GO-2023-2355: Knative Serving vulnerable to attacker-controlled pod causing denial of service of autoscaler in knative.dev/serving

autotls

package

v0.17.1 Latest Latest Go to latest Published: Aug 20, 2020 License: Apache-2.0 Imports: 20 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/knative/serving

Links

Open Source Insights

README ¶

This is the instruction about how to run Auto TLS E2E test under different configurations to test different use cases. For more details about Auto TLS feature, check out the Auto TLS feature documentation.

To run Auto TLS E2E test locally, run the following commands:

test case 1: testing per ksvc certificate provision with self-signed CA
1. kubectl label namespace serving-tests networking.internal.knative.dev/disableWildcardCert=true
2. kubectl delete kcert --all -n serving-tests
3. kubectl apply -f test/config/autotls/certmanager/selfsigned/
4. go test -v -tags=e2e -count=1 -timeout=600s ./test/e2e/autotls/... -run ^TestAutoTLS$
test case 2: testing per namespace certificate provision with self-signed CA
1. kubectl delete kcert --all -n serving-tests
2. kubectl apply -f test/config/autotls/certmanager/selfsigned/
3. Run kubectl edit namespace serving-tests and remove the label networking.internal.knative.dev/disableWildcardCert
4. go test -v -tags=e2e -count=1 -timeout=600s ./test/e2e/autotls/... -run ^TestAutoTLS$
test case 3: testing per ksvc certificate provision with HTTP challenge
1. kubectl label namespace serving-tests networking.internal.knative.dev/disableWildcardCert=true
2. kubectl delete kcert --all -n serving-tests
3. kubectl apply -f test/config/autotls/certmanager/http01/
4. export SERVICE_NAME=http01
5. kubectl patch cm config-domain -n knative-serving -p '{"data":{"<your-custom-domain>":""}}'
6. Add a DNS A record to map host http01.serving-tests.<your-custom-domain> to the Ingress IP.
7. go test -v -tags=e2e -count=1 -timeout=600s ./test/e2e/autotls/... -run ^TestAutoTLS$

Documentation ¶

Index ¶

func CreateDialContext(t *testing.T, ing *v1alpha1.Ingress, clients *test.Clients) func(context.Context, string, string) (net.Conn, error)

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func CreateDialContext ¶

func CreateDialContext(t *testing.T, ing *v1alpha1.Ingress, clients *test.Clients) func(context.Context, string, string) (net.Conn, error)

CreateDialContext looks up the endpoint information to create a "dialer" for the provided Ingress' public ingress loas balancer. It can be used to contact external-visibility services with an HTTP client via:

client := &http.Client{
	Transport: &http.Transport{
		DialContext: CreateDialContext(t, ing, clients),
	},
}

Types ¶

This section is empty.

Source Files ¶

View all Source files

util.go

Directories ¶

Path	Synopsis
config
disablenscert
dnscleanup
dnssetup

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL