manifests/meshnet: sync to hardened drivenets fork v0.5.0-dn#21
Closed
msupinodn wants to merge 1 commit into
Conversation
Pulls in the meshnet-cni release v0.5.0-dn (msupinodn/meshnet-cni#2):

* Image bumped from upstream us-west1-docker.pkg.dev/kne-external/kne/networkop/meshnet:v0.3.2 to public.ecr.aws/drivenets/meshnet-cni:v0.5.0-dn
* RBAC narrowed: drop verbs ["*"], pin to actually-exercised verbs on topologies (get/list/watch/update/patch) and gwirekobjs (+create/delete). Adds nodes get/list/watch so the daemon can build the peer-IP allowlist used by validatePeerNodeIP / handler.Get to reject SSRF attempts via tampered topology CR status.src_ip.
* Adds explicit cpu limit (2) and aligns memory limits/requests with the meshnet-cni source-of-truth manifests.
* Removes hostIPC: true (unused; meshnet relies on hostNetwork + Bidirectional netns mount, not shared IPC).

This lets internal docs use the same install URL with drivenets/ in place of openconfig/ and get the hardened version automatically:

    kubectl apply -f \
      https://raw.githubusercontent.com/drivenets/kne/refs/heads/main/manifests/meshnet/grpc/manifest.yaml

Co-authored-by: Cursor <cursoragent@cursor.com>
msupinodn (Author, Collaborator):

Superseded - keeping the meshnet manifest as the single source of truth in msupinodn/meshnet-cni. Install docs will point there instead.
msupinodn (Author, Collaborator):

Reopening - keeping the bundled kne meshnet manifest in sync so the drivenets/kne URL also serves the hardened image.
Coveralls:

Coverage Report for CI Build 26436398092: coverage remained the same at 39.473%.
Uncovered changes: no uncovered changes found. Coverage regressions: no coverage regressions found.
Summary

Swap the bundled meshnet manifest (grpc + vxlan flavours) from upstream networkop/meshnet:v0.3.2 to public.ecr.aws/drivenets/meshnet-cni:v0.5.0-dn, the hardened drivenets fork built in msupinodn/meshnet-cni#2.

Carries the matching RBAC narrowing and the new nodes get/list/watch rule the daemon needs to build the peer-IP allowlist used by validatePeerNodeIP.

Effect on kubectl apply -f URL

Internal install docs can now use:

i.e. swap openconfig/ -> drivenets/ in the URL and get the hardened image + narrowed RBAC automatically. No other edits needed.

Test plan

* v0.3.2 - clean rollout, no RBAC errors, sitea topology comes up with meshnet-wired links (eno0/eno1) inside both pods.
* forbidden/unauthorized after RBAC narrowing.
* sha256:678e2b30...be45d.

Made with Cursor
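The peer-IP allowlist that the description and the summary above motivate, as an added illustration that is not code from meshnet-cni or this PR: a hypothetical validatePeerNodeIP that canonicalises Node addresses (constructed sample nodes stand in for what the nodes get/list/watch rule would let a daemon read) and refuses any src_ip from a topology CR status that is not a current cluster node address. The real function's signature and the node/IP values are assumptions.

```go
package main

import (
	"fmt"
	"net"
)

// nodeAddr is a constructed stand-in for a Node's InternalIP; a real daemon
// would read these from Node objects using the nodes get/list/watch RBAC rule.
type nodeAddr struct{ Name, IP string }
type peerAllowlist map[string]string // canonical node IP -> node name

// sampleNodes returns constructed node records for a hypothetical cluster.
func sampleNodes() []nodeAddr {
	return []nodeAddr{{"worker-a", "10.0.0.11"}, {"worker-b", "10.0.0.12"}, {"worker-v6", "fd00::12"}}
}

// buildAllowlist canonicalises every node address so lookups cannot be fooled
// by alternate spellings of the same IP; unparseable entries are skipped.
func buildAllowlist(nodes []nodeAddr) peerAllowlist {
	al := make(peerAllowlist, len(nodes))
	for _, n := range nodes {
		if ip := net.ParseIP(n.IP); ip != nil {
			al[ip.String()] = n.Name
		}
	}
	return al
}

// validatePeerNodeIP checks a src_ip read from a topology CR status against the
// allowlist; any value that is not a current cluster node address is refused.
func validatePeerNodeIP(al peerAllowlist, srcIP string) (string, error) {
	ip := net.ParseIP(srcIP)
	if ip == nil {
		return "", fmt.Errorf("src_ip %q is not a valid IP address", srcIP)
	}
	node, ok := al[ip.String()] // canonical form: "::ffff:10.0.0.11" -> "10.0.0.11"
	if !ok {
		return "", fmt.Errorf("src_ip %s is not a cluster node address; refusing peer", ip)
	}
	return node, nil
}

func main() {
	al := buildAllowlist(sampleNodes())
	for _, s := range []string{"10.0.0.11", "::ffff:10.0.0.12", "203.0.113.9", "10.0.0.1x"} {
		node, err := validatePeerNodeIP(al, s)
		fmt.Printf("%-18s node=%q err=%v\n", s, node, err)
	}
}
```

The allowlist must be rebuilt from a Node watch whenever nodes join or leave, otherwise a stale list rejects legitimate peers or keeps accepting a decommissioned address.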