Affected by GO-2022-0457 and 11 other vulnerabilities

GO-2022-0457: Access to Unix domain socket can lead to privileges escalation in Cilium in github.com/cilium/cilium

GO-2022-0458: Improper Privilege Management in Cilium in github.com/cilium/cilium

GO-2022-0959: Network Policies & (Clusterwide) Cilium Network Policies with namespace label selectors may unexpectedly select pods with maliciously crafted labels in github.com/cilium/cilium

GO-2023-1643: Potential network policy bypass when routing IPv6 traffic in github.com/cilium/cilium

GO-2023-1730: Debug mode leaks confidential data in Cilium in github.com/cilium/cilium

GO-2023-1785: Potential HTTP policy bypass when using header rules in Cilium in github.com/cilium/cilium

GO-2023-2078: Kubernetes users may update Pod labels to bypass network policy in github.com/cilium/cilium

GO-2023-2079: Specific Cilium configurations vulnerable to DoS via Kubernetes annotations in github.com/cilium/cilium

GO-2023-2080: Cilium vulnerable to bypass of namespace restrictions in CiliumNetworkPolicy in github.com/cilium/cilium

GO-2024-2656: Unencrypted traffic between nodes with IPsec in github.com/cilium/cilium

GO-2024-2666: Insecure IPsec transparent encryption in github.com/cilium/cilium

GO-2024-3072: Policy bypass for Host Firewall policy due to race condition in Cilium agent in github.com/cilium/cilium

clustermesh-apiserver

command

v1.9.6 Latest Latest Go to latest Published: Apr 20, 2021 License: Apache-2.0 Imports: 50 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/cilium/cilium

Links

Open Source Insights

README ¶

API server for Cilium ClusterMesh

Deploy the clustermesh-apiserver

Cilium Helm charts automatically deploy clustermesh-apiserver when Cilium cluster.name is not "default". Remember to set a non-zero cluster.id in Helm as well. clustermesh-apiserver service type defaults to NodePort. Depending on your k8s provider it may be beneficial to change this to LoadBalancer:

$ helm install cilium ...
--set clustermesh.apiserver.service.type=LoadBalancer \

Additionally, if your load balancer can give you a static IP address, it may be specified like so:

$ helm install cilium ...
--set clustermesh.apiserver.service.loadBalancerIP=xxx.xxx.xxx.xxx \

Connect Cilium clusters in to a clustermesh

Extract a cilium-clustermesh secret from each cluster to be applied in another cluster:

$ contrib/k8s/k8s-extract-clustermesh-nodeport-secret.sh > cluster1-secret.json

Repeat this step in all your clusters, storing the outputs into different files.
Apply secrets from all other clusters in each of your clusters, e.g., on cluster1:

$ contrib/k8s/k8s-import-clustermesh-secrets.sh cluster2-secret.json cluster3-secret.json ...

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL