Merge pull request #473 from nixpanic/bug/DFBUGS-1614

DFBUGS-1614: CVE-2025-0426 cephcsi-container: node denial of service via kubelet checkpoint API
red-hat-storage · Feb 18, 2025 · 5f2922d · 5f2922d
2 parents 79eb51d + aa3236d
commit 5f2922d
Show file tree

Hide file tree

Showing 37 changed files with 527 additions and 188 deletions.
diff --git a/deploy/cephcsi/image/Dockerfile b/deploy/cephcsi/image/Dockerfile
@@ -12,8 +12,10 @@ RUN sed -i 's|^mirrorlist=|#mirrorlist=|g' /etc/yum.repos.d/*.repo && \
 # TODO: remove the following cmd, when issues
 # https://github.com/ceph/ceph-container/issues/2034
 # https://github.com/ceph/ceph-container/issues/2141 are fixed.
-RUN dnf config-manager --disable \
-    tcmu-runner,tcmu-runner-source,tcmu-runner-noarch,ceph-iscsi,ganesha || true
+RUN true \
+    && dnf -y reinstall https://download.ceph.com/rpm-${CEPH_VERSION}/el9/noarch/ceph-release-1-1.el9.noarch.rpm \
+    && ( dnf config-manager --disable tcmu-runner,tcmu-runner-source,tcmu-runner-noarch,ceph-iscsi,ganesha || true ) \
+    && true
 
 RUN mkdir /etc/selinux || true && touch /etc/selinux/config
 

diff --git a/go.mod b/go.mod
@@ -33,14 +33,14 @@ require (
 	//
 	// when updating k8s.io/kubernetes, make sure to update the replace section too
 	//
-	k8s.io/api v0.30.3
-	k8s.io/apimachinery v0.30.3
+	k8s.io/api v0.30.10
+	k8s.io/apimachinery v0.30.10
 	k8s.io/client-go v12.0.0+incompatible
-	k8s.io/cloud-provider v0.30.3
+	k8s.io/cloud-provider v0.30.10
 	k8s.io/klog/v2 v2.130.1
-	k8s.io/kubernetes v1.30.3
-	k8s.io/mount-utils v0.30.3
-	k8s.io/pod-security-admission v0.30.3
+	k8s.io/kubernetes v1.30.10
+	k8s.io/mount-utils v0.30.10
+	k8s.io/pod-security-admission v0.30.10
 	k8s.io/utils v0.0.0-20230726121419-3b25d923346b
 	sigs.k8s.io/controller-runtime v0.18.4
 )
@@ -172,11 +172,11 @@ require (
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/apiextensions-apiserver v0.30.1 // indirect
-	k8s.io/apiserver v0.30.3 // indirect
-	k8s.io/component-base v0.30.3 // indirect
-	k8s.io/component-helpers v0.30.3 // indirect
-	k8s.io/controller-manager v0.30.3 // indirect
-	k8s.io/kms v0.30.3 // indirect
+	k8s.io/apiserver v0.30.10 // indirect
+	k8s.io/component-base v0.30.10 // indirect
+	k8s.io/component-helpers v0.30.10 // indirect
+	k8s.io/controller-manager v0.30.10 // indirect
+	k8s.io/kms v0.30.10 // indirect
 	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
 	k8s.io/kubectl v0.0.0 // indirect
 	k8s.io/kubelet v0.0.0 // indirect
@@ -204,35 +204,35 @@ replace (
 	//
 	// k8s.io/kubernetes depends on these k8s.io packages, but unversioned
 	//
-	k8s.io/api => k8s.io/api v0.30.3
-	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.30.3
-	k8s.io/apimachinery => k8s.io/apimachinery v0.30.3
-	k8s.io/apiserver => k8s.io/apiserver v0.30.3
-	k8s.io/cli-runtime => k8s.io/cli-runtime v0.30.3
-	k8s.io/client-go => k8s.io/client-go v0.30.3
-	k8s.io/cloud-provider => k8s.io/cloud-provider v0.30.3
-	k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.30.3
-	k8s.io/code-generator => k8s.io/code-generator v0.30.3
-	k8s.io/component-base => k8s.io/component-base v0.30.3
-	k8s.io/component-helpers => k8s.io/component-helpers v0.30.3
-	k8s.io/controller-manager => k8s.io/controller-manager v0.30.3
-	k8s.io/cri-api => k8s.io/cri-api v0.30.3
-	k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.30.3
-	k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.30.3
-	k8s.io/endpointslice => k8s.io/endpointslice v0.30.3
-	k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.30.3
-	k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.30.3
-	k8s.io/kube-proxy => k8s.io/kube-proxy v0.30.3
-	k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.30.3
-	k8s.io/kubectl => k8s.io/kubectl v0.30.3
-	k8s.io/kubelet => k8s.io/kubelet v0.30.3
-	k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.30.3
-	k8s.io/metrics => k8s.io/metrics v0.30.3
+	k8s.io/api => k8s.io/api v0.30.10
+	k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.30.10
+	k8s.io/apimachinery => k8s.io/apimachinery v0.30.10
+	k8s.io/apiserver => k8s.io/apiserver v0.30.10
+	k8s.io/cli-runtime => k8s.io/cli-runtime v0.30.10
+	k8s.io/client-go => k8s.io/client-go v0.30.10
+	k8s.io/cloud-provider => k8s.io/cloud-provider v0.30.10
+	k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.30.10
+	k8s.io/code-generator => k8s.io/code-generator v0.30.10
+	k8s.io/component-base => k8s.io/component-base v0.30.10
+	k8s.io/component-helpers => k8s.io/component-helpers v0.30.10
+	k8s.io/controller-manager => k8s.io/controller-manager v0.30.10
+	k8s.io/cri-api => k8s.io/cri-api v0.30.10
+	k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.30.10
+	k8s.io/dynamic-resource-allocation => k8s.io/dynamic-resource-allocation v0.30.10
+	k8s.io/endpointslice => k8s.io/endpointslice v0.30.10
+	k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.30.10
+	k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.30.10
+	k8s.io/kube-proxy => k8s.io/kube-proxy v0.30.10
+	k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.30.10
+	k8s.io/kubectl => k8s.io/kubectl v0.30.10
+	k8s.io/kubelet => k8s.io/kubelet v0.30.10
+	k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.30.10
+	k8s.io/metrics => k8s.io/metrics v0.30.10
 
 	// TODO: replace with latest once https://github.com/ceph/ceph-csi/issues/4633 is fixed
 	k8s.io/mount-utils => k8s.io/mount-utils v0.29.3
-	k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.30.3
-	k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.30.3
+	k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.30.10
+	k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.30.10
 	// layeh.com seems to be misbehaving
 	layeh.com/radius => github.com/layeh/radius v0.0.0-20190322222518-890bc1058917
 )

diff --git a/go.sum b/go.sum
@@ -2553,27 +2553,27 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.1.3/go.mod h1:NgwopIslSNH47DimFoV78dnkksY2EFtX0ajyb3K/las=
-k8s.io/api v0.30.3 h1:ImHwK9DCsPA9uoU3rVh4QHAHHK5dTSv1nxJUapx8hoQ=
-k8s.io/api v0.30.3/go.mod h1:GPc8jlzoe5JG3pb0KJCSLX5oAFIW3/qNJITlDj8BH04=
-k8s.io/apiextensions-apiserver v0.30.3 h1:oChu5li2vsZHx2IvnGP3ah8Nj3KyqG3kRSaKmijhB9U=
-k8s.io/apiextensions-apiserver v0.30.3/go.mod h1:uhXxYDkMAvl6CJw4lrDN4CPbONkF3+XL9cacCT44kV4=
-k8s.io/apimachinery v0.30.3 h1:q1laaWCmrszyQuSQCfNB8cFgCuDAoPszKY4ucAjDwHc=
-k8s.io/apimachinery v0.30.3/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc=
-k8s.io/apiserver v0.30.3 h1:QZJndA9k2MjFqpnyYv/PH+9PE0SHhx3hBho4X0vE65g=
-k8s.io/apiserver v0.30.3/go.mod h1:6Oa88y1CZqnzetd2JdepO0UXzQX4ZnOekx2/PtEjrOg=
-k8s.io/client-go v0.30.3 h1:bHrJu3xQZNXIi8/MoxYtZBBWQQXwy16zqJwloXXfD3k=
-k8s.io/client-go v0.30.3/go.mod h1:8d4pf8vYu665/kUbsxWAQ/JDBNWqfFeZnvFiVdmx89U=
-k8s.io/cloud-provider v0.30.3 h1:SNWZmllTymOTzIPJuhtZH6il/qVi75dQARRQAm9k6VY=
-k8s.io/cloud-provider v0.30.3/go.mod h1:Ax0AVdHnM7tMYnJH1Ycy4SMBD98+4zA+tboUR9eYsY8=
-k8s.io/code-generator v0.30.3/go.mod h1:PFgBiv+miFV7TZYp+RXgROkhA+sWYZ+mtpbMLofMke8=
-k8s.io/component-base v0.30.3 h1:Ci0UqKWf4oiwy8hr1+E3dsnliKnkMLZMVbWzeorlk7s=
-k8s.io/component-base v0.30.3/go.mod h1:C1SshT3rGPCuNtBs14RmVD2xW0EhRSeLvBh7AGk1quA=
-k8s.io/component-helpers v0.30.3 h1:KPc8l0eGx9Wg2OcKc58k9ozNcVcOInAi3NGiuS2xJ/c=
-k8s.io/component-helpers v0.30.3/go.mod h1:VOQ7g3q+YbKWwKeACG2BwPv4ftaN8jXYJ5U3xpzuYAE=
-k8s.io/controller-manager v0.30.3 h1:QRFGkWWD5gi/KCSU0qxyUoZRbt+BKgiCUXiTD1RO95w=
-k8s.io/controller-manager v0.30.3/go.mod h1:F95rjHCOH2WwV9XlVxRo71CtddKLhF3FzE+s1lc7E/0=
-k8s.io/csi-translation-lib v0.30.3 h1:wBaPWnOi14/vANRIrp8pmbdx/Pgz2QRcroH7wkodezc=
-k8s.io/csi-translation-lib v0.30.3/go.mod h1:3AizNZbDttVDH1RO0x1yGEQP74e9Xbfb60IBP1oWO1o=
+k8s.io/api v0.30.10 h1:2YvzRF/BELgCvxbQqFKaan5hnj2+y7JOuqu2WpVk3gg=
+k8s.io/api v0.30.10/go.mod h1:Hyz3ZuK7jVLJBUFvwzDSGwxHuDdsrGs5RzF16wfHIn4=
