Merge pull request #71094 from dekkagaijin/update-concealment

bump metadata-proxy to v0.1.11, update tests & test image
Kubernetes Prow Robot 2018-12-17 17:48:40 -08:00 committed by GitHub
commit 12be140dcd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 18 additions and 10 deletions


@ -44,7 +44,7 @@ spec:
effect: "NoSchedule"
containers:
- name: metadata-proxy
image: k8s.gcr.io/metadata-proxy:v0.1.10
image: k8s.gcr.io/metadata-proxy:v0.1.11
securityContext:
privileged: true
# Request and limit resources to get guaranteed QoS.


@ -1 +1 @@
1.1.1
1.2


@ -40,9 +40,13 @@ var (
"http://metadata.google.internal/computeMetadata/v1/",
// Service account token endpoints.
"http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token",
// Params that contain 'recursive' as substring.
"http://metadata.google.internal/computeMetadata/v1/instance/?nonrecursive=true",
"http://metadata.google.internal/computeMetadata/v1/instance/?something=other&nonrecursive=true",
// Permitted recursive query to SA endpoint.
"http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/?recursive=true",
// Known query params.
"http://metadata.google.internal/computeMetadata/v1/instance/tags?alt=text",
"http://metadata.google.internal/computeMetadata/v1/instance/tags?wait_for_change=false",
"http://metadata.google.internal/computeMetadata/v1/instance/tags?wait_for_change=true&timeout_sec=0",
"http://metadata.google.internal/computeMetadata/v1/instance/tags?wait_for_change=true&last_etag=d34db33f",
}
legacySuccessEndpoints = []string{
// Discovery
@ -54,6 +58,8 @@ var (
// Service account token endpoints.
"http://metadata.google.internal/0.1/meta-data/service-accounts/default/acquire",
"http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token",
// Known query params.
"http://metadata.google.internal/0.1/meta-data/service-accounts/default/acquire?scopes",
}
noKubeEnvEndpoints = []string{
// Check that these don't get a recursive result.
@ -72,10 +78,12 @@ var (
"http://metadata.google.internal/0.1/meta-data/service-accounts/default/identity",
"http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/identity",
"http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity",
// Recursive.
// Forbidden recursive queries.
"http://metadata.google.internal/computeMetadata/v1/instance/?recursive=true",
"http://metadata.google.internal/computeMetadata/v1/instance/?something=other&recursive=true",
"http://metadata.google.internal/computeMetadata/v1/instance/?recursive=true&something=other",
"http://metadata.google.internal/computeMetadata/v1/instance/?%72%65%63%75%72%73%69%76%65=true", // url-encoded
// Unknown query param key.
"http://metadata.google.internal/computeMetadata/v1/instance/?something=else",
"http://metadata.google.internal/computeMetadata/v1/instance/?unknown",
// Other.
"http://metadata.google.internal/computeMetadata/v1/instance/attributes//kube-env",
"http://metadata.google.internal/computeMetadata/v1/instance/attributes/../attributes/kube-env",
@ -96,7 +104,7 @@ func main() {
}
}
for _, e := range noKubeEnvEndpoints {
if err := checkURL(e, h, 200, "", "kube-env"); err != nil {
if err := checkURL(e, h, 403, "", "kube-env"); err != nil {
log.Printf("Wrong response for %v: %v", e, err)
success = 1
}
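Review bot: The list iterated in the last loop is still named `noKubeEnvEndpoints` and still carries the comment "Check that these don't get a recursive result.", but with the expected status changed from 200 to 403 every entry is now asserted to be refused outright, including the identity endpoints and the new unknown-query-key cases. I would update the comment to something like `// Requests the proxy must reject with 403 (concealed endpoints, forbidden recursion, unknown query keys).` so a later maintainer does not add an endpoint that is only filtered (200 without kube-env) and silently turn the test red. It is also worth confirming that the `"kube-env"` denied-substring argument is still evaluated on a 403 response; `checkURL` and the rest of `main` are outside the hunk, so this cannot be verified from here.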


@ -97,7 +97,7 @@ var (
APIServer = Config{e2eRegistry, "sample-apiserver", "1.10"}
AppArmorLoader = Config{e2eRegistry, "apparmor-loader", "1.0"}
BusyBox = Config{dockerLibraryRegistry, "busybox", "1.29"}
CheckMetadataConcealment = Config{e2eRegistry, "metadata-concealment", "1.1.1"}
CheckMetadataConcealment = Config{e2eRegistry, "metadata-concealment", "1.2"}
CudaVectorAdd = Config{e2eRegistry, "cuda-vector-add", "1.0"}
Dnsutils = Config{e2eRegistry, "dnsutils", "1.1"}
EchoServer = Config{e2eRegistry, "echoserver", "2.2"}