Patch k8scsi sidecars CVE-2019-11255

[jnaulty]

Updated container image versions that have resolve the CVE according to
kubernetes/kubernetes/issues/85233

Is this a bug fix or adding new feature?
Bug Fix

What is this PR about? / Why do we need it?
Fixes #411
For CVE-2019-11255: CSI volume snapshot, cloning and resizing features can result in unauthorized volume data access or mutation.

What testing is done?

• make verify
• make test

[k8s-ci-robot]

Welcome @jnaulty!

It looks like this is your first PR to kubernetes-sigs/aws-ebs-csi-driver 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/aws-ebs-csi-driver has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @jnaulty. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[coveralls]

Pull Request Test Coverage Report for Build 989

• 0 of 0 changed or added relevant lines in 0 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage remained the same at 70.706%

---

Totals
Change from base Build 978:	0.0%
Covered Lines:	1231
Relevant Lines:	1741

---

💛 - Coveralls

[jnaulty]

/assign @bertinatto

[bertinatto]

/ok-to-test

[jnaulty]

/test pull-aws-ebs-csi-driver-e2e-single-az

[jnaulty]

I think the e2e test pull-aws-ebs-csi-driver-e2e-single-az might be a flaky test, I see the same failed test in a PR that changes just a markdown file #414 (comment)

[bertinatto]

/retest

[jnaulty]

/retest

[jnaulty]

@bertinatto
it seems to be consistently failing with this test:

[ebs-csi-e2e] [single-az] Snapshot
/home/prow/go/src/github.com/kubernetes-sigs/aws-ebs-csi-driver/tests/e2e/dynamic_provisioning.go:407
  should create a pod, write and read to it, take a volume snapshot, and create another pod from the snapshot [It]
  /home/prow/go/src/github.com/kubernetes-sigs/aws-ebs-csi-driver/tests/e2e/dynamic_provisioning.go:428

Is there any documented process for running the e2e tests on an existing cluster that has the new aws-ebs-csi driver installed?
I want to get logs from the provisioning container.

Update
taking a look at test-e2e-single-az makefile target

[leakingtapan]

@jnaulty Since external-resizer is impacted too, could you update it to v0.3.0 as well?

[leakingtapan]

Is there any documented process for running the e2e tests on an existing cluster that has the new aws-ebs-csi driver installed?

If you have a cluster created already, you could also follow steps here to run the test cases directly

[leakingtapan]

/retest

[leakingtapan]

I tested ur change manually @jnaulty one snapshot failure is due to:

E0108 23:22:30.299139       1 goroutinemap.go:150] Operation for "create-default/ebs-volume-snapshot[7a6d9d53-404e-40f0-98d8-e1873b459a9d]" failed. No retries permitted until 2020-01-08 23:24:32.299113892 +0000 UTC m=+963.204607650 (durationBeforeRetry 2m2s). Error: "snapshot controller failed to update default/ebs-volume-snapshot on API server: volumesnapshots.snapshot.storage.k8s.io \"ebs-volume-snapshot\" is forbidden: User \"system:serviceaccount:kube-system:ebs-csi-controller-sa\" cannot update resource \"volumesnapshots/status\" in API group \"snapshot.storage.k8s.io\" in the namespace \"default\""

This is because the new RBAC policy required for 1.2 snapshotter here for updating volumesnapshots/status:

  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots/status"]
    verbs: ["update"]

Could you add this into ur PR in the rbac policy for snapshotter here?

[leakingtapan]

Given the above issue, please check other two sidecars RBAC policy as well to make sure they are up to date with for the given version.

[jnaulty]

Given the above issue, please check other two sidecars RBAC policy as well to make sure they are up to date with for the given version.

Thanks for the suggestion. Will do.

Checking:

• external-resizer rbac: https://github.com/kubernetes-csi/external-resizer/blob/v0.3.0/deploy/kubernetes/rbac.yaml
• external-snapshotter: https://github.com/kubernetes-csi/external-snapshotter/blob/release-1.2/deploy/kubernetes/rbac.yaml#L47-L49
• external-provisioner: https://github.com/kubernetes-csi/external-provisioner/tree/v1.3.1

[jnaulty]

@leakingtapan
I'm not quite sure where the external-provisioner rbac policy is added for the aws-ebs-csi-driver.

I see it is using this rbac policy: https://github.com/kubernetes-csi/external-provisioner/blob/v1.3.1/deploy/kubernetes/rbac.yaml
but I don't see how it gets used by the aws-ebs-csi-driver.

[leakingtapan]

Here is the rbac for kustomize: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/deploy/kubernetes/base/rbac.yaml

You might want to update the rbac for helm manifest as well. It’s challenging to keep them in sync now. Manually Updating both side is what I do :P

[jnaulty]

Looks like there is an issue with the test-runner

W0121 17:38:56.643973   15281 executor.go:130] error running task "VPC/test-cluster-6952.k8s.local" (47s remaining to succeed): error creating VPC: VpcLimitExceeded: The maximum number of VPCs has been reached.
	status code: 400, request id: 512602ff-c28b-443f-993e-8eafd14227eb
I0121 17:38:56.644009   15281 executor.go:145] No progress made, sleeping before retrying 1 failed task(s)
I0121 17:39:06.644169   15281 executor.go:103] Tasks: 62 done / 95 total; 1 can run
W0121 17:39:07.067279   15281 executor.go:130] error running task "VPC/test-cluster-6952.k8s.local" (37s remaining to succeed): error creating VPC: VpcLimitExceeded: The maximum number of VPCs has been reached.
	status code: 400, request id: 45f00dd7-f227-4cb8-85d1-6282e55739f0
I0121 17:39:07.067319   15281 executor.go:145] No progress made, sleeping before retrying 1 failed task(s)

https://prow.k8s.io/view/gcs/kubernetes-jenkins/pr-logs/pull/kubernetes-sigs_aws-ebs-csi-driver/413/pull-aws-ebs-csi-driver-e2e-single-az/1219670470392025089

[jnaulty]

/retest

[jnaulty]

@leakingtapan
looks like the addition of the RBAC rules helped (despite the temporary issue with VPC creation limit in the test infra).
https://prow.k8s.io/view/gcs/kubernetes-jenkins/pr-logs/pull/kubernetes-sigs_aws-ebs-csi-driver/413/pull-aws-ebs-csi-driver-e2e-single-az/1219684562875977729

I'll squash down to a single commit

[jnaulty]

/test pull-aws-ebs-csi-driver-e2e-single-az

[leakingtapan]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jnaulty, leakingtapan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [leakingtapan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment