fabric8io / fluent-plugin-kubernetes_metadata_filter

Enrich your fluentd events with Kubernetes metadata
Apache License 2.0
351 stars 166 forks source link

Bump kubeclient from 4.9.2 to 4.9.3 #330

Closed dependabot[bot] closed 2 years ago

dependabot[bot] commented 2 years ago

Bumps kubeclient from 4.9.2 to 4.9.3.

Changelog

Sourced from kubeclient's changelog.

4.9.3 — 2021-03-23

Fixed

  • VULNERABILITY FIX: Previously, whenever kubeconfig did not define custom CA (normal situation for production clusters with public domain and certificate!), Config was returning ssl_options[:verify_ssl] hard-coded to VERIFY_NONE :-(

    Assuming you passed those ssl_options to Kubeclient::Client, this means that instead of checking server's certificate against your system CA store, it would accept ANY certificate, allowing easy man-in-the middle attacks.

    This is especially dangerous with user/password or token credentials because MITM attacker could simply steal those credentials to the cluster and do anything you could do on the cluster.

    This was broken IN ALL RELEASES MADE BEFORE 2022, ever since Kubeclient::Config was created.

    #554.

  • Bug fix: kubeconfig insecure-skip-tls-verify field was ignored. When kubeconfig did define custom CA, Config was returning hard-coded VERIFY_PEER.

    Now we honor it, return VERIFY_NONE iff kubeconfig has explicit insecure-skip-tls-verify: true, otherwise VERIFY_PEER.

    #555.

  • Config: fixed parsing of certificate-authority file containing concatenation of several certificates. Previously, server's cert was checked against only first CA cert, resulting in possible "certificate verify failed" errors.

    An important use case is a chain of root & intermediate cert(s) - necessary when cluster's CA itself is signed by another custom CA. But also helps when you simply concatenate independent certs. (#461, #552)

    • Still broken (#460): inline certificate-authority-data is still parsed using add_cert method that handles only one cert.

These don't affect code that supplies Client parameters directly, only code that uses Config.

Commits
  • c27893f Merge pull request #558 from cben/release-4.9.3
  • d7bc03d Bump kubeclient to 4.9.3
  • 109ea71 Merge pull request #556 from cben/v4.y-security-config-ssl_verify
  • e4cb727 CHANGELOG and README about Config verify_ssl vulnerability
  • aa36e89 SECURITY: integration tests for Config+Client verify_ssl with real cluster
  • c21e2b5 SECURITY: unit tests for Kubeclient::Config handling of ssl_options[:verify_ssl]
  • 5086eb8 Merge branch 'ancient-security-config-ssl_verify'
  • f61a4e1 Merge tag 'v4.6.0' into ancient-security-config-ssl_verify
  • 88483cf SECURITY: Kubeclient::Config: return ssl_options[:verify_ssl] correctly
  • e05c715 Merge pull request #552 from cben/v4.y-openssl-x509-store-add-file
  • Additional commits viewable in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/fabric8io/fluent-plugin-kubernetes_metadata_filter/network/alerts).