Affected by GO-2022-0617 and 10 other vulnerabilities

GO-2022-0617: WITHDRAWN: Potential proxy IP restriction bypass in Kubernetes in k8s.io/kubernetes

GO-2022-0983: kubectl ANSI escape characters not filtered in k8s.io/kubernetes

GO-2023-1628: Kubernetes vulnerable to path traversal in k8s.io/kubernetes

GO-2023-1629: Kubernetes vulnerable to validation bypass in k8s.io/kubernetes

GO-2023-1864: Kubelet vulnerable to bypass of seccomp profile enforcement in k8s.io/kubernetes

GO-2023-1891: kube-apiserver vulnerable to policy bypass in k8s.io/kubernetes

GO-2023-1892: Kubernetes mountable secrets policy bypass in k8s.io/kubernetes

GO-2023-2170: Kubernetes privilege escalation vulnerability in k8s.io/kubernetes

GO-2023-2330: Kubernetes privilege escalation vulnerability in k8s.io/kubernetes

GO-2023-2341: Kubernetes Improper Input Validation vulnerability in k8s.io/kubernetes

GO-2024-2994: Kubernetes sets incorrect permissions on Windows containers logs in k8s.io/kubernetes

gcp

package

v1.23.10-rc.0 Latest Latest Go to latest Published: Jul 13, 2022 License: Apache-2.0 Imports: 13 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/kubernetes/kubernetes

Documentation ¶

Overview ¶

Package gcp contains implementations of DockerConfigProvider for Google Cloud Platform.

Index ¶

Constants
type ContainerRegistryProvider
- func (g *ContainerRegistryProvider) Enabled() bool
- func (g *ContainerRegistryProvider) Provide(image string) credentialprovider.DockerConfig
type DockerConfigKeyProvider
- func (g *DockerConfigKeyProvider) Provide(image string) credentialprovider.DockerConfig
type DockerConfigURLKeyProvider
- func (g *DockerConfigURLKeyProvider) Provide(image string) credentialprovider.DockerConfig
type MetadataProvider
- func (g *MetadataProvider) Enabled() bool

Constants ¶

View Source

const (

	// DockerConfigKey is the URL of the dockercfg metadata key used by DockerConfigKeyProvider.
	DockerConfigKey = metadataAttributes + "google-dockercfg"
	// DockerConfigURLKey is the URL of the dockercfg metadata key used by DockerConfigURLKeyProvider.
	DockerConfigURLKey = metadataAttributes + "google-dockercfg-url"

	// StorageScopePrefix is the prefix checked by ContainerRegistryProvider.Enabled.
	StorageScopePrefix = "https://www.googleapis.com/auth/devstorage"
)

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type ContainerRegistryProvider ¶

type ContainerRegistryProvider struct {
	MetadataProvider
}

ContainerRegistryProvider is a DockerConfigProvider that provides a dockercfg with:

Username: "_token"
Password: "{access token from metadata}"

func (*ContainerRegistryProvider) Enabled ¶

func (g *ContainerRegistryProvider) Enabled() bool

Enabled implements a special metadata-based check, which verifies the storage scope is available on the GCE VM. If running on a GCE VM, check if 'default' service account exists. If it does not exist, assume that registry is not enabled. If default service account exists, check if relevant scopes exist in the default service account. The metadata service can become temporarily inaccesible. Hence all requests to the metadata service will be retried until the metadata server returns a `200`. It is expected that "http://metadata.google.internal./computeMetadata/v1/instance/service-accounts/" will return a `200` and "http://metadata.google.internal./computeMetadata/v1/instance/service-accounts/default/scopes" will also return `200`. More information on metadata service can be found here - https://cloud.google.com/compute/docs/storing-retrieving-metadata

func (*ContainerRegistryProvider) Provide ¶

func (g *ContainerRegistryProvider) Provide(image string) credentialprovider.DockerConfig

Provide implements DockerConfigProvider

type DockerConfigKeyProvider ¶

type DockerConfigKeyProvider struct {
	MetadataProvider
}

DockerConfigKeyProvider is a DockerConfigProvider that reads its configuration from a specific Google Compute Engine metadata key: 'google-dockercfg'.

func (*DockerConfigKeyProvider) Provide ¶

func (g *DockerConfigKeyProvider) Provide(image string) credentialprovider.DockerConfig

Provide implements DockerConfigProvider

type DockerConfigURLKeyProvider ¶

type DockerConfigURLKeyProvider struct {
	MetadataProvider
}

DockerConfigURLKeyProvider is a DockerConfigProvider that reads its configuration from a URL read from a specific Google Compute Engine metadata key: 'google-dockercfg-url'.

func (*DockerConfigURLKeyProvider) Provide ¶

func (g *DockerConfigURLKeyProvider) Provide(image string) credentialprovider.DockerConfig

Provide implements DockerConfigProvider

type MetadataProvider ¶

type MetadataProvider struct {
	Client *http.Client
}

MetadataProvider is a DockerConfigProvider that reads its configuration from Google Compute Engine metadata.

func (*MetadataProvider) Enabled ¶

func (g *MetadataProvider) Enabled() bool

Enabled implements DockerConfigProvider for all of the Google implementations.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL