GO-2023-2125: kOps privilege escalation vulnerability in k8s.io/kops

kube-apiserver-healthcheck

command

v1.24.5 Latest Latest Go to latest Published: Nov 25, 2022 License: Apache-2.0 Imports: 10 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/kubernetes/kops

Links

Open Source Insights

README ¶

kube-apiserver-healthcheck

This is a small sidecar container that allows for health-checking the kube-apiserver without enabling anonymous authentication and without enabling the unauthenticated port.

It listens on port 3990 (http), and proxies a few known-safe requests to the real apiserver listening on 443. It uses a client certificate to authenticate itself to the apiserver.

This lets us turn off the unauthenticated kube-apiserver endpoint, but it also lets us have better load-balancer health-checks.

Because it runs as a sidecar next to kube-apiserver, it is in the same network namespace, and thus it can reach apiserver on https://127.0.0.1 . The kube-apiserver-healthcheck process listens on 3990, but the health checks for the apiserver container are configured for :8080 and actually go via the sidecar.

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL