
Commit f9fbe83

Merge pull request #395 from hhyasdf/release/v0.8.5
[CHERRY PICK] release for v0.8.5
2 parents 7feb6b8 + ede9c3c commit f9fbe83


3 files changed

+283
-140
lines changed


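--- a/cmd/webhook/main.go
+++ b/cmd/webhook/main.go
@@ -17,8 +17,10 @@
 package main
 
 import (
+"crypto/tls"
 "flag"
 "os"
+"strings"
 
 kubevirtv1 "kubevirt.io/api/core/v1"
 
@@ -71,12 +73,20 @@ func main() {
 var entryLog = ctrllog.Log.WithName("entry")
 entryLog.Info("starting hybridnet webhook", "known-features", feature.KnownFeatures(), "commit-id", gitCommit)
 
+tlsCfgFunc := func(cfg *tls.Config) {
+cfg.CipherSuites = cipherOrder()
+cfg.MinVersion = tls.VersionTLS12
+}
+
 // create manager
 mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 Scheme: scheme,
 LeaderElection: false,
 Port: port,
 MetricsBindAddress: metricsBindAddress,
+TLSOpts: []func(*tls.Config){
+tlsCfgFunc,
+},
 })
 if err != nil {
 entryLog.Error(err, "unable to start manager")
@@ -96,3 +106,46 @@ func main() {
 os.Exit(1)
 }
 }
+
+// Disable insecure cipher suites for CVE-2016-2183
+// cipherOrder returns an ordered list of Ciphers that are considered secure
+// Deprecated ciphers are not returned.
+func cipherOrder() []uint16 {
+var first []uint16
+var second []uint16
+
+allowable := func(c *tls.CipherSuite) bool {
+// Disallow block ciphers using straight SHA1
+// See: https://tools.ietf.org/html/rfc7540#appendix-A
+if strings.HasSuffix(c.Name, "CBC_SHA") {
+return false
+}
+// 3DES is considered insecure
+if strings.Contains(c.Name, "3DES") {
+return false
+}
+return true
+}
+
+for _, c := range tls.CipherSuites() {
+for _, v := range c.SupportedVersions {
+if v == tls.VersionTLS13 {
+first = append(first, c.ID)
+}
+if v == tls.VersionTLS12 && allowable(c) {
+inFirst := false
+for _, id := range first {
+if c.ID == id {
+inFirst = true
+break
+}
+}
+if !inFirst {
+second = append(second, c.ID)
+}
+}
+}
+}
+
+return append(first, second...)
+}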
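Review bot: The doc comment on cipherOrder (new lines 110-112) should start with the function name and should say that the TLS 1.3 IDs placed in `first` are informational only: crypto/tls documents Config.CipherSuites as the list of enabled TLS 1.0–1.2 suites and does not allow TLS 1.3 suites to be configured, so only `second` actually influences negotiation on the webhook listener. Suggested replacement comment: `// cipherOrder returns cipher suite IDs for tls.Config.CipherSuites: TLS 1.3 suites first (ignored by Go, listed for completeness), then the TLS 1.2 suites from tls.CipherSuites() that use neither 3DES nor CBC-with-SHA1 (CVE-2016-2183; RFC 7540 appendix A).` Since TLS 1.3 and TLS 1.2 entries returned by tls.CipherSuites() appear to have disjoint SupportedVersions, the `inFirst` scan looks like it never matches; if that holds it could be dropped, though it is harmless as written. It is also worth stating in a comment that tls.CipherSuites() already excludes the suites Go itself marks insecure, so the name-based filter in `allowable` is a second layer rather than the only one.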

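--- a/go.mod
+++ b/go.mod
@@ -19,7 +19,7 @@ require (
 github.com/onsi/gomega v1.19.0
 github.com/osrg/gobgp/v3 v3.11.0
 github.com/parnurzeal/gorequest v0.2.16
-github.com/prometheus/client_golang v1.12.1
+github.com/prometheus/client_golang v1.12.2
 github.com/sirupsen/logrus v1.9.0
 github.com/spf13/pflag v1.0.5
 github.com/stretchr/testify v1.8.1
@@ -28,43 +28,53 @@ require (
 golang.org/x/sys v0.3.0
 golang.org/x/time v0.0.0-20220609170525-579cf78fd858
 google.golang.org/protobuf v1.28.1
-k8s.io/api v0.23.6
-k8s.io/apimachinery v0.23.6
-k8s.io/apiserver v0.23.6
-k8s.io/client-go v0.23.6
-k8s.io/component-base v0.23.6
+k8s.io/api v0.25.0
+k8s.io/apimachinery v0.25.0
+k8s.io/apiserver v0.25.0
+k8s.io/client-go v0.25.0
+k8s.io/component-base v0.25.0
 k8s.io/kubernetes v0.0.0-00010101000000-000000000000
-k8s.io/utils v0.0.0-20220210201930-3a6ce19ff2f9
+k8s.io/utils v0.0.0-20220728103510-ee6ede2d64ed
 kubevirt.io/api v0.54.0
 sigs.k8s.io/controller-runtime v0.0.0-00010101000000-000000000000
 )
 
 require (
+github.com/PuerkitoBio/purell v1.1.1 // indirect
+github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 github.com/beorn7/perks v1.0.1 // indirect
 github.com/cespare/xxhash/v2 v2.1.2 // indirect
 github.com/davecgh/go-spew v1.1.1 // indirect
 github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13 // indirect
 github.com/eapache/channels v1.1.0 // indirect
 github.com/eapache/queue v1.1.0 // indirect
+github.com/emicklei/go-restful/v3 v3.8.0 // indirect
 github.com/evanphx/json-patch v4.12.0+incompatible // indirect
+github.com/evanphx/json-patch/v5 v5.6.0 // indirect
 github.com/fsnotify/fsnotify v1.6.0 // indirect
-github.com/go-logr/zapr v1.2.0 // indirect
+github.com/go-logr/zapr v1.2.3 // indirect
+github.com/go-openapi/jsonpointer v0.19.5 // indirect
+github.com/go-openapi/jsonreference v0.19.6 // indirect
+github.com/go-openapi/swag v0.21.1 // indirect
 github.com/gogo/protobuf v1.3.2 // indirect
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 github.com/golang/protobuf v1.5.2 // indirect
+github.com/google/gnostic v0.5.7-v3refs // indirect
 github.com/google/go-cmp v0.5.9 // indirect
 github.com/google/gofuzz v1.1.0 // indirect
 github.com/google/uuid v1.3.0 // indirect
-github.com/googleapis/gnostic v0.5.5 // indirect
 github.com/hashicorp/hcl v1.0.0 // indirect
 github.com/imdario/mergo v0.3.12 // indirect
+github.com/josharian/intern v1.0.0 // indirect
 github.com/json-iterator/go v1.1.12 // indirect
 github.com/k-sone/critbitgo v1.4.0 // indirect
 github.com/magiconair/properties v1.8.6 // indirect
+github.com/mailru/easyjson v0.7.7 // indirect
 github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
 github.com/mitchellh/mapstructure v1.5.0 // indirect
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 github.com/modern-go/reflect2 v1.0.2 // indirect
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 github.com/nxadm/tail v1.4.8 // indirect
 github.com/openshift/custom-resource-status v1.1.2 // indirect
 github.com/pborman/uuid v1.2.0 // indirect
@@ -101,47 +111,47 @@ require (
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
-k8s.io/apiextensions-apiserver v0.23.5 // indirect
+k8s.io/apiextensions-apiserver v0.25.0 // indirect
 k8s.io/klog/v2 v2.70.1 // indirect
-k8s.io/kube-openapi v0.0.0-20220124234850-424119656bbf // indirect
+k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 // indirect
 kubevirt.io/containerized-data-importer-api v1.47.0 // indirect
 kubevirt.io/controller-lifecycle-operator-sdk/api v0.0.0-20220329064328-f3cc58c6ed90 // indirect
 moul.io/http2curl v1.0.0 // indirect
-sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect
+sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
 sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 sigs.k8s.io/yaml v1.3.0 // indirect
 )
 
 replace k8s.io/kubernetes => k8s.io/kubernetes v1.20.13
 
 replace (
-k8s.io/api => k8s.io/api v0.23.6
-k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.23.6
-k8s.io/apimachinery => k8s.io/apimachinery v0.23.6
-k8s.io/apiserver => k8s.io/apiserver v0.23.6
-k8s.io/cli-runtime => k8s.io/cli-runtime v0.23.6
-k8s.io/client-go => k8s.io/client-go v0.23.6
-k8s.io/cloud-provider => k8s.io/cloud-provider v0.23.6
-k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.23.6
-k8s.io/code-generator => k8s.io/code-generator v0.23.6
-k8s.io/component-base => k8s.io/component-base v0.23.6
-k8s.io/component-helpers => k8s.io/component-helpers v0.23.6
-k8s.io/controller-manager => k8s.io/controller-manager v0.23.6
-k8s.io/cri-api => k8s.io/cri-api v0.23.6
-k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.23.6
-k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.23.6
-k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.23.6
-k8s.io/kube-proxy => k8s.io/kube-proxy v0.23.6
-k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.23.6
-k8s.io/kubectl => k8s.io/kubectl v0.23.6
-k8s.io/kubelet => k8s.io/kubelet v0.23.6
-k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.23.6
-k8s.io/metrics => k8s.io/metrics v0.23.6
-k8s.io/mount-utils => k8s.io/mount-utils v0.23.6
-k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.23.6
+k8s.io/api => k8s.io/api v0.25.0
+k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.25.0
+k8s.io/apimachinery => k8s.io/apimachinery v0.25.0
+k8s.io/apiserver => k8s.io/apiserver v0.25.0
+k8s.io/cli-runtime => k8s.io/cli-runtime v0.25.0
+k8s.io/client-go => k8s.io/client-go v0.25.0
+k8s.io/cloud-provider => k8s.io/cloud-provider v0.25.0
+k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.25.0
+k8s.io/code-generator => k8s.io/code-generator v0.25.0
+k8s.io/component-base => k8s.io/component-base v0.25.0
+k8s.io/component-helpers => k8s.io/component-helpers v0.25.0
+k8s.io/controller-manager => k8s.io/controller-manager v0.25.0
+k8s.io/cri-api => k8s.io/cri-api v0.25.0
+k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.25.0
+k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.25.0
+k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.25.0
+k8s.io/kube-proxy => k8s.io/kube-proxy v0.25.0
+k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.25.0
+k8s.io/kubectl => k8s.io/kubectl v0.25.0
+k8s.io/kubelet => k8s.io/kubelet v0.25.0
+k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.25.0
+k8s.io/metrics => k8s.io/metrics v0.25.0
+k8s.io/mount-utils => k8s.io/mount-utils v0.25.0
+k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.25.0
 )
 
-replace sigs.k8s.io/controller-runtime => sigs.k8s.io/controller-runtime v0.11.2
+replace sigs.k8s.io/controller-runtime => sigs.k8s.io/controller-runtime v0.13.1
 
 replace github.com/containernetworking/cni => github.com/containernetworking/cni v0.8.1
 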