+k8s.io/apiextensions-apiserver v0.30.10 h1:Im5wWRzf0L4URt08K41e+Uh2bqkHN8rWH8+gk6+8/wY=
+k8s.io/apiextensions-apiserver v0.30.10/go.mod h1:yGWw2UU3WFGLYQjVEs/dgY57U3hNFv1SiT8PrONFZPA=
+k8s.io/apimachinery v0.30.10 h1:UflKuJeSSArttm05wjYP0GwpTlvjnMbDKFn6F7rKkKU=
+k8s.io/apimachinery v0.30.10/go.mod h1:iexa2somDaxdnj7bha06bhb43Zpa6eWH8N8dbqVjTUc=
+k8s.io/apiserver v0.30.10 h1:ozSFhvzw/lauRFFs1auniIoHNVa2hjjkN0/7OYGlfME=
+k8s.io/apiserver v0.30.10/go.mod h1:lJtWYEWEDLkQ1zCLFQrjLQ0X19TlXyaa56K92C1a+f4=
+k8s.io/client-go v0.30.10 h1:C0oWM82QMvosIl/IdJhWfTUb7rIxM52rNSutFBknAVY=
+k8s.io/client-go v0.30.10/go.mod h1:OfTvt0yuo8VpMViOsgvYQb+tMJQLNWVBqXWkzdFXSq4=
+k8s.io/cloud-provider v0.30.10 h1:irijCPElYtcA6rVuwBtn8LlNR13CY8ewfMnJ4foPOTg=
+k8s.io/cloud-provider v0.30.10/go.mod h1:OWNfg4OCbSe/BNQe9e1seODtfdAp1BTxR/ZkknxHfGA=
+k8s.io/code-generator v0.30.10/go.mod h1:b5HvR9KGVjQOK1fbnZfP/FL4Qe3Zox5CfXJ5Wp7tqQo=
+k8s.io/component-base v0.30.10 h1:UJi0vTnTvtwWnVHcQeV1hzansnvTSKzFfMxtYAa8/GY=
+k8s.io/component-base v0.30.10/go.mod h1:q+6CkRDb/JOlqEpDzmuprysj4R/b/zzQO5vVBRynYQA=
+k8s.io/component-helpers v0.30.10 h1:julw9dAWv4vybIbSE/eksTqJrE609LJjyn7V9O1x19c=
+k8s.io/component-helpers v0.30.10/go.mod h1:3ID/1BxSX2ML5CLe1KdXitA7SYeSCrz0MXkPcP7M88A=
+k8s.io/controller-manager v0.30.10 h1:yEOaypLMR5d3IfwbFhISUfgsXj0kW+ind+XcKjQYe2w=
+k8s.io/controller-manager v0.30.10/go.mod h1:HCHIK96kf9/jhCfOE64MpTWjSOQtc4QLtvgBDKapXcg=
+k8s.io/csi-translation-lib v0.30.10 h1:/Etnsm6rJveijZYjyQHwblh8s3YW2SUyj2TvUZHvAtE=
+k8s.io/csi-translation-lib v0.30.10/go.mod h1:4UIc8sXk0Pp0U2kJdxIxmY9rEN7sIuyYjIK7tY74CLs=
 k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E=
 k8s.io/gengo/v2 v2.0.0-20240228010128-51d4e06bde70/go.mod h1:VH3AT8AaQOqiGjMF9p0/IM1Dj+82ZwjfxUP1IxaHE+8=
 k8s.io/klog v0.3.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk=
@@ -2584,22 +2584,22 @@ k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
 k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kms v0.30.3 h1:NLg+oN45S2Y3U0WiLRzbS61AY/XrS5JBMZp531Z+Pho=
-k8s.io/kms v0.30.3/go.mod h1:GrMurD0qk3G4yNgGcsCEmepqf9KyyIrTXYR2lyUOJC4=
+k8s.io/kms v0.30.10 h1:VaoJHFouvS4hGZ1Djusoc9HOksh/02uEspV0Mfy0I/Q=
+k8s.io/kms v0.30.10/go.mod h1:GrMurD0qk3G4yNgGcsCEmepqf9KyyIrTXYR2lyUOJC4=
 k8s.io/kube-openapi v0.0.0-20180731170545-e3762e86a74c/go.mod h1:BXM9ceUBTj2QnfH2MK1odQs778ajze1RxcmP6S8RVVc=
 k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280/go.mod h1:+Axhij7bCpeqhklhUTe3xmOn6bWxolyZEeyaFpjGtl4=
 k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 h1:BZqlfIlq5YbRMFko6/PM7FjZpUb45WallggurYhKGag=
