Merge pull request #148 from krunalhinguu/v1.27-july-patch-2024

[release v1.27] k8s v1.27.16

.go-version

@@ -1 +1 @@
-1.21.11
+1.22.5

build/build-image/cross/VERSION

@@ -1 +1 @@
-v1.27.0-go1.21.11-bullseye.0
+v1.27.0-go1.22.5-bullseye.0

build/common.sh

@@ -95,8 +95,8 @@ readonly KUBE_RSYNC_PORT="${KUBE_RSYNC_PORT:-}"
 readonly KUBE_CONTAINER_RSYNC_PORT=8730
 
 # These are the default versions (image tags) for their respective base images.
-readonly __default_distroless_iptables_version=v0.4.9
-readonly __default_go_runner_version=v2.3.1-go1.21.11-bullseye.0
+readonly __default_distroless_iptables_version=v0.5.6
+readonly __default_go_runner_version=v2.3.1-go1.22.5-bookworm.0
 readonly __default_setcap_version=bullseye-v1.4.2
 
 # These are the base images for the Docker-wrapped binaries.

build/dependencies.yaml

@@ -95,7 +95,7 @@ dependencies:
 
   # Golang
   - name: "golang: upstream version"
-    version: 1.21.11
+    version: 1.22.5
     refPaths:
     - path: .go-version
     - path: build/build-image/cross/VERSION
@@ -110,15 +110,15 @@ dependencies:
   # This entry is a stub of the major version to allow dependency checks to
   # pass when building Kubernetes using a pre-release of Golang.
   - name: "golang: 1.<major>"
-    version: 1.21
+    version: 1.22
     refPaths:
     - path: build/build-image/cross/VERSION
     # TODO: drop or update the min go in the .sh file
     # - path: hack/lib/golang.sh
     #   match: minimum_go_version=go([0-9]+\.[0-9]+)
 
   - name: "registry.k8s.io/kube-cross: dependents"
-    version: v1.27.0-go1.21.11-bullseye.0
+    version: v1.27.0-go1.22.5-bullseye.0
     refPaths:
     - path: build/build-image/cross/VERSION
 
@@ -140,15 +140,15 @@ dependencies:
       match: BASE_IMAGE_VERSION\?=
 
   - name: "registry.k8s.io/distroless-iptables: dependents"
-    version: v0.4.9
+    version: v0.5.6
     refPaths:
     - path: build/common.sh
       match: __default_distroless_iptables_version=
     - path: test/utils/image/manifest.go
       match: configs\[DistrolessIptables\] = Config{list\.BuildImageRegistry, "distroless-iptables", "v([0-9]+)\.([0-9]+)\.([0-9]+)"}
 
   - name: "registry.k8s.io/go-runner: dependents"
-    version: v2.3.1-go1.21.11-bullseye.0
+    version: v2.3.1-go1.22.5-bookworm.0
     refPaths:
     - path: build/common.sh
       match: __default_go_runner_version=

pkg/kubelet/kubelet.go

@@ -37,7 +37,7 @@ import (
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/trace"
 	"k8s.io/client-go/informers"
-
+	utilfs "k8s.io/kubernetes/pkg/util/filesystem"
 	"k8s.io/mount-utils"
 	"k8s.io/utils/integer"
 	netutils "k8s.io/utils/net"
@@ -1342,17 +1342,17 @@ func (kl *Kubelet) setupDataDirs() error {
 	if err := os.MkdirAll(kl.getPodsDir(), 0750); err != nil {
 		return fmt.Errorf("error creating pods directory: %v", err)
 	}
-	if err := os.MkdirAll(kl.getPluginsDir(), 0750); err != nil {
+	if err := utilfs.MkdirAll(kl.getPluginsDir(), 0750); err != nil {
 		return fmt.Errorf("error creating plugins directory: %v", err)
 	}
-	if err := os.MkdirAll(kl.getPluginsRegistrationDir(), 0750); err != nil {
+	if err := utilfs.MkdirAll(kl.getPluginsRegistrationDir(), 0750); err != nil {
 		return fmt.Errorf("error creating plugins registry directory: %v", err)
 	}
 	if err := os.MkdirAll(kl.getPodResourcesDir(), 0750); err != nil {
 		return fmt.Errorf("error creating podresources directory: %v", err)
 	}
 	if utilfeature.DefaultFeatureGate.Enabled(features.ContainerCheckpoint) {
-		if err := os.MkdirAll(kl.getCheckpointsDir(), 0700); err != nil {
+		if err := utilfs.MkdirAll(kl.getCheckpointsDir(), 0700); err != nil {
 			return fmt.Errorf("error creating checkpoint directory: %v", err)
 		}
 	}
@@ -1442,6 +1442,14 @@ func (kl *Kubelet) initializeModules() error {
 		}
 	}
 
