Documentation
Constants
const AudienceNodeAuthentication = "kops.k8s.io/node-bootstrap"
AudienceNodeAuthentication is used in case we have multiple audiences using the TPM in the future.
const GCETPMAuthenticationTokenPrefix = "x-gce-tpm "
GCETPMAuthenticationTokenPrefix is the prefix used for authentication using the GCE TPM.
Variables
This section is empty.
Functions
This section is empty.
Types
type AuthToken
type AuthToken struct {
	// Signature is the TPM signature for data
	Signature []byte `json:"signature,omitempty"`

	// Data is the data we are signing.
	// It is a JSON encoded form of AuthTokenData.
	Data []byte `json:"data,omitempty"`
}
AuthToken describes the authentication header data when using GCE TPM authentication.
type AuthTokenData
type AuthTokenData struct {
	// GCPProjectID is the GCP project we claim to be part of
	GCPProjectID string `json:"gcpProjectID,omitempty"`

	// Zone is the availability zone we claim to be part of
	Zone string `json:"zone,omitempty"`

	// Instance is the name/id of the instance we are claiming
	Instance string `json:"instance,omitempty"`

	// RequestHash is the hash of the request
	RequestHash []byte `json:"requestHash,omitempty"`

	// Timestamp is the time of this request (to help prevent replay attacks)
	Timestamp int64 `json:"timestamp,omitempty"`

	// Audience is the audience for this request (to help prevent replay attacks)
	Audience string `json:"audience,omitempty"`
}
AuthTokenData is the code data that is signed as part of the header.
type TPMVerifierOptions
type TPMVerifierOptions struct {
	// ProjectID is the GCP project we require
	ProjectID string `json:"projectID,omitempty"`

	// Region is the region we require instances to be in.
	Region string `json:"region,omitempty"`

	// ClusterName is the cluster-name tag we require
	ClusterName string `json:"clusterName,omitempty"`

	// MaxTimeSkew is the maximum time skew to allow (in seconds)
	MaxTimeSkew int64 `json:"MaxTimeSkew,omitempty"`
}
TPMVerifierOptions describes how we authenticate instances with GCE TPM authentication.
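How a verifier can use the fields above to reject replayed or re-targeted tokens, as an added example that is not kops code. Assumptions: the header value is the prefix followed by base64 of the JSON AuthToken, RequestHash is SHA-256 of the request body, and Timestamp is Unix seconds; `checkToken` is a hypothetical name and `verifySig` a hypothetical stand-in for checking Signature against the instance's TPM signing key.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

const audience, prefix = "kops.k8s.io/node-bootstrap", "x-gce-tpm " // the two constants on this page
type AuthToken struct { // as documented on this page
	Signature []byte `json:"signature,omitempty"`
	Data      []byte `json:"data,omitempty"`
}
type AuthTokenData struct { // replay-relevant subset of the documented fields
	RequestHash []byte `json:"requestHash,omitempty"`
	Timestamp   int64  `json:"timestamp,omitempty"`
	Audience    string `json:"audience,omitempty"`
}

// checkToken is a hypothetical helper; verifySig stands in for the TPM signature check.
func checkToken(header string, body []byte, now, maxSkew int64, verifySig func(data, sig []byte) bool) error {
	if !strings.HasPrefix(header, prefix) {
		return errors.New("wrong token prefix")
	}
	raw, err := base64.StdEncoding.DecodeString(header[len(prefix):]) // assumed wire encoding
	var tok AuthToken
	if err != nil || json.Unmarshal(raw, &tok) != nil {
		return errors.New("malformed token")
	}
	var d AuthTokenData // claims are parsed only after the signature over the raw Data bytes verifies
	if !verifySig(tok.Data, tok.Signature) || json.Unmarshal(tok.Data, &d) != nil {
		return errors.New("bad signature or data")
	}
	want := sha256.Sum256(body) // assumed: RequestHash is SHA-256 of the request body
	switch {
	case d.Audience != audience: // token minted for another consumer of the TPM
		return errors.New("wrong audience")
	case d.Timestamp < now-maxSkew || d.Timestamp > now+maxSkew: // seconds, like MaxTimeSkew
		return errors.New("timestamp outside allowed skew")
	case !bytes.Equal(d.RequestHash, want[:]): // token replayed with a different request
		return errors.New("request hash mismatch")
	}
	return nil
}
func main() { fmt.Println(checkToken("Bearer abc", nil, 0, 300, nil)) } // prints: wrong token prefix
```

A real verifier would also compare the claimed project, zone and instance against TPMVerifierOptions and the cloud API before trusting the node.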