diff --git a/go.mod b/go.mod
index befe9e3187..8946abe765 100644
--- a/go.mod
+++ b/go.mod
@@ -20,11 +20,11 @@ require (
 k8s.io/cli-runtime v0.25.2
 k8s.io/client-go v0.25.4
 k8s.io/code-generator v0.25.4
- knative.dev/eventing v0.35.1-0.20230120082502-7e899fd166de
+ knative.dev/eventing v0.36.0
 knative.dev/hack v0.0.0-20230113013652-c7cfcb062de9
 knative.dev/networking v0.0.0-20230123233838-db2bcbea2560
 knative.dev/pkg v0.0.0-20230117181655-247510c00e9d
- knative.dev/serving v0.35.1-0.20230123204038-897b61aaa91a
+ knative.dev/serving v0.36.0
 sigs.k8s.io/yaml v1.3.0
 )
diff --git a/go.sum b/go.sum
index d3634bf6fc..a1032933ef 100644
--- a/go.sum
+++ b/go.sum
@@ -1086,16 +1086,16 @@ k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 h1:MQ8BAZPZlWk3S9K4a9NCkI k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1/go.mod h1:C/N6wCaBHeBHkHUesQOQy2/MZqGgMAFPqGsGQLdbZBU= k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2 h1:GfD9OzL11kvZN5iArC6oTS7RTj7oJOIfnislxYlqTj8= k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -knative.dev/eventing v0.35.1-0.20230120082502-7e899fd166de h1:mTwmkYvaPsDCxzQaSjT9BKcf4BQ1zcFSkTIFVGHww3Y= -knative.dev/eventing v0.35.1-0.20230120082502-7e899fd166de/go.mod h1:PqYrXKXhZU7rQaS5TQuZDSOd9jPX7AegF8uNNUY4kcU= +knative.dev/eventing v0.36.0 h1:a7kamc2S+LcpNMDX3llnwZm+DqMcYSXgKIgJXdaQQSY= +knative.dev/eventing v0.36.0/go.mod h1:Qka5Z6+LeMoHGL1QAznVdmq5LAu21b4F3rgxc2AMgRg= knative.dev/hack v0.0.0-20230113013652-c7cfcb062de9 h1:CDa7s9KspEZqPhk7cN68ZypRLuAvSgr+knoOaXSsrHk= knative.dev/hack v0.0.0-20230113013652-c7cfcb062de9/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q= knative.dev/networking v0.0.0-20230123233838-db2bcbea2560 h1:iprdS5tKTXtgV9dGryuwJJJTTdl5LusCHOelKdezR3I= knative.dev/networking v0.0.0-20230123233838-db2bcbea2560/go.mod h1:rn1yRurhkxmSFkpqs/YdG7b9DiYj0VlmLFzBdOQjpOo= knative.dev/pkg v0.0.0-20230117181655-247510c00e9d h1:pjKDcvHoMib8nRp56eISRmMj/pFMzJljnzvMvGCIReI= knative.dev/pkg v0.0.0-20230117181655-247510c00e9d/go.mod h1:VO/fcEsq43seuONRQxZyftWHjpMabYzRHDtpSEQ/eoQ= -knative.dev/serving v0.35.1-0.20230123204038-897b61aaa91a h1:EFgNwvcbmiswVuE+TNYl+UiiVM4Q+5FHvsKfpiJNWkI= -knative.dev/serving v0.35.1-0.20230123204038-897b61aaa91a/go.mod h1:WdVK1b42aahKc8WewW5YLPjp46QK4+D8R9lq3PNuRYg= +knative.dev/serving v0.36.0 h1:RSYDjxhzOx5rnlW9tNPcBPyJyNuOcZuYEMdKDR1r04k= +knative.dev/serving v0.36.0/go.mod h1:ueqMvTqzZE0GFfPqSsc+ZjX20Z8XxCuX86+S+TI7B3A= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler 
v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
diff --git a/vendor/knative.dev/eventing/pkg/apis/sources/v1/apiserver_types.go b/vendor/knative.dev/eventing/pkg/apis/sources/v1/apiserver_types.go
index b70516d49f..cfe41a956b 100644
--- a/vendor/knative.dev/eventing/pkg/apis/sources/v1/apiserver_types.go
+++ b/vendor/knative.dev/eventing/pkg/apis/sources/v1/apiserver_types.go
@@ -80,6 +80,11 @@ type ApiServerSourceSpec struct {
 // source. Defaults to default if not set.
 // +optional
 ServiceAccountName string `json:"serviceAccountName,omitempty"`
+
+ // NamespaceSelector is a label selector to capture the namespaces that
+ // should be watched by the source.
+ // +optional
+ NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
 }

