[Configuration]Support bearer tokens in cluster #10

Merged
merged 1 commit into from
Apr 15, 2020

ityuhui
Member

@ityuhui ityuhui commented Apr 11, 2020

Load bearer tokens and CA file inside cluster.

/cc @brendandburns

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. approved Indicates a PR has been approved by an approver from all required OWNERS files. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Apr 11, 2020
@brendandburns
Contributor

Thanks for doing this PR, I added some comments.

@ityuhui
Member Author

ityuhui commented Apr 14, 2020

Thank you @brendandburns

I have updated the code.

{
static char fname[] = "setBasePathInCluster()";

const char *service_host_env = getenv(SERVICE_HOST_ENV_NAME);
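
Review bot: `fname` on the first line is a writable static array that only ever holds the function-name literal; declare it `static const char fname[]` so it sits in read-only data. On the `getenv(SERVICE_HOST_ENV_NAME)` line, the result is NULL whenever the variable is unset, so the code that follows should check `service_host_env` before using it.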
Contributor

We should switch to secure_getenv; see the recommendations here:

https://www.gnu.org/software/libc/manual/html_node/Environment-Access.html

"General-purpose libraries should always prefer this function over getenv to avoid vulnerabilities if the library is referenced from a SUID/SGID program."

Member Author

@ityuhui ityuhui Apr 15, 2020

It's OK. I have updated it. And I added

#define _GNU_SOURCE

to the source code because it is required by the function secure_getenv (http://man7.org/linux/man-pages/man3/getenv.3.html)

"Feature Test Macro Requirements for glibc (see feature_test_macros(7)):
secure_getenv(): _GNU_SOURCE"

If _GNU_SOURCE is not defined, my example program will core-dump.

141             kubeconfig_env = secure_getenv(ENV_KUBECONFIG);
(gdb)
142             if (kubeconfig_env) {
(gdb) p kubeconfig_env
$1 = 0x0
(gdb) n
145                 homedir_env = secure_getenv(ENV_HOME);
(gdb) n
146                 if (homedir_env) {
(gdb) p homedir_env
$2 = 0xffffffffffffe9d1 <error: Cannot access memory at address 0xffffffffffffe9d1>
(gdb) n
147                     configFileName = calloc(strlen(homedir_env) + strlen(KUBE_CONFIG_DEFAULT_LOCATION) + 1, sizeof(char));
(gdb) s
__strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:52
52      ../sysdeps/x86_64/multiarch/strlen-avx2.S: No such file or directory.
(gdb) n
53      in ../sysdeps/x86_64/multiarch/strlen-avx2.S
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
__strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:62
62      in ../sysdeps/x86_64/multiarch/strlen-avx2.S
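
An added example, not code from this PR: the bad pointer in the gdb session above is consistent with `secure_getenv` being implicitly declared as returning `int` when `_GNU_SOURCE` is missing, so the 64-bit pointer is cut to 32 bits and sign-extended. The block models that truncation and shows a declared, NULL-checked lookup; `implicit_int_view`, `default_kubeconfig_path`, `EXAMPLE_CONFIG_SUFFIX` and the sample address are assumptions made for illustration.

```c
#define _GNU_SOURCE   /* must precede the first system header to expose secure_getenv() */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Explicit prototype: redundant when <stdlib.h> already declared the function,
 * and it keeps the return type a pointer if the macro above was seen too late. */
char *secure_getenv(const char *name);

#define EXAMPLE_CONFIG_SUFFIX "/.kube/config"   /* assumed value, not from the PR */

/* Models what a caller receives on x86-64 when the function is implicitly
 * declared as returning int: only the low 32 bits survive and are then
 * sign-extended back to pointer width. */
uint64_t implicit_int_view(uint64_t real_ptr)
{
    return (uint64_t)(int64_t)(int32_t)(uint32_t)real_ptr;
}

/* Returns a heap-allocated "<HOME>/.kube/config", or NULL when HOME is unset,
 * empty, withheld by secure_getenv() (AT_SECURE process), or allocation fails. */
char *default_kubeconfig_path(void)
{
    const char *home = secure_getenv("HOME");
    if (home == NULL || home[0] == '\0')
        return NULL;

    size_t len = strlen(home) + strlen(EXAMPLE_CONFIG_SUFFIX) + 1;
    char *path = calloc(len, sizeof(char));
    if (path == NULL)
        return NULL;
    snprintf(path, len, "%s%s", home, EXAMPLE_CONFIG_SUFFIX);
    return path;   /* caller frees */
}

int main(void)
{
    /* 0x7fffffffe9d1 is a constructed stack-like address whose low 32 bits
     * match the value gdb printed for homedir_env. */
    printf("truncated: 0x%llx\n",
           (unsigned long long)implicit_int_view(0x7fffffffe9d1ULL));
    char *path = default_kubeconfig_path();
    printf("kubeconfig: %s\n", path ? path : "(none)");
    free(path);
    return 0;
}
```

Building with `-Werror=implicit-function-declaration` turns a missing feature-test macro into a compile error instead of a runtime crash.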

@brendandburns
Contributor

Sorry, one more comment on secure_getenv vs getenv, then I think this is ready to merge.

@ityuhui
Member Author

ityuhui commented Apr 15, 2020

Thank you @brendandburns ! The code is updated.

@brendandburns
Contributor

brendandburns commented Apr 15, 2020 via email

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 15, 2020
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: brendandburns, ityuhui

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [brendandburns,ityuhui]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit b49f357 into kubernetes-client:master Apr 15, 2020
@ityuhui ityuhui deleted the yhinclusterconfig branch April 16, 2020 02:17