+	if sysruntime.GOOS == "windows" {
+		// On Windows we should not allow other users to read the logs directory
+		// to avoid allowing non-root containers from reading the logs of other containers.
+		if err := utilfs.Chmod(ContainerLogsDir, 0750); err != nil {
+			return fmt.Errorf("failed to set permissions on directory %q: %w", ContainerLogsDir, err)
+		}
+	}
+
 	// Start the image manager.
 	kl.imageManager.Start()
 

pkg/kubelet/kuberuntime/kuberuntime_manager.go

@@ -22,6 +22,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"runtime"
 	"sort"
 	"time"
 
@@ -64,6 +65,7 @@ import (
 	"k8s.io/kubernetes/pkg/kubelet/util/cache"
 	"k8s.io/kubernetes/pkg/kubelet/util/format"
 	sc "k8s.io/kubernetes/pkg/securitycontext"
+	utilfs "k8s.io/kubernetes/pkg/util/filesystem"
 )
 
 const (
@@ -266,6 +268,14 @@ func NewKubeGenericRuntimeManager(
 		if err := osInterface.MkdirAll(podLogsRootDirectory, 0755); err != nil {
 			klog.ErrorS(err, "Failed to create pod log directory", "path", podLogsRootDirectory)
 		}
+
+		if runtime.GOOS == "windows" {
+			// On Windows we should not allow other users to read the logs directory
+			// to avoid allowing non-root containers from reading the logs of other pods.
+			if err := utilfs.Chmod(podLogsRootDirectory, 0750); err != nil {
+				klog.ErrorS(err, "Failed to set permissions on pod log directory", "path", podLogsRootDirectory)
+			}
+		}
 	}
 
 	if imageCredentialProviderConfigFile != "" || imageCredentialProviderBinDir != "" {

pkg/util/filesystem/defaultfs.go

@@ -70,9 +70,8 @@ func (fs *DefaultFs) Rename(oldpath, newpath string) error {
 	return os.Rename(oldpath, newpath)
 }
 
-// MkdirAll via os.MkdirAll
 func (fs *DefaultFs) MkdirAll(path string, perm os.FileMode) error {
-	return os.MkdirAll(fs.prefix(path), perm)
+	return MkdirAll(fs.prefix(path), perm)
 }
 
 // Chtimes via os.Chtimes

pkg/util/filesystem/util_unix.go

@@ -0,0 +1,34 @@
+//go:build freebsd || linux || darwin
+// +build freebsd linux darwin
+
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package filesystem
+
+import (
+	"os"
+)
+
+// Chmod is the same as os.Chmod on Linux.
+func Chmod(name string, mode os.FileMode) error {
+	return os.Chmod(name, mode)
+}
+
+// MkdirAll is the same as os.MkdirAll on Linux.
+func MkdirAll(path string, perm os.FileMode) error {
+	return os.MkdirAll(path, perm)
+}

pkg/util/filesystem/util_windows.go

@@ -0,0 +1,183 @@
+//go:build windows
+// +build windows
+
+/*
+Copyright 2023 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package filesystem
+
+import (
+	"fmt"
+	"os"
+
+	"k8s.io/klog/v2"
+
+	"golang.org/x/sys/windows"
+)
+
+// On Windows os.Mkdir all doesn't set any permissions so call the Chown function below to set
+// permissions once the directory is created.
+func MkdirAll(path string, perm os.FileMode) error {
+	klog.V(6).InfoS("Function MkdirAll starts", "path", path, "perm", perm)
+	err := os.MkdirAll(path, perm)
+	if err != nil {
+		return fmt.Errorf("Error creating directory %s: %v", path, err)
+	}
+
+	err = Chmod(path, perm)
+	if err != nil {
+		return fmt.Errorf("Error setting permissions for directory %s: %v", path, err)
+	}
+
+	return nil
+}
+
+const (
+	// These aren't defined in the syscall package for Windows :(
+	USER_READ      = 0x100
+	USER_WRITE     = 0x80
+	USER_EXECUTE   = 0x40
+	GROUP_READ     = 0x20
+	GROUP_WRITE    = 0x10
+	GROUP_EXECUTE  = 0x8
+	OTHERS_READ    = 0x4
+	OTHERS_WRITE   = 0x2
+	OTHERS_EXECUTE = 0x1
+	USER_ALL       = USER_READ | USER_WRITE | USER_EXECUTE
+	GROUP_ALL      = GROUP_READ | GROUP_WRITE | GROUP_EXECUTE
+	OTHERS_ALL     = OTHERS_READ | OTHERS_WRITE | OTHERS_EXECUTE
+)
+
+// On Windows os.Chmod only sets the read-only flag on files, so we need to use Windows APIs to set the desired access on files / directories.
+// The OWNER mode will set file permissions for the file owner SID, the GROUP mode will set file permissions for the file group SID,
+// and the OTHERS mode will set file permissions for BUILTIN\Users.
+// Please note that Windows containers can be run as one of two user accounts; ContainerUser or ContainerAdministrator.
+// Containers run as ContainerAdministrator will inherit permissions from BUILTIN\Administrators,
+// while containers run as ContainerUser will inherit permissions from BUILTIN\Users.
+// Windows containers do not have the ability to run as a custom user account that is known to the host so the OTHERS group mode
+// is used to grant / deny permissions of files on the hosts to the ContainerUser account.
+func Chmod(path string, filemode os.FileMode) error {
+	klog.V(6).InfoS("Function Chmod starts", "path", path, "filemode", filemode)
+	// Get security descriptor for the file
+	sd, err := windows.GetNamedSecurityInfo(
+		path,
+		windows.SE_FILE_OBJECT,
+		windows.DACL_SECURITY_INFORMATION|windows.PROTECTED_DACL_SECURITY_INFORMATION|windows.OWNER_SECURITY_INFORMATION|windows.GROUP_SECURITY_INFORMATION)
+	if err != nil {
+		return fmt.Errorf("Error getting security descriptor for file %s: %v", path, err)
+	}
+
+	// Get owner SID from the security descriptor for assigning USER permissions
+	owner, _, err := sd.Owner()
+	if err != nil {
+		return fmt.Errorf("Error getting owner SID for file %s: %v", path, err)
+	}
+	ownerString := owner.String()
+
+	// Get the group SID from the security descriptor for assigning GROUP permissions
+	group, _, err := sd.Group()
+	if err != nil {
+		return fmt.Errorf("Error getting group SID for file %s: %v", path, err)
+	}
+	groupString := group.String()
+
+	mask := uint32(windows.ACCESS_MASK(filemode))
+
+	// Build a new Discretionary Access Control List (DACL) with the desired permissions using
+	//the Security Descriptor Definition Language (SDDL) format.
+	// https://learn.microsoft.com/windows/win32/secauthz/security-descriptor-definition-language
+	// the DACL is a list of Access Control Entries (ACEs) where each ACE represents the permissions (Allow or Deny) for a specific SID.
+	// Each ACE has the following format:
+	//  (AceType;AceFlags;Rights;ObjectGuid;InheritObjectGuid;AccountSid)
+	// We can leave ObjectGuid and InheritObjectGuid empty for our purposes.
+
+	dacl := "D:"
+
+	// build the owner ACE
+	dacl += "(A;OICI;"
+	if mask&USER_ALL == USER_ALL {
+		dacl += "FA"
+	} else {
+		if mask&USER_READ == USER_READ {
+			dacl += "FR"
+		}
+		if mask&USER_WRITE == USER_WRITE {
+			dacl += "FW"
+		}
+		if mask&USER_EXECUTE == USER_EXECUTE {
+			dacl += "FX"
+		}
+	}
+	dacl += ";;;" + ownerString + ")"
+
+	// Build the group ACE
+	dacl += "(A;OICI;"
+	if mask&GROUP_ALL == GROUP_ALL {
+		dacl += "FA"
+	} else {
+		if mask&GROUP_READ == GROUP_READ {
+			dacl += "FR"
+		}
+		if mask&GROUP_WRITE == GROUP_WRITE {
+			dacl += "FW"
+		}
+		if mask&GROUP_EXECUTE == GROUP_EXECUTE {
+			dacl += "FX"
+		}
+	}
+	dacl += ";;;" + groupString + ")"
+
+	// Build the others ACE
+	dacl += "(A;OICI;"
+	if mask&OTHERS_ALL == OTHERS_ALL {
+		dacl += "FA"
+	} else {
+		if mask&OTHERS_READ == OTHERS_READ {
+			dacl += "FR"
+		}
+		if mask&OTHERS_WRITE == OTHERS_WRITE {
+			dacl += "FW"
+		}
+		if mask&OTHERS_EXECUTE == OTHERS_EXECUTE {
+			dacl += "FX"
+		}
+	}
+	dacl += ";;;BU)"
+
+	klog.V(6).InfoS("Setting new DACL for path", "path", path, "dacl", dacl)
+
+	// create a new security descriptor from the DACL string
+	newSD, err := windows.SecurityDescriptorFromString(dacl)
+	if err != nil {
+		return fmt.Errorf("Error creating new security descriptor from DACL string: %v", err)
+	}
+
+	// get the DACL in binary format from the newly created security descriptor
+	newDACL, _, err := newSD.DACL()
+	if err != nil {
+		return fmt.Errorf("Error getting DACL from new security descriptor: %v", err)
+	}
+
+	// Write the new security descriptor to the file
+	return windows.SetNamedSecurityInfo(
+		path,
+		windows.SE_FILE_OBJECT,
+		windows.DACL_SECURITY_INFORMATION|windows.PROTECTED_DACL_SECURITY_INFORMATION,
+		nil, // owner SID
+		nil, // group SID
+		newDACL,
+		nil) // SACL
+}