 // ApiServerSourceStatus defines the observed state of ApiServerSource
@@ -92,6 +97,9 @@ type ApiServerSourceStatus struct {
 // * SinkURI - the current active sink URI that has been configured for the
 // Source.
 duckv1.SourceStatus `json:",inline"`
+
+ // Namespaces show the namespaces currently watched by the ApiServerSource
+ Namespaces []string `json:"namespaces"`
 }

 // APIVersionKind is an APIVersion and Kind tuple.
diff --git a/vendor/knative.dev/eventing/pkg/apis/sources/v1/zz_generated.deepcopy.go b/vendor/knative.dev/eventing/pkg/apis/sources/v1/zz_generated.deepcopy.go
index fd7b8b7177..551322eab4 100644
--- a/vendor/knative.dev/eventing/pkg/apis/sources/v1/zz_generated.deepcopy.go
+++ b/vendor/knative.dev/eventing/pkg/apis/sources/v1/zz_generated.deepcopy.go
@@ -140,6 +140,11 @@ func (in *ApiServerSourceSpec) DeepCopyInto(out *ApiServerSourceSpec) {
 *out = new(APIVersionKind)
 **out = **in
 }
+ if in.NamespaceSelector != nil {
+ in, out := &in.NamespaceSelector, &out.NamespaceSelector
+ *out = new(metav1.LabelSelector)
+ (*in).DeepCopyInto(*out)
+ }
 return
 }

@@ -157,6 +162,11 @@ func (in *ApiServerSourceSpec) DeepCopy() *ApiServerSourceSpec {
 func (in *ApiServerSourceStatus) DeepCopyInto(out *ApiServerSourceStatus) {
 *out = *in
 in.SourceStatus.DeepCopyInto(&out.SourceStatus)
+ if in.Namespaces != nil {
+ in, out := &in.Namespaces, &out.Namespaces
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
 return
 }

