filter_kubernetes: Adjust cleanup ordering to avoid use-after-free [4.2 backport]

[ShelbyZ]

Backport of : #11440

---

Enter [N/A] in the box, if an item is not applicable to your change.

Testing
Before we can approve your change; please submit the following in a comment:

• [N/A] Example configuration file for the change
• [N/A] Debug log output from testing the change

• [N/A] Attached Valgrind output that shows no leaks or memory corruption was found

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

• [N/A] Run local packaging test showing all targets (including any new ones) build.
• [N/A] Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

• [N/A] Documentation required for this feature

Backporting

• [N/A] Backport to latest stable release.

---

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Summary by CodeRabbit

• Bug Fixes
  • Fixed resource cleanup ordering in the Kubernetes plugin to ensure proper destruction sequence.

[coderabbitai]

📝 Walkthrough

Walkthrough

The change reorders the destruction sequence of Kubernetes pod association resources in the cleanup function. The AWS TLS association is moved to be destroyed after the upstream association instead of before, addressing a potential use-after-free condition.

Changes

Cohort / File(s)	Summary
Kubernetes Filter Cleanup plugins/filter_kubernetes/kube_conf.c	Reordered destruction of aws_pod_association_tls to occur after aws_pod_association_upstream in the flb_kube_conf_destroy function to prevent use-after-free.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• filter_kubernetes: Adjust cleanup ordering to avoid use-after-free #11440: Directly addresses the same use-after-free vulnerability by reordering TLS destruction in the Kubernetes filter cleanup function.

Suggested labels

backport to v4.2.x

Suggested reviewers

• edsiper
• cosmo0920

Poem

🐰 A hop and a flip, resources align,
TLS now waits for upstream's fine line,
No freed-twice trouble in cleanup's way,
Order matters—hooray, hooray! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: reordering cleanup operations in filter_kubernetes to prevent use-after-free bugs.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

No actionable comments were generated in the recent review. 🎉

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}