Fix CVE for kube-dns pre k8s 1.6 #3538

Merged

mikesplain
Contributor

Additional fix for #3512.

Testing now

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Oct 4, 2017
@k8s-ci-robot
Contributor

Hi @mikesplain. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Oct 4, 2017
@mikesplain
Contributor Author

/assign @chrislovecnm

@mikesplain
Contributor Author

Tested spinning up a 1.5.7 cluster with this change and it works well. I checked the rest of the containers in the pod and haven't found dnsmasq anywhere else.

@chrislovecnm
Contributor

We need someone to validate this. Can someone look at the 1.4 release and 1.5 release manifests in kubernetes/kubernetes?

@mikesplain
Contributor Author

mikesplain commented Oct 4, 2017

Here are the 1.5 manifests for kube-dns included in the release.

kubernetes/kubernetes@f20b1fb

Looks like the identical change we had to make.

1.4 wasn't patched for this but their manifests are here, I believe:

https://github.com/kubernetes/kubernetes/blob/release-1.4/cluster/gce/coreos/kube-manifests/addons/dns/skydns-rc.yaml

@chrislovecnm
Contributor

@mikesplain were we on sky dns on 1.4?

@chrislovecnm
Contributor

So here is our 1.4 manifest in kops 1.5. https://github.com/kubernetes/kops/blob/release-1.5/upup/models/cloudup/resources/addons/kube-dns.addons.k8s.io/v1.4.0.yaml.template

We were not on sky-dns :) I think we are good, but it would be really nice to get a straight answer. We have two options. Merge this now, and make sure we test k8s 1.4.x with alpha before release, or let this PR sit, and make sure that we test k8s 1.4.x with it.

@mikesplain
Contributor Author

@chrislovecnm Ahh yes, there it is. I should be able to spin up a 1.4 cluster today and give this a shot.

@chrislovecnm
Contributor

/ok-to-test

@k8s-ci-robot k8s-ci-robot removed the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Oct 6, 2017
@mikesplain
Contributor Author

All set, tested a kops 1.7 cluster on 1.4.12 upgrading to kops 1.8 (and this change), no problems. Also tested a fresh kops 1.8 k8s 1.4.12 cluster.

@chrislovecnm
Contributor

@mikesplain tested on 1.4.

We will need release notes about the config map issue with the upgrade.

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 6, 2017
@k8s-github-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: chrislovecnm

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@k8s-github-robot k8s-github-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 6, 2017
@k8s-github-robot

/test all [submit-queue is verifying that this PR is safe to merge]

@k8s-github-robot

Automatic merge from submit-queue.

@k8s-github-robot k8s-github-robot merged commit f42b1f6 into kubernetes:master Oct 6, 2017
@mikesplain mikesplain deleted the fix_kube_dns_pre_1.6 branch October 9, 2017 02:15
k8s-github-robot pushed a commit that referenced this pull request Oct 9, 2017
Automatic merge from submit-queue.

Cherry Pick of 3511: Update kube-dns to 1.14.5 for CVE-2017-14491

Backport of #3511, #3513, #3538 to 1.7.

Testing:

- [x] 1.7.2
- [x] 1.6.6
- [x] 1.5.7
- [x] 1.4.12