diff --git a/vendor/knative.dev/serving/pkg/apis/config/features.go b/vendor/knative.dev/serving/pkg/apis/config/features.go
index 90bad722cd..655188ec4f 100644
--- a/vendor/knative.dev/serving/pkg/apis/config/features.go
+++ b/vendor/knative.dev/serving/pkg/apis/config/features.go
@@ -70,6 +70,7 @@ func defaultFeaturesConfig() *Features {
 PodSpecInitContainers: Disabled,
 PodSpecDNSPolicy: Disabled,
 PodSpecDNSConfig: Disabled,
+ SecurePodDefaults: Disabled,
 TagHeaderBasedRouting: Disabled,
 AutoDetectHTTP2: Disabled,
 }
@@ -99,6 +100,7 @@ func NewFeaturesConfigFromMap(data map[string]string) (*Features, error) {
 asFlag("kubernetes.podspec-persistent-volume-write", &nc.PodSpecPersistentVolumeWrite),
 asFlag("kubernetes.podspec-dnspolicy", &nc.PodSpecDNSPolicy),
 asFlag("kubernetes.podspec-dnsconfig", &nc.PodSpecDNSConfig),
+ asFlag("secure-pod-defaults", &nc.SecurePodDefaults),
 asFlag("tag-header-based-routing", &nc.TagHeaderBasedRouting),
 asFlag("queueproxy.mount-podinfo", &nc.QueueProxyMountPodInfo),
 asFlag("autodetect-http2", &nc.AutoDetectHTTP2)); err != nil {
@@ -134,6 +136,7 @@ type Features struct {
 QueueProxyMountPodInfo Flag
 PodSpecDNSPolicy Flag
 PodSpecDNSConfig Flag
+ SecurePodDefaults Flag
 TagHeaderBasedRouting Flag
 AutoDetectHTTP2 Flag
 }
diff --git a/vendor/knative.dev/serving/pkg/apis/serving/fieldmask.go b/vendor/knative.dev/serving/pkg/apis/serving/fieldmask.go
index ab8724b49f..cc59b95f38 100644
--- a/vendor/knative.dev/serving/pkg/apis/serving/fieldmask.go
+++ b/vendor/knative.dev/serving/pkg/apis/serving/fieldmask.go
@@ -208,6 +208,9 @@ func PodSpecMask(ctx context.Context, in *corev1.PodSpec) *corev1.PodSpec {
 }
 if cfg.Features.PodSpecSecurityContext != config.Disabled {
 out.SecurityContext = in.SecurityContext
+ } else if cfg.Features.SecurePodDefaults != config.Disabled {
+ // This is further validated in ValidatePodSecurityContext.
+ out.SecurityContext = in.SecurityContext
 }
 if cfg.Features.PodSpecPriorityClassName != config.Disabled {
 out.PriorityClassName = in.PriorityClassName
@@ -591,6 +594,19 @@ func PodSecurityContextMask(ctx context.Context, in *corev1.PodSecurityContext)
 out := new(corev1.PodSecurityContext)

+ if config.FromContextOrDefaults(ctx).Features.SecurePodDefaults == config.Enabled {
+ // Allow to opt out of more-secure defaults if SecurePodDefaults is enabled.
+ // This aligns with defaultSecurityContext in revision_defaults.go.
+ if in.SeccompProfile != nil {
+ seccomp := in.SeccompProfile.Type
+ if seccomp == corev1.SeccompProfileTypeRuntimeDefault || seccomp == corev1.SeccompProfileTypeUnconfined {
+ out.SeccompProfile = &corev1.SeccompProfile{
+ Type: seccomp,
+ }
+ }
+ }
+ }
+
 if config.FromContextOrDefaults(ctx).Features.PodSpecSecurityContext == config.Disabled {
 return out
 }
diff --git a/vendor/knative.dev/serving/pkg/apis/serving/v1/revision_defaults.go b/vendor/knative.dev/serving/pkg/apis/serving/v1/revision_defaults.go
index 354b12d89d..8acbf3446f 100644
--- a/vendor/knative.dev/serving/pkg/apis/serving/v1/revision_defaults.go
+++ b/vendor/knative.dev/serving/pkg/apis/serving/v1/revision_defaults.go
@@ -72,6 +72,10 @@ func (rs *RevisionSpec) SetDefaults(ctx context.Context) {
 applyDefaultContainerNames(rs.PodSpec.InitContainers, containerNames, defaultInitContainerName)
 for idx := range rs.PodSpec.Containers {
 rs.applyDefault(ctx, &rs.PodSpec.Containers[idx], cfg)
+ rs.defaultSecurityContext(rs.PodSpec.SecurityContext, &rs.PodSpec.Containers[idx], cfg)
+ }
+ for idx := range rs.PodSpec.InitContainers {
+ rs.defaultSecurityContext(rs.PodSpec.SecurityContext, &rs.PodSpec.InitContainers[idx], cfg)
 }
 }

@@ -158,6 +162,57 @@ func (*RevisionSpec) applyProbes(container *corev1.Container) {
 }
 }

