From 2e8d24b84a52b775a55a68efcff1b9af66c3ed75 Mon Sep 17 00:00:00 2001
From: Serge Bazanski
Date: Thu, 25 Mar 2021 18:39:52 +0100
Subject: [PATCH] cluster/kube: bump nginx-ingress-controller, backport openssl 1.1.1k

This fixes CVE-2021-3450 and CVE-2021-3449.

Deployed on prod:

$ kubectl -n nginx-system exec nginx-ingress-controller-5c69c5cb59-2f8v4 -- openssl version
OpenSSL 1.1.1k 25 Mar 2021

Change-Id: I7115fd2367cca7b687c555deb2134b22d19a291a
---
 .../kube/k0-nginx-ingress-controller.jsonnet | 7 ++
 .../lib/nginx-ingress-controller/Dockerfile | 7 ++
 cluster/kube/lib/nginx.libsonnet | 67 +++++++++++++++++--
 3 files changed, 74 insertions(+), 7 deletions(-)
 create mode 100644 cluster/kube/k0-nginx-ingress-controller.jsonnet
 create mode 100644 cluster/kube/lib/nginx-ingress-controller/Dockerfile

diff --git a/cluster/kube/k0-nginx-ingress-controller.jsonnet b/cluster/kube/k0-nginx-ingress-controller.jsonnet
new file mode 100644
index 00000000..a3a608e5
--- /dev/null
+++ b/cluster/kube/k0-nginx-ingress-controller.jsonnet
@@ -0,0 +1,7 @@
+// Only the NGINX Ingress Controller.
+
+local k0 = (import "k0.libsonnet").k0;
+
+{
+ nginx: k0.cluster.nginx,
+}
diff --git a/cluster/kube/lib/nginx-ingress-controller/Dockerfile b/cluster/kube/lib/nginx-ingress-controller/Dockerfile
new file mode 100644
index 00000000..95553873
--- /dev/null
+++ b/cluster/kube/lib/nginx-ingress-controller/Dockerfile
@@ -0,0 +1,7 @@
+# Temporary bump up to openssl 1.1.1k.
+# TODO(q3k): remove this once 1.1.1k lands in upstream n-i-c.
+
+FROM k8s.gcr.io/ingress-nginx/controller:v0.44.0@sha256:3dd0fac48073beaca2d67a78c746c7593f9c575168a17139a9955a82c63c4b9a
+USER root
+RUN apk update && apk upgrade
+USER www-data
diff --git a/cluster/kube/lib/nginx.libsonnet b/cluster/kube/lib/nginx.libsonnet
index 510f8515..02422dc7 100644
--- a/cluster/kube/lib/nginx.libsonnet
+++ b/cluster/kube/lib/nginx.libsonnet
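Review bot: `RUN apk update && apk upgrade` in the new Dockerfile neither pins nor verifies the OpenSSL version the commit message claims, so the same file rebuilt against a stale mirror (or later against a newer index) silently yields an image that differs from what was checked on prod. Make the build fail unless the fix is actually present and keep the apk index out of the layer, e.g. `RUN apk --no-cache upgrade && openssl version | grep -q '^OpenSSL 1\.1\.1k'` (the commit message shows the `openssl` binary is in the image). The base image is pinned by digest, which is good; the resulting `v0.44.0-r1` tag should be consumed the same way, since the point of this image is a specific patched library.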
@@ -8,7 +8,20 @@ local policies = import "../../../kube/policies.libsonnet";
 local env = self,
 local cfg = env.cfg,
 cfg:: {
- image: "quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.23.0",
+ # Built from nginx-ingress-controller/Dockerfile:
+ #
+ # $ cd cluster/kube/lib/nginx-ingress-controller
+ # $ docker build -t eu.gcr.io/bgpwtf/nginx-ingress-controller:v0.44.0-r1 .
+ # [..]
+ # (2/8) Upgrading libcrypto1.1 (1.1.1i-r0 -> 1.1.1k-r0)
+ # (3/8) Upgrading libssl1.1 (1.1.1i-r0 -> 1.1.1k-r0
+ # [...]
+ # (8/8) Upgrading openssl (1.1.1i-r0 -> 1.1.1k-r0)
+ # $ docker push eu.gcr.io/bgpwtf/nginx-ingress-controller:v0.44.0-r1
+ #
+ # TODO(q3k): unfork this once openssl 1.1.1k lands in upstream
+ # nginx-ingress-controller.
+ image: "eu.gcr.io/bgpwtf/nginx-ingress-controller:v0.44.0-r1",
 namespace: "nginx-system",
 },
@@ -62,7 +75,7 @@ local policies = import "../../../kube/policies.libsonnet";
 verbs: ["get", "list", "watch"],
 },
 {
- apiGroups: ["extensions"],
+ apiGroups: ["extensions", "networking.k8s.io"],
 resources: ["ingresses"],
 verbs: ["get", "list", "watch"],
 },
@@ -72,10 +85,15 @@ local policies = import "../../../kube/policies.libsonnet";
 verbs: ["create", "patch"],
 },
 {
- apiGroups: ["extensions"],
+ apiGroups: ["extensions", "networking.k8s.io"],
 resources: ["ingresses/status"],
 verbs: ["update"],
 },
+ {
+ apiGroups: ["extensions", "networking.k8s.io"],
+ resources: ["ingressclasses"],
+ verbs: ["get", "list", "watch"],
+ },
 ],
 },
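Review bot: The new `image:` default references the fork by the mutable tag `v0.44.0-r1` only, so the manifest cannot prove which build a pod runs; the Dockerfile pins its base by digest but the patched image is not pinned anywhere. Copy the digest that `docker push` prints into the reference, `image: "eu.gcr.io/bgpwtf/nginx-ingress-controller:v0.44.0-r1@sha256:<digest from docker push>",`, and add that push line to the build-log comment above so the next rebuild knows to update it. The `(3/8) Upgrading libssl1.1` line of the comment is missing its closing parenthesis. The `cfg::` object continues beyond the hunk.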
@@ -102,9 +120,34 @@ local policies = import "../../../kube/policies.libsonnet";
 rules : [
 {
 apiGroups: [""],
- resources: ["configmaps", "pods", "secrets", "namespaces"],
+ resources: ["namespaces"],
 verbs: ["get"],
 },
+ {
+ apiGroups: [""],
+ resources: ["configmaps", "pods", "secrets", "endpoints"],
+ verbs: ["get", "list", "watch"],
+ },
+ {
+ apiGroups: [""],
+ resources: ["services"],
+ verbs: ["get", "list", "watch"],
+ },
+ {
+ apiGroups: ["extensions", "networking.k8s.io"],
+ resources: ["ingresses"],
+ verbs: ["get", "list", "watch"],
+ },
+ {
+ apiGroups: ["extensions", "networking.k8s.io"],
+ resources: ["ingresses/status"],
+ verbs: ["update"],
+ },
+ {
+ apiGroups: ["extensions", "networking.k8s.io"],
+ resources: ["ingressclasses"],
+ verbs: ["get", "list", "watch"],
+ },
 {
 apiGroups: [""],
 resources: ["configmaps"],
@@ -118,8 +161,8 @@ local policies = import "../../../kube/policies.libsonnet";
 },
 {
 apiGroups: [""],
- resources: ["endpoints"],
- verbs: ["get"],
+ resources: ["events"],
+ verbs: ["create", "patch"],
 },
 ],
 },
@@ -177,8 +220,18 @@ local policies = import "../../../kube/policies.libsonnet";
 containers_: {
 controller: kube.Container("nginx-ingress-controller") {
 image: cfg.image,
+ imagePullPolicy: "IfNotPresent",
+ lifecycle: {
+ preStop: {
+ exec: {
+ command: [ "/wait-shutdown" ],
+ },
+ },
+ },
 args: [
 "/nginx-ingress-controller",
+ "--election-id=ingress-controller-leader",
+ "--ingress-class=nginx",
 "--configmap=%s/%s" % [cfg.namespace, env.maps.configuration.metadata.name],
 "--tcp-services-configmap=%s/%s" % [cfg.namespace, env.maps.tcp.metadata.name],
 "--udp-services-configmap=%s/%s" % [cfg.namespace, env.maps.udp.metadata.name],
@@ -222,7 +275,7 @@ local policies = import "../../../kube/policies.libsonnet";
 drop: ["ALL"],
 add: ["NET_BIND_SERVICE"],
 },
- runAsUser: 33,
+ runAsUser: 101,
 },
 resources: {
 limits: { cpu: "2", memory: "4G" },
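Review bot: The first hunk widens `secrets` from `get` to `get, list, watch`, which lets the controller enumerate every Secret in the namespace this rule set is bound in rather than only fetch named ones; that is what the upstream v0.44 manifests grant, but the object's kind and binding are outside the hunk, so please confirm this is the namespace-scoped Role and not the ClusterRole. The `configmaps` rule that starts on the last lines of the hunk has its body outside the view; with `--election-id=ingress-controller-leader` and `--ingress-class=nginx` now set explicitly elsewhere in this patch, the leader-election ConfigMap the controller will use is presumably named `ingress-controller-leader-nginx`, so any `resourceNames:` on that rule must match it or leader election will be denied. A one-line comment on that rule naming the flags it is derived from, `// must match --election-id + "-" + --ingress-class below`, would keep the two in sync.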
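Review bot: `imagePullPolicy: "IfNotPresent"` is spelled out for a container whose `cfg.image` default is a tag-only reference, so a node that already has any `v0.44.0-r1` layer cached keeps running it even if the tag is re-pushed after the next rebuild; the `openssl version` check in the commit message covers only the single pod it was run in. For a non-`latest` tag this is already the default, so the line changes nothing but documents the hazard; the safe combination is to pin `cfg.image` by digest (then `IfNotPresent` is exact), otherwise this should be `imagePullPolicy: "Always"` for the forked image. The `/wait-shutdown` preStop hook and the two new flags match what the upstream controller manifest uses. The container definition continues beyond the hunk.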
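Review bot: `runAsUser: 101` in the last hunk is a bare number that has to match the uid of `www-data` in the new image (the Dockerfile ends with `USER www-data`), and nothing here records that or catches drift. Add a comment, `runAsUser: 101, // uid of www-data in k8s.gcr.io/ingress-nginx/controller; was 33 in the old quay.io image`, and `runAsNonRoot: true` beside it so that if `runAsUser` is ever dropped the kubelet refuses an image that defaults to root instead of starting it. The `securityContext` this belongs to starts outside the hunk.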