k8s.io/controller-manager v0.29.7 => k8s.io/controller-manager v0.29.7 ## explicit; go 1.21 k8s.io/controller-manager/config k8s.io/controller-manager/config/v1 @@ -1416,7 +1416,7 @@ k8s.io/klog/v2/internal/dbg k8s.io/klog/v2/internal/serialize k8s.io/klog/v2/internal/severity k8s.io/klog/v2/internal/sloghandler -# k8s.io/kms v0.29.4 +# k8s.io/kms v0.29.7 ## explicit; go 1.21 k8s.io/kms/apis/v1beta1 k8s.io/kms/apis/v2 @@ -1443,15 +1443,15 @@ k8s.io/kube-openapi/pkg/validation/errors k8s.io/kube-openapi/pkg/validation/spec k8s.io/kube-openapi/pkg/validation/strfmt k8s.io/kube-openapi/pkg/validation/strfmt/bson -# k8s.io/kubectl v0.0.0 => k8s.io/kubectl v0.29.4 +# k8s.io/kubectl v0.0.0 => k8s.io/kubectl v0.29.7 ## explicit; go 1.21 k8s.io/kubectl/pkg/scale k8s.io/kubectl/pkg/util/podutils -# k8s.io/kubelet v0.29.3 => k8s.io/kubelet v0.29.4 +# k8s.io/kubelet v0.29.3 => k8s.io/kubelet v0.29.7 ## explicit; go 1.21 k8s.io/kubelet/pkg/apis k8s.io/kubelet/pkg/apis/stats/v1alpha1 -# k8s.io/kubernetes v1.29.4 +# k8s.io/kubernetes v1.29.7 ## explicit; go 1.21 k8s.io/kubernetes/pkg/api/legacyscheme k8s.io/kubernetes/pkg/api/service @@ -1519,10 +1519,10 @@ k8s.io/kubernetes/test/utils k8s.io/kubernetes/test/utils/format k8s.io/kubernetes/test/utils/image k8s.io/kubernetes/test/utils/kubeconfig -# k8s.io/mount-utils v0.29.4 => k8s.io/mount-utils v0.29.4 +# k8s.io/mount-utils v0.29.7 => k8s.io/mount-utils v0.29.7 ## explicit; go 1.21 k8s.io/mount-utils -# k8s.io/pod-security-admission v0.29.4 => k8s.io/pod-security-admission v0.29.4 +# k8s.io/pod-security-admission v0.29.7 => k8s.io/pod-security-admission v0.29.7 ## explicit; go 1.21 k8s.io/pod-security-admission/api k8s.io/pod-security-admission/policy @@ -1672,32 +1672,32 @@ sigs.k8s.io/structured-merge-diff/v4/value ## explicit; go 1.12 sigs.k8s.io/yaml sigs.k8s.io/yaml/goyaml.v2 -# k8s.io/api => k8s.io/api v0.29.4 -# k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.29.4 -# k8s.io/apimachinery => k8s.io/apimachinery v0.29.4 -# k8s.io/apiserver => k8s.io/apiserver v0.29.4 -# k8s.io/cli-runtime => k8s.io/cli-runtime v0.29.4 -# k8s.io/client-go => k8s.io/client-go v0.29.4 -# k8s.io/cloud-provider => k8s.io/cloud-provider v0.29.4 -# k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.29.4 -# k8s.io/code-generator => k8s.io/code-generator v0.29.4 -# k8s.io/component-base => k8s.io/component-base v0.29.4 -# k8s.io/component-helpers => k8s.io/component-helpers v0.29.4 -# k8s.io/controller-manager => k8s.io/controller-manager v0.29.4 -# k8s.io/cri-api => k8s.io/cri-api v0.29.4 -# k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.29.4 -# k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.29.4 -# k8s.io/endpointslice => k8s.io/endpointslice v0.29.4 -# k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.29.4 -# k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.29.4 -# k8s.io/kube-proxy => k8s.io/kube-proxy v0.29.4 -# k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.29.4 -# k8s.io/kubectl => k8s.io/kubectl v0.29.4 -# k8s.io/kubelet => k8s.io/kubelet v0.29.4 -# k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.29.4 -# k8s.io/metrics => k8s.io/metrics v0.29.4 -# k8s.io/mount-utils => k8s.io/mount-utils v0.29.4 -# k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.29.4 -# k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.29.4 -# k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.29.4 -# k8s.io/sample-controller => k8s.io/sample-controller v0.29.4 +# k8s.io/api => k8s.io/api v0.29.7 +# k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.29.7 +# k8s.io/apimachinery => k8s.io/apimachinery v0.29.7 +# k8s.io/apiserver => k8s.io/apiserver v0.29.7 +# k8s.io/cli-runtime => k8s.io/cli-runtime v0.29.7 +# k8s.io/client-go => k8s.io/client-go v0.29.7 +# k8s.io/cloud-provider => k8s.io/cloud-provider v0.29.7 +# k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.29.7 +# k8s.io/code-generator => k8s.io/code-generator v0.29.7 +# k8s.io/component-base => k8s.io/component-base v0.29.7 +# k8s.io/component-helpers => k8s.io/component-helpers v0.29.7 +# k8s.io/controller-manager => k8s.io/controller-manager v0.29.7 +# k8s.io/cri-api => k8s.io/cri-api v0.29.7 +# k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.29.7 +# k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.29.7 +# k8s.io/endpointslice => k8s.io/endpointslice v0.29.7 +# k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.29.7 +# k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.29.7 +# k8s.io/kube-proxy => k8s.io/kube-proxy v0.29.7 +# k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.29.7 +# k8s.io/kubectl => k8s.io/kubectl v0.29.7 +# k8s.io/kubelet => k8s.io/kubelet v0.29.7 +# k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.29.7 +# k8s.io/metrics => k8s.io/metrics v0.29.7 +# k8s.io/mount-utils => k8s.io/mount-utils v0.29.7 +# k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.29.7 +# k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.29.7 +# k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.29.7 +# k8s.io/sample-controller => k8s.io/sample-controller v0.29.7