+// Upgrade SecurityContext for this container and the Pod definition to use settings
+// for the `restricted` profile when the feature flag is enabled.
+// This does not currently set `runAsNonRoot` for the restricted profile, because
+// that feels harder to default safely.
+func (rs *RevisionSpec) defaultSecurityContext(psc *corev1.PodSecurityContext, container *corev1.Container, cfg *config.Config) {
+ if cfg.Features.SecurePodDefaults != config.Enabled {
+ return
+ }
+
+ if psc == nil {
+ psc = &corev1.PodSecurityContext{}
+ }
+
+ updatedSC := container.SecurityContext
+
+ if updatedSC == nil {
+ updatedSC = &corev1.SecurityContext{}
+ }
+
+ if updatedSC.AllowPrivilegeEscalation == nil {
+ updatedSC.AllowPrivilegeEscalation = ptr.Bool(false)
+ }
+ if psc.SeccompProfile == nil || psc.SeccompProfile.Type == "" {
+ if updatedSC.SeccompProfile == nil {
+ updatedSC.SeccompProfile = &corev1.SeccompProfile{}
+ }
+ if updatedSC.SeccompProfile.Type == "" {
+ updatedSC.SeccompProfile.Type = corev1.SeccompProfileTypeRuntimeDefault
+ }
+ }
+ if updatedSC.Capabilities == nil {
+ updatedSC.Capabilities = &corev1.Capabilities{}
+ updatedSC.Capabilities.Drop = []corev1.Capability{"ALL"}
+ // Default in NET_BIND_SERVICE to allow binding to low-numbered ports.
+ needsLowPort := false
+ for _, p := range container.Ports {
+ if p.ContainerPort < 1024 {
+ needsLowPort = true
+ break
+ }
+ }
+ if updatedSC.Capabilities.Add == nil && needsLowPort {
+ updatedSC.Capabilities.Add = []corev1.Capability{"NET_BIND_SERVICE"}
+ }
+ }
+
+ if *updatedSC != (corev1.SecurityContext{}) {
+ container.SecurityContext = updatedSC
+ }
+}
+
 func applyDefaultContainerNames(containers []corev1.Container, containerNames sets.String, defaultContainerName string) {
 // Default container name based on ContainerNameFromTemplate value from configmap.
 // In multi-container or init-container mode, add a numeric suffix, avoiding clashes with user-supplied names.
diff --git a/vendor/knative.dev/serving/test/e2e-tests.sh b/vendor/knative.dev/serving/test/e2e-tests.sh
index ad0f7fde67..dc4a02ffea 100644
--- a/vendor/knative.dev/serving/test/e2e-tests.sh
+++ b/vendor/knative.dev/serving/test/e2e-tests.sh
@@ -126,6 +126,11 @@ toggle_feature kubernetes.podspec-securitycontext Disabled
 toggle_feature kubernetes.podspec-persistent-volume-write Disabled
 toggle_feature kubernetes.podspec-persistent-volume-claim Disabled

+# RUN secure pod defaults test in a separate install.
+toggle_feature secure-pod-defaults Enabled
+go_test_e2e -timeout=3m ./test/e2e/securedefaults ${TEST_OPTIONS} || failed=1
+toggle_feature secure-pod-defaults Disabled
+
 # Run HA tests separately as they're stopping core Knative Serving pods.
 # Define short -spoofinterval to ensure frequent probing while stopping pods.
 toggle_feature autocreateClusterDomainClaims true config-network || fail_test
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 3e42120d6a..31d8e53d94 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -917,7 +917,7 @@ k8s.io/utils/net
 k8s.io/utils/pointer
 k8s.io/utils/strings/slices
 k8s.io/utils/trace
-# knative.dev/eventing v0.35.1-0.20230120082502-7e899fd166de
+# knative.dev/eventing v0.36.0
 ## explicit; go 1.18
 knative.dev/eventing/pkg/apis/config
 knative.dev/eventing/pkg/apis/duck
@@ -1013,7 +1013,7 @@ knative.dev/pkg/tracing/config
 knative.dev/pkg/tracing/propagation
 knative.dev/pkg/tracing/propagation/tracecontextb3
 knative.dev/pkg/tracker
-# knative.dev/serving v0.35.1-0.20230123204038-897b61aaa91a
+# knative.dev/serving v0.36.0
 ## explicit; go 1.18
 knative.dev/serving/pkg/apis/autoscaling
 knative.dev/serving/pkg/apis/autoscaling/v1alpha1