 k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340/go.mod h1:yD4MZYeKMBwQKVht279WycxKyM84kkAx2DPrTXaeb98=
-k8s.io/kubectl v0.30.3 h1:YIBBvMdTW0xcDpmrOBzcpUVsn+zOgjMYIu7kAq+yqiI=
-k8s.io/kubectl v0.30.3/go.mod h1:IcR0I9RN2+zzTRUa1BzZCm4oM0NLOawE6RzlDvd1Fpo=
-k8s.io/kubelet v0.30.3 h1:KvGWDdhzD0vEyDyGTCjsDc8D+0+lwRMw3fJbfQgF7ys=
-k8s.io/kubelet v0.30.3/go.mod h1:D9or45Vkzcqg55CEiqZ8dVbwP3Ksj7DruEVRS9oq3Ys=
-k8s.io/kubernetes v1.30.3 h1:A0qoXI1YQNzrQZiff33y5zWxYHFT/HeZRK98/sRDJI0=
-k8s.io/kubernetes v1.30.3/go.mod h1:yPbIk3MhmhGigX62FLJm+CphNtjxqCvAIFQXup6RKS0=
+k8s.io/kubectl v0.30.10 h1:d/dsbA/JARUcL5wvRGqnjEvsBv7ageTj08PUCIcHwpE=
+k8s.io/kubectl v0.30.10/go.mod h1:2Okr39i+LHeK4QinNqy+IGivw8PCUcXIpfSUiZP8Llk=
+k8s.io/kubelet v0.30.10 h1:R8pQq2XiQdsAJVco/TyZjWFarM5YZ5uK/ckPd+qt5Ck=
+k8s.io/kubelet v0.30.10/go.mod h1:FO8v1212JoblFctyW/V3ZvL8S47sjV71RZLrTvtsiJA=
+k8s.io/kubernetes v1.30.10 h1:/x/z+MTfPkKuEjMJwWdRVxNx7xB54GlGWpcFM6KDwZc=
+k8s.io/kubernetes v1.30.10/go.mod h1:DGWYRXHx5NhImLiR9FvIVBsOKxwKZOX6bPF/YP7TqHY=
 k8s.io/mount-utils v0.29.3 h1:iEcqPP7Vv8UClH8nnMfovtmy/04fIloRW9JuSXykoZ0=
 k8s.io/mount-utils v0.29.3/go.mod h1:9IWJTMe8tG0MYMLEp60xK9GYVeCdA3g4LowmnVi+t9Y=
-k8s.io/pod-security-admission v0.30.3 h1:UDGZWR3ry/XrN/Ki/w7qrp49OwgQsKyh+6xWbexvJi8=
-k8s.io/pod-security-admission v0.30.3/go.mod h1:T1EQSOLl9YyDMnXNJfsq2jeci6uoymY0mrRkkKihd98=
+k8s.io/pod-security-admission v0.30.10 h1:0LPfv9pvZ6XzDY2xkQlPpE3IBxP8RtCdXNtXsFfrt8k=
+k8s.io/pod-security-admission v0.30.10/go.mod h1:BXfCHNKujtBm/YYoyrr5Na1GyVbidV0o/pK5F64WhZM=
 k8s.io/utils v0.0.0-20190506122338-8fab8cb257d5/go.mod h1:sZAwmy6armz5eXlNoLmJcl4F1QuKu7sr+mFQ0byX7Ew=
 k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 k8s.io/utils v0.0.0-20221128185143-99ec85e7a448/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=

diff --git a/scripts/Dockerfile.devel b/scripts/Dockerfile.devel
@@ -25,8 +25,10 @@ RUN source /build.env \
 # TODO: remove the following cmd, when issues
 # https://github.com/ceph/ceph-container/issues/2034
 # https://github.com/ceph/ceph-container/issues/2141 are fixed.
-RUN dnf config-manager --disable \
-    tcmu-runner,tcmu-runner-source,tcmu-runner-noarch,ceph-iscsi,ganesha || true
+RUN true \
+    && dnf -y reinstall https://download.ceph.com/rpm-${CEPH_VERSION}/el9/noarch/ceph-release-1-1.el9.noarch.rpm \
+    && ( dnf config-manager --disable tcmu-runner,tcmu-runner-source,tcmu-runner-noarch,ceph-iscsi,ganesha || true ) \
+    && true
 
 RUN mkdir /etc/selinux || true && touch /etc/selinux/config