Affected by GO-2022-0457 and 11 other vulnerabilities

GO-2022-0457: Access to Unix domain socket can lead to privileges escalation in Cilium in github.com/cilium/cilium

GO-2022-0458: Improper Privilege Management in Cilium in github.com/cilium/cilium

GO-2022-0959: Network Policies & (Clusterwide) Cilium Network Policies with namespace label selectors may unexpectedly select pods with maliciously crafted labels in github.com/cilium/cilium

GO-2023-1643: Potential network policy bypass when routing IPv6 traffic in github.com/cilium/cilium

GO-2023-1730: Debug mode leaks confidential data in Cilium in github.com/cilium/cilium

GO-2023-1785: Potential HTTP policy bypass when using header rules in Cilium in github.com/cilium/cilium

GO-2023-2078: Kubernetes users may update Pod labels to bypass network policy in github.com/cilium/cilium

GO-2023-2079: Specific Cilium configurations vulnerable to DoS via Kubernetes annotations in github.com/cilium/cilium

GO-2023-2080: Cilium vulnerable to bypass of namespace restrictions in CiliumNetworkPolicy in github.com/cilium/cilium

GO-2024-2656: Unencrypted traffic between nodes with IPsec in github.com/cilium/cilium

GO-2024-2666: Insecure IPsec transparent encryption in github.com/cilium/cilium

GO-2024-3072: Policy bypass for Host Firewall policy due to race condition in Cilium agent in github.com/cilium/cilium

synced

package

v1.9.0-rc3 Latest Latest Go to latest Published: Nov 3, 2020 License: Apache-2.0 Imports: 24 Imported by: 4

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/cilium/cilium

Documentation ¶

Overview ¶

Package synced provides tools for tracking if k8s resources have been initially sychronized with the k8s apiserver.

Index ¶

func GetCRDResourceNames() []string
func SyncCRDs(ctx context.Context, rs *Resources, ag *APIGroups) error
type APIGroups
type Resources

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func GetCRDResourceNames ¶

func GetCRDResourceNames() []string

GetCRDResourceNames returns the list of Cilium CRDs we know about.

func SyncCRDs ¶

func SyncCRDs(ctx context.Context, rs *Resources, ag *APIGroups) error

SyncCRDs will sync Cilium CRDs to ensure that they have all been installed inside the K8s cluster. These CRDs are added by the Cilium Operator. This function will block until it finds all the CRDs or if a timeout occurs.

Types ¶

type APIGroups ¶

type APIGroups struct {
	lock.RWMutex
	// contains filtered or unexported fields
}

APIGroups is a lockable map to hold which k8s API Groups we have enabled/in-use Note: We can replace it with a Go 1.9 map once we require that version

func (*APIGroups) AddAPI ¶

func (m *APIGroups) AddAPI(api string)

func (*APIGroups) GetGroups ¶

func (m *APIGroups) GetGroups() []string

func (*APIGroups) RemoveAPI ¶

func (m *APIGroups) RemoveAPI(api string)

type Resources ¶

type Resources struct {
	lock.RWMutex
	// contains filtered or unexported fields
}

Resources maps resource names to channels that are closed upon initial sync with k8s.

func (*Resources) BlockWaitGroupToSyncResources ¶

func (r *Resources) BlockWaitGroupToSyncResources(
	stop <-chan struct{},
	swg *lock.StoppableWaitGroup,
	hasSyncedFunc cache.InformerSynced,
	resourceName string,
)

BlockWaitGroupToSyncResources ensures that anything which waits on waitGroup waits until all objects of the specified resource stored in Kubernetes are received by the informer and processed by controller. Fatally exits if syncing these initial objects fails. If the given stop channel is closed, it does not fatal. Once the k8s caches are synced against k8s, k8sCacheSynced is also closed.

func (*Resources) CancelWaitGroupToSyncResources ¶

func (r *Resources) CancelWaitGroupToSyncResources(resourceName string)

func (*Resources) WaitForCacheSync ¶

func (r *Resources) WaitForCacheSync(resourceNames ...string)

WaitForCacheSync waits for all K8s resources represented by resourceNames to have their K8s caches synchronized.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL