VULNERABILITY FIX: Previously, whenever kubeconfig did not define custom CA
(normal situation for production clusters with public domain and certificate!),
Config was returning ssl_options[:verify_ssl] hard-coded to VERIFY_NONE :-(
Assuming you passed those ssl_options to Kubeclient::Client, this means that
instead of checking server's certificate against your system CA store,
it would accept ANY certificate, allowing easy man-in-the middle attacks.
This is especially dangerous with user/password or token credentials
because MITM attacker could simply steal those credentials to the cluster
and do anything you could do on the cluster.
Config: fixed parsing of certificate-authority file containing concatenation of
several certificates. Previously, server's cert was checked against only first CA cert,
resulting in possible "certificate verify failed" errors.
An important use case is a chain of root & intermediate cert(s) - necessary when cluster's CA
itself is signed by another custom CA.
But also helps when you simply concatenate independent certs. (#461, #552)
Still broken (#460): inline certificate-authority-data is still parsed using add_cert
method that handles only one cert.
These don't affect code that supplies Client parameters directly,
only code that uses Config.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/flant/loghouse/network/alerts).
Bumps kubeclient from 4.6.0 to 4.9.3.
Changelog
Sourced from kubeclient's changelog.
... (truncated)
Commits
c27893fMerge pull request #558 from cben/release-4.9.3d7bc03dBump kubeclient to 4.9.3109ea71Merge pull request #556 from cben/v4.y-security-config-ssl_verifye4cb727CHANGELOG and README about Config verify_ssl vulnerabilityaa36e89SECURITY: integration tests for Config+Client verify_ssl with real clusterc21e2b5SECURITY: unit tests for Kubeclient::Config handling of ssl_options[:verify_ssl]5086eb8Merge branch 'ancient-security-config-ssl_verify'f61a4e1Merge tag 'v4.6.0' into ancient-security-config-ssl_verify88483cfSECURITY: Kubeclient::Config: return ssl_options[:verify_ssl] correctlye05c715Merge pull request #552 from cben/v4.y-openssl-x509-store-add-fileDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/flant/loghouse/network/alerts).