Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Disallow local loopback for volume hosts #97934

Merged
merged 1 commit into from
Jan 27, 2021
Merged

Disallow local loopback for volume hosts #97934

merged 1 commit into from
Jan 27, 2021

Conversation

mattcary
Copy link
Contributor

/kind bug

What this PR does / why we need it:
This is another part of the fix for #91542

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

Mitigate CVE-2020-8555 for kube-up using GCE by preventing local loopback folume hosts.

/cc @liggitt @msau42
/sig storage

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/bug Categorizes issue or PR as related to a bug. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. sig/storage Categorizes an issue or PR as relevant to SIG Storage. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. area/provider/gcp Issues or PRs related to gcp provider sig/cloud-provider Categorizes an issue or PR as relevant to SIG Cloud Provider. labels Jan 11, 2021
@msau42
Copy link
Member

msau42 commented Jan 11, 2021

/lgtm
/assign @cheftako

similar change should be made to cloud-provider-gcp

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 11, 2021
@mattcary mattcary mentioned this pull request Jan 12, 2021
Merged
@liggitt
Copy link
Member

liggitt commented Jan 21, 2021

anything else blocking this?

@msau42
Copy link
Member

msau42 commented Jan 21, 2021

Nope, just needs approval

@liggitt
Copy link
Member

liggitt commented Jan 21, 2021

ack, will let walter tag

@cheftako
Copy link
Member

/lgtm
/approve

@cheftako
Copy link
Member

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jan 25, 2021
@cheftako
Copy link
Member

/priority important-soon

@k8s-ci-robot k8s-ci-robot added the priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. label Jan 25, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cheftako, mattcary

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. and removed needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Jan 25, 2021
@mattcary
Copy link
Contributor Author

/retest

@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

3 similar comments
@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@liggitt
Copy link
Member

liggitt commented Jan 26, 2021

Dynamic Provisioning [k8s.io] GlusterDynamicProvisioner should create and delete persistent volumes test is failing ... is this relevant?

@liggitt
Copy link
Member

liggitt commented Jan 26, 2021

/hold

https://prow.k8s.io/pr-history/?org=kubernetes&repo=kubernetes&pr=97934 shows consistent failure on this test

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 26, 2021
@liggitt
Copy link
Member

liggitt commented Jan 26, 2021

seen in the controller manager log:

glusterfs.go:838] failed to create volume: Post "http://10.64.3.127:8081/volumes": lookup 10.64.3.127:8081: no such host

@mattcary
Copy link
Contributor Author

mattcary commented Jan 26, 2021 via email

@liggitt
Copy link
Member

liggitt commented Jan 26, 2021

if I'm reading the filtered proxy dialer correctly, I don't actually see how it could be working... DialContext is given a host:port. LookupIPAddr expects just the host. Opened #98436 to fix this (will need to be picked to 1.20)

@liggitt
Copy link
Member

liggitt commented Jan 26, 2021

if you want to rebase this PR on #98436, we can verify that allows the function to work properly

@mattcary
Copy link
Contributor Author

mattcary commented Jan 26, 2021 via email

@liggitt liggitt mentioned this pull request Jan 26, 2021
Merged
@mattcary
Disallow local loopback for volume hosts
9a7dcd3 
Change-Id: Ic356c3f859057153cfad97327f1938792a1a512c
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 27, 2021
@liggitt
Copy link
Member

liggitt commented Jan 27, 2021

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 27, 2021
@liggitt
Copy link
Member

liggitt commented Jan 27, 2021

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 27, 2021
@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

1 similar comment
@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@k8s-ci-robot k8s-ci-robot merged commit de4d771 into kubernetes:master Jan 27, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.21 milestone Jan 27, 2021
@github-actions github-actions bot mentioned this pull request Feb 3, 2021
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@liggitt liggitt Awaiting requested review from liggitt

@msau42 msau42 Awaiting requested review from msau42

Assignees

@cheftako cheftako

@liggitt liggitt

@msau42 msau42

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/provider/gcp Issues or PRs related to gcp provider cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/cloud-provider Categorizes an issue or PR as relevant to SIG Cloud Provider. sig/storage Categorizes an issue or PR as relevant to SIG Storage. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Milestone
v1.21
Development

Successfully merging this pull request may close these issues.
6 participants
@mattcary @msau42 @liggitt @cheftako @k8s-ci-robot @fejta-bot