cluster/kube: bump nginx-ingress-controller, backport openssl 1.1.1k

This pulls in the OpenSSL 1.1.1k release, which fixes CVE-2021-3450 and CVE-2021-3449.

Deployed on prod:

$ kubectl -n nginx-system exec nginx-ingress-controller-5c69c5cb59-2f8v4 -- openssl version
OpenSSL 1.1.1k  25 Mar 2021

Change-Id: I7115fd2367cca7b687c555deb2134b22d19a291a
changes/83/883/2
q3k 2021-03-25 18:39:52 +01:00
parent 1632aaee04
commit 2e8d24b84a
3 changed files with 74 additions and 7 deletions


@ -0,0 +1,7 @@
// Only the NGINX Ingress Controller.
local k0 = (import "k0.libsonnet").k0;
{
nginx: k0.cluster.nginx,
}


@ -0,0 +1,7 @@
# Temporary bump up to openssl 1.1.1k.
# TODO(q3k): remove this once 1.1.1k lands in upstream n-i-c.
FROM k8s.gcr.io/ingress-nginx/controller:v0.44.0@sha256:3dd0fac48073beaca2d67a78c746c7593f9c575168a17139a9955a82c63c4b9a
USER root
RUN apk update && apk upgrade
USER www-data
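Review bot: The `RUN apk update && apk upgrade` on the third line upgrades every package to whatever the Alpine mirror serves at build time and never checks that the 1.1.1k libssl/libcrypto actually landed, so the fix the commit claims is only verified by the manual `openssl version` in the description; a rebuild against a lagging mirror would silently produce an image still at 1.1.1i under the same tag. Make the expectation part of the build, e.g. `RUN apk upgrade --no-cache libcrypto1.1 libssl1.1 openssl \` followed by `    && openssl version | grep -q '^OpenSSL 1\.1\.1k'`, so the build fails rather than ships a stale library (the `--no-cache` also keeps the apk index out of the layer, assuming apk honours it for `upgrade` as it does for `add`). Restricting the upgrade to the three openssl packages keeps the fork's drift from the digest-pinned upstream base minimal, which makes the TODO on line 2 easier to retire.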


@ -8,7 +8,20 @@ local policies = import "../../../kube/policies.libsonnet";
local env = self, local env = self,
local cfg = env.cfg, local cfg = env.cfg,
cfg:: { cfg:: {
image: "quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.23.0", # Built from nginx-ingress-controller/Dockerfile:
#
# $ cd cluster/kube/lib/nginx-ingress-controller
# $ docker build -t eu.gcr.io/bgpwtf/nginx-ingress-controller:v0.44.0-r1 .
# [..]
# (2/8) Upgrading libcrypto1.1 (1.1.1i-r0 -> 1.1.1k-r0)
# (3/8) Upgrading libssl1.1 (1.1.1i-r0 -> 1.1.1k-r0
# [...]
# (8/8) Upgrading openssl (1.1.1i-r0 -> 1.1.1k-r0)
# $ docker push eu.gcr.io/bgpwtf/nginx-ingress-controller:v0.44.0-r1
#
# TODO(q3k): unfork this once openssl 1.1.1k lands in upstream
# nginx-ingress-controller.
image: "eu.gcr.io/bgpwtf/nginx-ingress-controller:v0.44.0-r1",
namespace: "nginx-system", namespace: "nginx-system",
}, },
@ -62,7 +75,7 @@ local policies = import "../../../kube/policies.libsonnet";
verbs: ["get", "list", "watch"], verbs: ["get", "list", "watch"],
}, },
{ {
apiGroups: ["extensions"], apiGroups: ["extensions", "networking.k8s.io"],
resources: ["ingresses"], resources: ["ingresses"],
verbs: ["get", "list", "watch"], verbs: ["get", "list", "watch"],
}, },
@ -72,10 +85,15 @@ local policies = import "../../../kube/policies.libsonnet";
verbs: ["create", "patch"], verbs: ["create", "patch"],
}, },
{ {
apiGroups: ["extensions"], apiGroups: ["extensions", "networking.k8s.io"],
resources: ["ingresses/status"], resources: ["ingresses/status"],
verbs: ["update"], verbs: ["update"],
}, },
{
apiGroups: ["extensions", "networking.k8s.io"],
resources: ["ingressclasses"],
verbs: ["get", "list", "watch"],
},
], ],
}, },
@ -102,9 +120,34 @@ local policies = import "../../../kube/policies.libsonnet";
rules : [ rules : [
{ {
apiGroups: [""], apiGroups: [""],
resources: ["configmaps", "pods", "secrets", "namespaces"], resources: ["namespaces"],
verbs: ["get"], verbs: ["get"],
}, },
{
apiGroups: [""],
resources: ["configmaps", "pods", "secrets", "endpoints"],
verbs: ["get", "list", "watch"],
},
{
apiGroups: [""],
resources: ["services"],
verbs: ["get", "list", "watch"],
},
{
apiGroups: ["extensions", "networking.k8s.io"],
resources: ["ingresses"],
verbs: ["get", "list", "watch"],
},
{
apiGroups: ["extensions", "networking.k8s.io"],
resources: ["ingresses/status"],
verbs: ["update"],
},
{
apiGroups: ["extensions", "networking.k8s.io"],
resources: ["ingressclasses"],
verbs: ["get", "list", "watch"],
},
{ {
apiGroups: [""], apiGroups: [""],
resources: ["configmaps"], resources: ["configmaps"],
@ -118,8 +161,8 @@ local policies = import "../../../kube/policies.libsonnet";
}, },
{ {
apiGroups: [""], apiGroups: [""],
resources: ["endpoints"], resources: ["events"],
verbs: ["get"], verbs: ["create", "patch"],
}, },
], ],
}, },
@ -177,8 +220,18 @@ local policies = import "../../../kube/policies.libsonnet";
containers_: { containers_: {
controller: kube.Container("nginx-ingress-controller") { controller: kube.Container("nginx-ingress-controller") {
image: cfg.image, image: cfg.image,
imagePullPolicy: "IfNotPresent",
lifecycle: {
preStop: {
exec: {
command: [ "/wait-shutdown" ],
},
},
},
args: [ args: [
"/nginx-ingress-controller", "/nginx-ingress-controller",
"--election-id=ingress-controller-leader",
"--ingress-class=nginx",
"--configmap=%s/%s" % [cfg.namespace, env.maps.configuration.metadata.name], "--configmap=%s/%s" % [cfg.namespace, env.maps.configuration.metadata.name],
"--tcp-services-configmap=%s/%s" % [cfg.namespace, env.maps.tcp.metadata.name], "--tcp-services-configmap=%s/%s" % [cfg.namespace, env.maps.tcp.metadata.name],
"--udp-services-configmap=%s/%s" % [cfg.namespace, env.maps.udp.metadata.name], "--udp-services-configmap=%s/%s" % [cfg.namespace, env.maps.udp.metadata.name],
@ -222,7 +275,7 @@ local policies = import "../../../kube/policies.libsonnet";
drop: ["ALL"], drop: ["ALL"],
add: ["NET_BIND_SERVICE"], add: ["NET_BIND_SERVICE"],
}, },
runAsUser: 33, runAsUser: 101,
}, },
resources: { resources: {
limits: { cpu: "2", memory: "4G" }, limits: { cpu: "2", memory: "4G" },
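Review bot: The forked image on the new `image:` line in the first hunk is referenced by the mutable tag `eu.gcr.io/bgpwtf/nginx-ingress-controller:v0.44.0-r1`, while the Dockerfile it is built from pins its upstream base by sha256 digest — the trust chain is digest-pinned up to the registry push and tag-only from there. Combined with the added `imagePullPolicy: "IfNotPresent"`, a node that already holds something under that tag will keep running it, and a retagged push (by mistake or by anyone with push rights to the registry) would be picked up by any fresh node. Pin the deployed reference with the digest `docker push` prints, `image: "eu.gcr.io/bgpwtf/nginx-ingress-controller:v0.44.0-r1@sha256:<digest from docker push>",` and record that digest in the build comment above it. Separately, the fourth hunk (which looks like the namespaced Role) widens `secrets` from `get` to `get, list, watch`; that is presumably what the v0.44 upstream manifest requires, but a one-line comment such as `# list/watch on secrets is needed by the v0.44 informers; it lets the controller enumerate all secrets in the namespace` would keep the next reader from reading it as an accidental grant.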