Documentation
Index
- type APIRenewer
- type CertificateRenewHandler
- type ExpirationInfo
- type FileRenewer
- type Manager
- func (rm *Manager) Certificates() []*CertificateRenewHandler
- func (rm *Manager) CreateRenewCSR(name, outdir string) error
- func (rm *Manager) GetExpirationInfo(name string) (*ExpirationInfo, error)
- func (rm *Manager) IsExternallyManaged(h *CertificateRenewHandler) (bool, error)
- func (rm *Manager) RenewUsingCSRAPI(name string, client clientset.Interface) error
- func (rm *Manager) RenewUsingLocalCA(name string) (bool, error)
Types
type APIRenewer (added in v1.15.0)
type APIRenewer struct {
// contains filtered or unexported fields
}
APIRenewer defines a certificate renewer implementation that uses the K8s certificate API
func NewAPIRenewer (added in v1.15.0)
func NewAPIRenewer(client clientset.Interface) *APIRenewer
NewAPIRenewer returns a new certificate renewer implementation that uses the K8s certificate API
func (*APIRenewer) Renew (added in v1.15.0)
func (r *APIRenewer) Renew(cfg *certutil.Config) (*x509.Certificate, crypto.Signer, error)
Renew a certificate using the K8s certificate API
type CertificateRenewHandler (added in v1.15.0)
type CertificateRenewHandler struct {
	// Name of the certificate to be used for UX.
	// This value can be used to trigger operations on this certificate
	Name string

	// LongName of the certificate to be used for UX
	LongName string

	// FileName defines the name (or the BaseName) of the certificate file
	FileName string

	// CABaseName define the base name for the CA that should be used for certificate renewal
	CABaseName string
	// contains filtered or unexported fields
}
CertificateRenewHandler defines required info for renewing a certificate
type ExpirationInfo (added in v1.15.0)
type ExpirationInfo struct {
	// Name of the certificate
	// For PKI certificates, it is the name defined in the certsphase package, while for certificates
	// embedded in the kubeConfig files, it is the kubeConfig file name defined in the kubeadm constants package.
	// If you use the CertificateRenewHandler returned by Certificates func, handler.Name already contains the right value.
	Name string

	// ExpirationDate defines certificate expiration date
	ExpirationDate time.Time

	// ExternallyManaged defines if the certificate is externally managed, that is when
	// the signing CA certificate is provided without the certificate key (In this case kubeadm can't renew the certificate)
	ExternallyManaged bool
}
ExpirationInfo defines expiration info for a certificate
func (*ExpirationInfo) ResidualTime (added in v1.15.0)
func (e *ExpirationInfo) ResidualTime() time.Duration
ResidualTime returns the time remaining until expiration
type FileRenewer (added in v1.15.0)
type FileRenewer struct {
// contains filtered or unexported fields
}
FileRenewer defines a certificate renewer implementation that uses a given CA cert and key for generating new certificates
func NewFileRenewer (added in v1.15.0)
func NewFileRenewer(caCert *x509.Certificate, caKey crypto.Signer) *FileRenewer
NewFileRenewer returns a new certificate renewer that uses a given CA cert and key for generating new certificates
func (*FileRenewer) Renew (added in v1.15.0)
func (r *FileRenewer) Renew(cfg *certutil.Config) (*x509.Certificate, crypto.Signer, error)
Renew a certificate using a given CA cert and key
type Manager (added in v1.15.0)
type Manager struct {
// contains filtered or unexported fields
}
Manager can be used to coordinate certificate renewal and related processes, like CSR generation or checking certificate expiration
func NewManager (added in v1.15.0)
func NewManager(cfg *kubeadmapi.ClusterConfiguration, kubernetesDir string) (*Manager, error)
NewManager returns a new certificate renewal manager ready for handling certificates in the cluster
func (*Manager) Certificates (added in v1.15.0)
func (rm *Manager) Certificates() []*CertificateRenewHandler
Certificates returns the list of certificates controlled by this Manager
func (*Manager) CreateRenewCSR (added in v1.15.0)
CreateRenewCSR generates a CSR for certificate renewal. For PKI certificates, use the name defined in the certsphase package, while for certificates embedded in the kubeConfig files, use the kubeConfig file name defined in the kubeadm constants package. If you use the CertificateRenewHandler returned by Certificates func, handler.Name already contains the right value.
func (*Manager) GetExpirationInfo (added in v1.15.0)
func (rm *Manager) GetExpirationInfo(name string) (*ExpirationInfo, error)
GetExpirationInfo returns certificate expiration info. For PKI certificates, use the name defined in the certsphase package, while for certificates embedded in the kubeConfig files, use the kubeConfig file name defined in the kubeadm constants package. If you use the CertificateRenewHandler returned by Certificates func, handler.Name already contains the right value.
func (*Manager) IsExternallyManaged (added in v1.15.0)
func (rm *Manager) IsExternallyManaged(h *CertificateRenewHandler) (bool, error)
IsExternallyManaged checks if we are in the external CA case (CA certificate provided without the certificate key)
func (*Manager) RenewUsingCSRAPI (added in v1.15.0)
RenewUsingCSRAPI executes certificate renewal using the K8s certificate API. For PKI certificates, use the name defined in the certsphase package, while for certificates embedded in the kubeConfig files, use the kubeConfig file name defined in the kubeadm constants package. If you use the CertificateRenewHandler returned by Certificates func, handler.Name already contains the right value.
func (*Manager) RenewUsingLocalCA (added in v1.15.0)
RenewUsingLocalCA executes certificate renewal using local certificate authorities for generating new certs. For PKI certificates, use the name defined in the certsphase package, while for certificates embedded in the kubeConfig files, use the kubeConfig file name defined in the kubeadm constants package. If you use the CertificateRenewHandler returned by Certificates func, handler.Name already contains the right value.
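An added example, not kubeadm's code: the steps behind a renewal with a local CA (fresh key, fresh serial, signature by the CA key) and the refusal when the CA certificate is present without its key, which is the externally managed case described above. The function name `issue`, the choice of Ed25519 and the sample certificate names are assumptions of this example; it uses only the Go standard library.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs cfg with a fresh Ed25519 key and a random serial (stored in cfg.SerialNumber).
// ca set with caKey nil is the external-CA case; ca nil self-signs (used for the sample CA).
func issue(cfg, ca *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, crypto.Signer, error) {
	if ca != nil && caKey == nil {
		return nil, nil, fmt.Errorf("%q: CA key absent, externally managed", cfg.Subject.CommonName)
	}
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if cfg.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)); err != nil {
		return nil, nil, err
	}
	if ca == nil {
		ca, caKey = cfg, key
	}
	der, err := x509.CreateCertificate(rand.Reader, cfg, ca, pub, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func main() {
	now := time.Now() // inputs below are constructed samples, not cluster data
	ca, caKey, err := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "sample-ca"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now, NotAfter: now.AddDate(1, 0, 0)}, nil, nil)
	if err != nil {
		panic(err)
	}
	cfg := &x509.Certificate{Subject: pkix.Name{CommonName: "kube-apiserver"}, NotBefore: now, NotAfter: now.AddDate(0, 3, 0)}
	cert, _, err := issue(cfg, ca, caKey)
	_, _, extErr := issue(cfg, ca, nil)
	fmt.Println(cert != nil, err, extErr)
}
```

Each call produces a new key pair, so a renewed certificate never reuses the private key of the one it replaces.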