-
Notifications
You must be signed in to change notification settings - Fork 16
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[v0.11] Changes to minimize exposure to security issues #93
[v0.11] Changes to minimize exposure to security issues #93
Conversation
* cmd/agent/main.go * Static code analysis states that unsanitized usage of the `--component-port` flag can potentially lead to SSRF. In practice, this may be very hard to happen, given that the source of the flag is always an integer (taken from `containerPort` of a Pod). Anyways, this is switching that flag to an Integer to be on the safe side (and to prevent the warning from the static code analysis tool). * python/kserve * Run `poetry update`. * The main reason of the upgrade is [a recent fix to the MSAL library](AzureAD/microsoft-authentication-library-for-python@3427c25) to escape an unsafe string. * As an aside, this also moves away from [CVE-202-4807](https://www.cve.org/CVERecord?id=CVE-2023-4807), which is only applicable to Windows 64 platforms. Additionally, this adds some more resiliency to openshift-ci runs. Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com>
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: israel-hdez The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Looks like this is also good for upstream. why don't you send this pr to upstream? |
# of configuration changes, leading to waitpodready to fail sometimes. | ||
# Let's sleep 2minutes to let the KNative operator to stabilize the installation before | ||
# checking for the readiness of KNative stack. | ||
sleep 120 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why don't use a more accurate way to check if the pod is ready?
something like oc wait
or this kind of script
This is an example
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The waitpodready
function that is used on the following lines is using oc wait
.
The problem is that oc wait
fails if the deployment is restarted or a new version is rolled out, while waiting. So, it is a race condition; i.e. if oc wait
is invoked before a new rollout, it will be watching the older pods and it will fail because those older pods will be terminated (oc wait
will complain that the older pods can no longer be found).
The sleep is to try to prevent such race condition.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So, as mentioned in the comment, the sleep is to let the KNative operator to stabilize, and be done with new rollouts. It is not the goal to wait for the pods to become ready.
It is there: kserve#3157 |
/lgtm |
Ignoring CI failure for python 3.11 - it is a known issue in our fork Merging. |
4f93edd
into
opendatahub-io:release-v0.11.0
--component-port
flag can potentially lead to SSRF. In practice, this may be very hard to happen, given that the source of the flag is always an integer (taken fromcontainerPort
of a Pod). Anyways, this is switching that flag to an Integer to be on the safe side (and to prevent the warning from the static code analysis tool).poetry update
.Additionally, this adds some more resiliency to openshift-ci runs.
Fixes #91
Testing instructions
A simple sanity check should be OK.
Checkout this PR:
git clone https://github.com/opendatahub-io/kserve.git && cd kserve
git fetch origin pull/93/merge:pr-93
git checkout pr-93
On a clean OpenShift cluster, and given you have the code of this PR checked out:
test/scripts/openshift-ci/deploy.ossm.sh
test/scripts/openshift-ci/deploy.serverless.sh
If you get a reply, it should all be running OK.
Notes
If you approve this PR, please, also approve #94