cluster/kube: bump nginx-ingress-controller, backport openssl 1.1.1k
This fixes CVE-2021-3450 and CVE-2021-3449. Deployed on prod: $ kubectl -n nginx-system exec nginx-ingress-controller-5c69c5cb59-2f8v4 -- openssl version OpenSSL 1.1.1k 25 Mar 2021 Change-Id: I7115fd2367cca7b687c555deb2134b22d19a291a
This commit is contained in:
parent
1632aaee04
commit
2e8d24b84a
3 changed files with 74 additions and 7 deletions
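--- /dev/null
+++ b/cluster/kube/k0-nginx-ingress-controller.jsonnet
@@ -0,0 +1,7 @@
+// Only the NGINX Ingress Controller.
+
+local k0 = (import "k0.libsonnet").k0;
+
+{
+nginx: k0.cluster.nginx,
+}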
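--- /dev/null
+++ b/cluster/kube/lib/nginx-ingress-controller/Dockerfile
@@ -0,0 +1,7 @@
+# Temporary bump up to openssl 1.1.1k.
+# TODO(q3k): remove this once 1.1.1k lands in upstream n-i-c.
+
+FROM k8s.gcr.io/ingress-nginx/controller:v0.44.0@sha256:3dd0fac48073beaca2d67a78c746c7593f9c575168a17139a9955a82c63c4b9a
+USER root
+RUN apk update && apk upgrade
+USER www-data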
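Review bot: `RUN apk update && apk upgrade` upgrades every package in the base image rather than the three OpenSSL packages the commit message and the recorded build log name, and its result depends on whatever the Alpine mirror holds on the day of the build, so a later rebuild of this same Dockerfile under the same `v0.44.0-r1` tag can differ from what was verified on prod. Restricting the upgrade to the packages that carry the fix, skipping the package cache so the index does not end up in the layer, and asserting the version at build time keeps the image reproducible for its stated purpose and makes the build fail loudly if the mirror has not caught up: `RUN apk upgrade --no-cache libssl1.1 libcrypto1.1 openssl \` followed by ` && openssl version | grep -q '1\.1\.1k'`. The `openssl version` check relies on the base image shipping the openssl binary, which the prod check quoted in the commit message indicates it does.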
@ -8,7 +8,20 @@ local policies = import "../../../kube/policies.libsonnet";
|
|||
local env = self,
|
||||
local cfg = env.cfg,
|
||||
cfg:: {
|
||||
image: "quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.23.0",
|
||||
# Built from nginx-ingress-controller/Dockerfile:
|
||||
#
|
||||
# $ cd cluster/kube/lib/nginx-ingress-controller
|
||||
# $ docker build -t eu.gcr.io/bgpwtf/nginx-ingress-controller:v0.44.0-r1 .
|
||||
# [..]
|
||||
# (2/8) Upgrading libcrypto1.1 (1.1.1i-r0 -> 1.1.1k-r0)
|
||||
# (3/8) Upgrading libssl1.1 (1.1.1i-r0 -> 1.1.1k-r0
|
||||
# [...]
|
||||
# (8/8) Upgrading openssl (1.1.1i-r0 -> 1.1.1k-r0)
|
||||
# $ docker push eu.gcr.io/bgpwtf/nginx-ingress-controller:v0.44.0-r1
|
||||
#
|
||||
# TODO(q3k): unfork this once openssl 1.1.1k lands in upstream
|
||||
# nginx-ingress-controller.
|
||||
image: "eu.gcr.io/bgpwtf/nginx-ingress-controller:v0.44.0-r1",
|
||||
namespace: "nginx-system",
|
||||
},
|
||||
|
||||
|
@ -62,7 +75,7 @@ local policies = import "../../../kube/policies.libsonnet";
|
|||
verbs: ["get", "list", "watch"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["extensions"],
|
||||
apiGroups: ["extensions", "networking.k8s.io"],
|
||||
resources: ["ingresses"],
|
||||
verbs: ["get", "list", "watch"],
|
||||
},
|
||||
|
@ -72,10 +85,15 @@ local policies = import "../../../kube/policies.libsonnet";
|
|||
verbs: ["create", "patch"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["extensions"],
|
||||
apiGroups: ["extensions", "networking.k8s.io"],
|
||||
resources: ["ingresses/status"],
|
||||
verbs: ["update"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["extensions", "networking.k8s.io"],
|
||||
resources: ["ingressclasses"],
|
||||
verbs: ["get", "list", "watch"],
|
||||
},
|
||||
],
|
||||
},
|
||||
|
||||
|
@ -102,9 +120,34 @@ local policies = import "../../../kube/policies.libsonnet";
|
|||
rules : [
|
||||
{
|
||||
apiGroups: [""],
|
||||
resources: ["configmaps", "pods", "secrets", "namespaces"],
|
||||
resources: ["namespaces"],
|
||||
verbs: ["get"],
|
||||
},
|
||||
{
|
||||
apiGroups: [""],
|
||||
resources: ["configmaps", "pods", "secrets", "endpoints"],
|
||||
verbs: ["get", "list", "watch"],
|
||||
},
|
||||
{
|
||||
apiGroups: [""],
|
||||
resources: ["services"],
|
||||
verbs: ["get", "list", "watch"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["extensions", "networking.k8s.io"],
|
||||
resources: ["ingresses"],
|
||||
verbs: ["get", "list", "watch"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["extensions", "networking.k8s.io"],
|
||||
resources: ["ingresses/status"],
|
||||
verbs: ["update"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["extensions", "networking.k8s.io"],
|
||||
resources: ["ingressclasses"],
|
||||
verbs: ["get", "list", "watch"],
|
||||
},
|
||||
{
|
||||
apiGroups: [""],
|
||||
resources: ["configmaps"],
|
||||
|
@ -118,8 +161,8 @@ local policies = import "../../../kube/policies.libsonnet";
|
|||
},
|
||||
{
|
||||
apiGroups: [""],
|
||||
resources: ["endpoints"],
|
||||
verbs: ["get"],
|
||||
resources: ["events"],
|
||||
verbs: ["create", "patch"],
|
||||
},
|
||||
],
|
||||
},
|
||||
|
@ -177,8 +220,18 @@ local policies = import "../../../kube/policies.libsonnet";
|
|||
containers_: {
|
||||
controller: kube.Container("nginx-ingress-controller") {
|
||||
image: cfg.image,
|
||||
imagePullPolicy: "IfNotPresent",
|
||||
lifecycle: {
|
||||
preStop: {
|
||||
exec: {
|
||||
command: [ "/wait-shutdown" ],
|
||||
},
|
||||
},
|
||||
},
|
||||
args: [
|
||||
"/nginx-ingress-controller",
|
||||
"--election-id=ingress-controller-leader",
|
||||
"--ingress-class=nginx",
|
||||
"--configmap=%s/%s" % [cfg.namespace, env.maps.configuration.metadata.name],
|
||||
"--tcp-services-configmap=%s/%s" % [cfg.namespace, env.maps.tcp.metadata.name],
|
||||
"--udp-services-configmap=%s/%s" % [cfg.namespace, env.maps.udp.metadata.name],
|
||||
|
@ -222,7 +275,7 @@ local policies = import "../../../kube/policies.libsonnet";
|
|||
drop: ["ALL"],
|
||||
add: ["NET_BIND_SERVICE"],
|
||||
},
|
||||
runAsUser: 33,
|
||||
runAsUser: 101,
|
||||
},
|
||||
resources: {
|
||||
limits: { cpu: "2", memory: "4G" },
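Review bot: The backported image on the new `image:` line is referenced by the mutable tag `eu.gcr.io/bgpwtf/nginx-ingress-controller:v0.44.0-r1`, while the Dockerfile it was built from pins its own base by digest; whatever `-r1` resolves to in that registry path can change (a re-push, or a rebuild of the unpinned `apk upgrade`) without any diff appearing in this file, and `imagePullPolicy: "IfNotPresent"` in the container spec means nodes that already hold that tag will not even re-pull. Since this change exists specifically to ship a security fix, the reference should carry the digest printed by `docker push` in the recorded build log: `image: "eu.gcr.io/bgpwtf/nginx-ingress-controller:v0.44.0-r1@sha256:<digest from the docker push output>",`. It would also help to add that digest to the build-procedure comment above the `image:` line so the next `-r2` rebuild follows the same step. The `cfg` object is fully inside the first hunk, but the environment object enclosing it starts outside the hunk.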