bump k8s tag for 1.28-1.30 #3300

Merged (2 commits), Sep 12, 2024
38 changes: 19 additions & 19 deletions projects/kubernetes/kubernetes/1-23/CHECKSUMS
@@ -1,19 +1,19 @@
e23b06b9aab30e2a0cbc08f6070fe8828ba0cb12ad2ba2cd75c2ff446ca7f2cc _output/1-23/bin/darwin/amd64/kubectl
8b814eef21307b7029dfa8fb702be6c7772cacffd92e260e93c12673c0c53477 _output/1-23/bin/linux/amd64/kube-apiserver
0a563a03f9c08f9275a6c8664c9ab840d40b0d79bdfbf945a90fa88ee23f62d9 _output/1-23/bin/linux/amd64/kube-controller-manager
6afe1580482bc11749fa172df6c8a351a10144938b8c1a49365b1a8a45732860 _output/1-23/bin/linux/amd64/kube-proxy
94603ec27476b5fee0a455f413437da8366401db5640839b554b4707cea52aa0 _output/1-23/bin/linux/amd64/kube-scheduler
f338dc9e9eff40c19c8aa4427232f8c895f4cc04818ad9cd1db44789619db63e _output/1-23/bin/linux/amd64/kubeadm
fdba50866b38868bea34bbbfcf070e48ca2b4b7530bcc4d07ba41712238b4556 _output/1-23/bin/linux/amd64/kubectl
395f0fa57a212e38a32bd2b76224d4bdc6ab320f20c5ab117be1567f6c0583f5 _output/1-23/bin/linux/amd64/kubelet
6e997ff59d0b5a289c2c57dbe4e3740c56fc5ea1cc5acd44a2991c13804ceb3b _output/1-23/bin/linux/arm64/kube-apiserver
e62821a6a6a5b5d5163aa773c02068802e887d5638b6a655c1a5ba9f2b5908f5 _output/1-23/bin/linux/arm64/kube-controller-manager
77fe80e7979adfb95f037adebcd344c988a1e5718aaf2dfd65453aab200e87fb _output/1-23/bin/linux/arm64/kube-proxy
a8919c63f2f6471f27a54f169a18b372fa9fc947334e0832b825a977f2cab71f _output/1-23/bin/linux/arm64/kube-scheduler
acb688d1094cdd3db9a2c601e16c03d557f9de37705f24da972efb9b337399b7 _output/1-23/bin/linux/arm64/kubeadm
79c2202bbbaa9f2491de4333f97cca979abb1326e019533917d3d912b8d3b753 _output/1-23/bin/linux/arm64/kubectl
865fa64847783f2d796dd83a624725192e2ee88e7f82207dfb540a078ac29ff4 _output/1-23/bin/linux/arm64/kubelet
a3cfb2c109e0c18b3abed2f03880e7063f71afdac96b4dcbe7b0e9a6e8857b23 _output/1-23/bin/windows/amd64/kube-proxy.exe
56329007aa6db01705a98ac363d35623670b169c23f5636130d02094166dfaaf _output/1-23/bin/windows/amd64/kubeadm.exe
6fe3545efae6ec6d2532f65410cfa3997e58c451d0a34a2bc999d37532b8af54 _output/1-23/bin/windows/amd64/kubectl.exe
b5463a563645c7b5d721f962be92f5273c38c51343535f82e39113aa3212380f _output/1-23/bin/windows/amd64/kubelet.exe
8dfd502ab91140cb70ef1378f3296d661b9babd997a13cec82aa3006c8aa0318 _output/1-23/bin/darwin/amd64/kubectl
4cb5645a6f8281abbfc0ccfb3dc10d951379c3ba6f114918185e4f04bbe71cd0 _output/1-23/bin/linux/amd64/kube-apiserver
85598741fcad67aa674c362bb1f8c9b69ac88b12dcdf81d958b6d33b25645099 _output/1-23/bin/linux/amd64/kube-controller-manager
2662c8ac0482b26a2ed2a4f664f6c6e97796d1c6105555abfd99903f1b97e4da _output/1-23/bin/linux/amd64/kube-proxy
c432738d74fda99c45c851fed50f06bddc0197ac33a56fed499ac95f5abffa15 _output/1-23/bin/linux/amd64/kube-scheduler
228d5eae1067ed7ff09076ceb04b389f26b1470bde2caabca51d988582eeac28 _output/1-23/bin/linux/amd64/kubeadm
3bedcb8a56bfb2a111c70120577db5c3b499fa9db09a2f1a08b51ae19fa6c286 _output/1-23/bin/linux/amd64/kubectl
5e545547794ee22ad51b9d7643ccc0788cdcc0409121ae19dd4e927059e273ff _output/1-23/bin/linux/amd64/kubelet
4e2e43b0dc0ddb1eea8b83a153c85d78806e7ac6a3afec54f9a844edccb68c81 _output/1-23/bin/linux/arm64/kube-apiserver
fb7cce18011f23ce9267ab76f012d1c940053b7d1182a46c0dfd91567ee8f0dc _output/1-23/bin/linux/arm64/kube-controller-manager
c5bb72b35da66c80023e48c77a1802061d58ea620d3f627743f508c2edd86999 _output/1-23/bin/linux/arm64/kube-proxy
a2a0c657a28d594e46db8a3bd5f11230925a1038ad22491a72d3fdbe7308fcc5 _output/1-23/bin/linux/arm64/kube-scheduler
c0c0d53b4ceb409eec117302b089910fffed817a6abff5397f187a062035e483 _output/1-23/bin/linux/arm64/kubeadm
f5472523b8b63f5550baf2cb3cc662e707ad5ed7220b8fcac0ebeacbb729ed03 _output/1-23/bin/linux/arm64/kubectl
5bc8ebb19524922db178e125d6f7b1c71a27f8f22e874a4e3c4f2ffd72da521a _output/1-23/bin/linux/arm64/kubelet
8d7c730aa60183dcd7b4b7e1057cffaa55997dfe7a9997389c990b9cbfd6629c _output/1-23/bin/windows/amd64/kube-proxy.exe
b265f65613de428d7b8b423e18c73d6cb412bfe096fb8d0356e53472a9967c2c _output/1-23/bin/windows/amd64/kubeadm.exe
07cccd8d1be796c9b1cf27480d7a54c96458ad82e3c0f7b7b95b4f37bc3bcd55 _output/1-23/bin/windows/amd64/kubectl.exe
44a1da4d15c9e91e4c09b31b5fcff9f538fbb81b617a42a1e92a3572d1591823 _output/1-23/bin/windows/amd64/kubelet.exe
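Review bot: The PR title says 1.28-1.30, but this hunk rewrites projects/kubernetes/kubernetes/1-23/CHECKSUMS, and the new patch below states it is needed until 1.23 leaves EKS support; the title and description should name 1.23 as well so the scope of the change is clear. All 19 checksums change, which is what a rebuild with a new patch produces, but the extracted hunk has lost its +/- markers, so pair the first 19 lines (old) with the last 19 (new) by path when checking that no binary was added or dropped.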
@@ -0,0 +1,332 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: haoranleo <[email protected]>
Date: Wed, 28 Aug 2024 13:39:45 -0700
Subject: [PATCH] --EKS-PATCH-- Add sourceARN to sts headers

Description:
Add caller info (source account and source arn) to STS requests that legacy cloud provider makes
on behalf of customer through request headers, this is for confusion deputy issue protection. With
the change customer is able to configure global conditional key in their IAM role in addition to trust
policies https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html.

Upstream PR, Issue, KEP, etc. links:
We did same change in CCM https://github.com/kubernetes/cloud-provider-aws/pull/649 but for versions < 1.27,
KCM still has in-tree legacy cloud provider. This patch is for these legacy cloud providers in KCM.

If this patch is based on an upstream commit, how (if at all) do this patch and the upstream source differ?
N/A

If this patch's changes have not been added by upstream, why not?
Versions < 1.27 are out of support upstream.

Other patches related to this patch:
N/A

Changes made to this patch after its initial creation and reasons for these changes:
N/A

Kubernetes version this patch can be dropped:
Till 1.23 is out of EKS support.

Signed-off-by: Leo Li <[email protected]>
---
.../k8s.io/legacy-cloud-providers/aws/aws.go | 40 +++++++-
.../legacy-cloud-providers/aws/aws_utils.go | 21 +++++
.../aws/aws_utils_test.go | 57 ++++++++++++
.../github.com/aws/aws-sdk-go/aws/arn/arn.go | 93 +++++++++++++++++++
vendor/modules.txt | 1 +
5 files changed, 210 insertions(+), 2 deletions(-)
create mode 100644 staging/src/k8s.io/legacy-cloud-providers/aws/aws_utils_test.go
create mode 100644 vendor/github.com/aws/aws-sdk-go/aws/arn/arn.go

diff --git a/staging/src/k8s.io/legacy-cloud-providers/aws/aws.go b/staging/src/k8s.io/legacy-cloud-providers/aws/aws.go
index fe38604d422..6730488fed5 100644
--- a/staging/src/k8s.io/legacy-cloud-providers/aws/aws.go
+++ b/staging/src/k8s.io/legacy-cloud-providers/aws/aws.go
@@ -253,6 +253,11 @@ const volumeAttachmentStuck = "VolumeAttachmentStuck"
// Indicates that a node has volumes stuck in attaching state and hence it is not fit for scheduling more pods
const nodeWithImpairedVolumes = "NodeWithImpairedVolumes"

+// Headers for STS request for source ARN
+const headerSourceArn = "x-amz-source-arn"
+// Headers for STS request for source account
+const headerSourceAccount = "x-amz-source-account"
+
const (
// volumeAttachmentConsecutiveErrorLimit is the number of consecutive errors we will ignore when waiting for a volume to attach/detach
volumeAttachmentStatusConsecutiveErrorLimit = 10
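Review bot: Style point on the two new header constants: they are added as two separate top-level `const` declarations, each with a plural comment ("Headers for STS request ...") on a single constant, directly above an existing `const (` block. Moving both into that block (or one small `const (` group) under one comment such as `// Header names carrying the caller's source ARN and account on STS AssumeRole requests` keeps aws.go's existing grouping and reads better.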
@@ -614,6 +619,11 @@ type CloudConfig struct {

// RoleARN is the IAM role to assume when interaction with AWS APIs.
RoleARN string
+ // SourceARN is value which is passed while assuming role specified by RoleARN. When a service
+ // assumes a role in your account, you can include the aws:SourceAccount and aws:SourceArn global
+ // condition context keys in your role trust policy to limit access to the role to only requests that are generated
+ // by expected resources. https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html
+ SourceARN string

// KubernetesClusterTag is the legacy cluster id we'll use to identify our cluster resources
KubernetesClusterTag string
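Review bot: The new SourceARN doc comment explains what the trust-policy condition keys do but not what value an operator should put in the field. Because getSourceAccount parses it as an ARN and derives x-amz-source-account from its account section, the comment should state that this must be a complete ARN of a resource in the calling account (the value the trust policy's aws:SourceArn condition will be matched against) and that a malformed value causes cloud provider initialization to fail rather than being ignored.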
@@ -1215,8 +1225,13 @@ func init() {
var creds *credentials.Credentials
if cfg.Global.RoleARN != "" {
klog.Infof("Using AWS assumed role %v", cfg.Global.RoleARN)
+
+ stsClient, err := getSTSClient(sess, cfg.Global.SourceARN)
+ if err != nil {
+ return nil, fmt.Errorf("unable to create sts client, %v", err)
+ }
provider := &stscreds.AssumeRoleProvider{
- Client: sts.New(sess),
+ Client: stsClient,
RoleARN: cfg.Global.RoleARN,
}

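Review bot: Failing initialization when SourceARN is set but cannot be parsed is the right fail-closed choice for a confused-deputy mitigation (silently omitting the headers would leave the trust policy condition unmet and push operators toward loosening it), but `fmt.Errorf("unable to create sts client, %v", err)` should use `: %w` so the underlying error can be unwrapped by callers.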
@@ -1232,6 +1247,27 @@ func init() {
})
}

+func getSTSClient(sess *session.Session, sourceARN string) (*sts.STS, error) {
+ stsClient := sts.New(sess)
+
+ // parse both source account and source arn from the sourceARN, and add them as headers to the STS client
+ if sourceARN != "" {
+ sourceAcct, err := getSourceAccount(sourceARN)
+ if err != nil {
+ return nil, err
+ }
+ reqHeaders := map[string]string{
+ headerSourceAccount: sourceAcct,
+ headerSourceArn: sourceARN,
+ }
+ stsClient.Handlers.Sign.PushFront(func(s *request.Request) {
+ s.ApplyOptions(request.WithSetRequestHeaders(reqHeaders))
+ })
+ klog.V(4).Infof("configuring STS client with extra headers, %v", reqHeaders)
+ }
+ return stsClient, nil
+}
+
func getRegionFromMetadata(cfg *CloudConfig) (string, error) {
klog.Infof("Get AWS region from metadata client")

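Review bot: getSTSClient registers the header injection with `Handlers.Sign.PushFront`, so x-amz-source-arn and x-amz-source-account are present before SigV4 signing runs and are covered by the request signature; this deserves a sentence in a doc comment (the function has none), because someone later moving this into a post-sign handler would produce headers that are not covered by the signature. Two smaller points: logging the whole header map at `klog.V(4)` is fine since both values are ARN-derived and not secret, and when sourceARN is empty the function silently returns a plain client, so the doc comment should say the feature is opt-in via SourceARN.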
@@ -1264,7 +1300,7 @@ func readAWSCloudConfig(config io.Reader) (*CloudConfig, error) {
var err error

if config != nil {
- err = gcfg.ReadInto(&cfg, config)
+ err = gcfg.FatalOnly(gcfg.ReadInto(&cfg, config))
if err != nil {
return nil, err
}
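Review bot: This hunk changes cloud-config parsing from `gcfg.ReadInto` to `gcfg.FatalOnly(gcfg.ReadInto(...))`, which makes non-fatal gcfg errors (such as unrecognized keys in the config file) tolerated instead of rejected. That is a behaviour change unrelated to the STS headers and it is not mentioned in the Description; it should either be explained there (for example, if it is needed so one config file can be shared across versions that do not all know the SourceARN key) or split into its own patch.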
diff --git a/staging/src/k8s.io/legacy-cloud-providers/aws/aws_utils.go b/staging/src/k8s.io/legacy-cloud-providers/aws/aws_utils.go
index f9e6cdab617..8445429aba4 100644
--- a/staging/src/k8s.io/legacy-cloud-providers/aws/aws_utils.go
+++ b/staging/src/k8s.io/legacy-cloud-providers/aws/aws_utils.go
@@ -20,7 +20,10 @@ limitations under the License.
package aws

import (
+ "fmt"
+
"github.com/aws/aws-sdk-go/aws"
+ "github.com/aws/aws-sdk-go/aws/arn"

"k8s.io/apimachinery/pkg/util/sets"
)
@@ -46,3 +49,21 @@ func stringSetFromPointers(in []*string) sets.String {
}
return out
}
+
+// getSourceAccount constructs source acct and return them for use
+func getSourceAccount(roleARN string) (string, error) {
+ // ARN format (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html)
+ // arn:partition:service:region:account-id:resource-type/resource-id
+ // IAM format, region is always blank
+ // arn:aws:iam::account:role/role-name-with-path
+ if !arn.IsARN(roleARN) {
+ return "", fmt.Errorf("incorrect ARN format for role %s", roleARN)
+ }
+
+ parsedArn, err := arn.Parse(roleARN)
+ if err != nil {
+ return "", err
+ }
+
+ return parsedArn.AccountID, nil
+}
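Review bot: getSourceAccount accepts any syntactically valid ARN, so a value with an empty account section (an S3-style ARN, for instance) passes both `arn.IsARN` and `arn.Parse` and yields an empty x-amz-source-account header. Add a check that `parsedArn.AccountID != ""` and return an error otherwise; if the value is meant to be an IAM role ARN, as the parameter name `roleARN` and the comment's `arn:aws:iam::account:role/...` format suggest, also check `parsedArn.Service == "iam"`, and note that the caller actually passes cfg.Global.SourceARN, so either the parameter should be renamed or the comment should say a non-role ARN is acceptable. The `arn.IsARN` call is redundant with `arn.Parse`, which already rejects a bad prefix or section count; keeping only Parse and wrapping its error with the offending input gives the same friendly message. The doc comment "constructs source acct and return them" should read "returns the account ID parsed from the given ARN".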
diff --git a/staging/src/k8s.io/legacy-cloud-providers/aws/aws_utils_test.go b/staging/src/k8s.io/legacy-cloud-providers/aws/aws_utils_test.go
new file mode 100644
index 00000000000..b3c67af6e11
--- /dev/null
+++ b/staging/src/k8s.io/legacy-cloud-providers/aws/aws_utils_test.go
@@ -0,0 +1,57 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package aws
+
+import "testing"
+
+func TestGetSourceAcctAndArn(t *testing.T) {
+ type args struct {
+ roleARN string
+ }
+ tests := []struct {
+ name string
+ args args
+ want string
+ wantErr bool
+ }{
+ {
+ name: "corect role arn",
+ args: args{
+ roleARN: "arn:aws:iam::123456789876:role/test-cluster",
+ },
+ want: "123456789876",
+ wantErr: false,
+ },
+ {
+ name: "incorect role arn",
+ args: args{
+ roleARN: "arn:aws:iam::123456789876",
+ },
+ want: "",
+ wantErr: true,
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ got, err := getSourceAccount(tt.args.roleARN)
+ if (err != nil) != tt.wantErr {
+ t.Errorf("getSourceAccount() error = %v, wantErr %v", err, tt.wantErr)
+ return
+ }
+ if got != tt.want {
+ t.Errorf("getSourceAccount() got = %v, want %v", got, tt.want)
+ }
+ })
+ }
+}
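Review bot: The test name TestGetSourceAcctAndArn does not match the function under test (getSourceAccount), and the case names have typos ("corect", "incorect"). More importantly, the cases only cover a valid IAM role ARN and a truncated one; add a case with an empty account section (which arn.Parse accepts, so the test pins down whether an empty source account is meant to succeed), one with a non-IAM service, and one with an empty string, which the caller skips but the function itself does not guard.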
diff --git a/vendor/github.com/aws/aws-sdk-go/aws/arn/arn.go b/vendor/github.com/aws/aws-sdk-go/aws/arn/arn.go
new file mode 100644
index 00000000000..1c496742903
--- /dev/null
+++ b/vendor/github.com/aws/aws-sdk-go/aws/arn/arn.go
@@ -0,0 +1,93 @@
+// Package arn provides a parser for interacting with Amazon Resource Names.
+package arn
+
+import (
+ "errors"
+ "strings"
+)
+
+const (
+ arnDelimiter = ":"
+ arnSections = 6
+ arnPrefix = "arn:"
+
+ // zero-indexed
+ sectionPartition = 1
+ sectionService = 2
+ sectionRegion = 3
+ sectionAccountID = 4
+ sectionResource = 5
+
+ // errors
+ invalidPrefix = "arn: invalid prefix"
+ invalidSections = "arn: not enough sections"
+)
+
+// ARN captures the individual fields of an Amazon Resource Name.
+// See http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html for more information.
+type ARN struct {
+ // The partition that the resource is in. For standard AWS regions, the partition is "aws". If you have resources in
+ // other partitions, the partition is "aws-partitionname". For example, the partition for resources in the China
+ // (Beijing) region is "aws-cn".
+ Partition string
+
+ // The service namespace that identifies the AWS product (for example, Amazon S3, IAM, or Amazon RDS). For a list of
+ // namespaces, see
+ // http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#genref-aws-service-namespaces.
+ Service string
+
+ // The region the resource resides in. Note that the ARNs for some resources do not require a region, so this
+ // component might be omitted.
+ Region string
+
+ // The ID of the AWS account that owns the resource, without the hyphens. For example, 123456789012. Note that the
+ // ARNs for some resources don't require an account number, so this component might be omitted.
+ AccountID string
+
+ // The content of this part of the ARN varies by service. It often includes an indicator of the type of resource —
+ // for example, an IAM user or Amazon RDS database - followed by a slash (/) or a colon (:), followed by the
+ // resource name itself. Some services allows paths for resource names, as described in
+ // http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arns-paths.
+ Resource string
+}
+
+// Parse parses an ARN into its constituent parts.
+//
+// Some example ARNs:
+// arn:aws:elasticbeanstalk:us-east-1:123456789012:environment/My App/MyEnvironment
+// arn:aws:iam::123456789012:user/David
+// arn:aws:rds:eu-west-1:123456789012:db:mysql-db
+// arn:aws:s3:::my_corporate_bucket/exampleobject.png
+func Parse(arn string) (ARN, error) {
+ if !strings.HasPrefix(arn, arnPrefix) {
+ return ARN{}, errors.New(invalidPrefix)
+ }
+ sections := strings.SplitN(arn, arnDelimiter, arnSections)
+ if len(sections) != arnSections {
+ return ARN{}, errors.New(invalidSections)
+ }
+ return ARN{
+ Partition: sections[sectionPartition],
+ Service: sections[sectionService],
+ Region: sections[sectionRegion],
+ AccountID: sections[sectionAccountID],
+ Resource: sections[sectionResource],
+ }, nil
+}
+
+// IsARN returns whether the given string is an ARN by looking for
+// whether the string starts with "arn:" and contains the correct number
+// of sections delimited by colons(:).
+func IsARN(arn string) bool {
+ return strings.HasPrefix(arn, arnPrefix) && strings.Count(arn, ":") >= arnSections-1
+}
+
+// String returns the canonical representation of the ARN
+func (arn ARN) String() string {
+ return arnPrefix +
+ arn.Partition + arnDelimiter +
+ arn.Service + arnDelimiter +
+ arn.Region + arnDelimiter +
+ arn.AccountID + arnDelimiter +
+ arn.Resource
+}
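Review bot: This is a vendored copy of the aws-sdk-go `arn` package; vendor/modules.txt pins github.com/aws/aws-sdk-go v1.54.6, so please confirm the file is identical to that version's aws/arn/arn.go, ideally produced by `go mod vendor` after adding the import rather than copied in by hand, so vendor consistency checks stay green. Behaviour worth knowing when getSourceAccount relies on it: `IsARN` only checks the `arn:` prefix and that at least five colons exist, and `Parse` uses `SplitN` with 6, so extra colons stay inside Resource and an ARN with empty region or account sections parses successfully with empty fields; any stricter validation has to live in the caller.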
diff --git a/vendor/modules.txt b/vendor/modules.txt
index e39aeaae133..15de67fee97 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -116,6 +116,7 @@ github.com/asaskevich/govalidator
# github.com/aws/aws-sdk-go v1.54.6 => github.com/aws/aws-sdk-go v1.54.6
## explicit; go 1.19
github.com/aws/aws-sdk-go/aws
+github.com/aws/aws-sdk-go/aws/arn
github.com/aws/aws-sdk-go/aws/auth/bearer
github.com/aws/aws-sdk-go/aws/awserr
github.com/aws/aws-sdk-go/aws/awsutil