Commit Graph

1135 Commits

Author SHA1 Message Date
Brad Davidson
239021e759 Consistently use constant-time comparison of password hashes
As per https://github.com/golang/go/issues/47001 even subtle.ConstantTimeCompare should never be used with variable-length inputs, as it will return 0 if the lengths do not match. Switch to consistently using constant-time comparisons of hashes for password checks to avoid any possible side-channel leaks that could be combined with other vectors to discover password lengths.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-05-09 13:54:50 -07:00
Derek Nola
c6dc789e25
Add support for -cover + integration test code coverage (#7415)
* Add support for -cover in k3s server
* Update codecov reporting
* Sigterm in StopK3sServer
Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-05-08 12:46:51 -07:00
Brad Davidson
cf9ebb3259 Fail to validate server tokens that use bootstrap id/secret format
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-05-05 12:24:35 -07:00
Manuel Buil
eb83af0de4
Merge pull request #7422 from manuelbuil/modify-utils
Migrate netutil methods into /util/net.go
2023-05-05 07:17:41 +02:00
Brad Davidson
cedefeff24 Bump cni plugins to v1.2.0-k3s1
Also add bandwidth and firewall plugins. The bandwidth plugin is
automatically registered with the appropriate capability, but the
firewall plugin must be configured by the user if they want to use it.

Ref: https://www.cni.dev/plugins/current/meta/firewall/

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-05-04 13:58:42 -07:00
Boleyn Su
a736b4b1b9
local-storage: Fix permission (#7217)
* local-storage: Fix permission

/var/lib/rancher/k3s/storage/ should be 700
/var/lib/rancher/k3s/storage/* should be 777

Fixes #2348

Signed-off-by: Boleyn Su <boleyn.su@gmail.com>

* Fix pod command field type

* Fix to int test

Signed-off-by: Derek Nola <derek.nola@suse.com>

---------

Signed-off-by: Boleyn Su <boleyn.su@gmail.com>
Signed-off-by: Derek Nola <derek.nola@suse.com>
Co-authored-by: Brad Davidson <brad@oatmail.org>
Co-authored-by: Derek Nola <derek.nola@suse.com>
2023-05-04 10:43:54 -07:00
Manuel Buil
437ad128c7 Migrate netutil methods into /utils/net.go
Signed-off-by: Manuel Buil <mbuil@suse.com>
2023-05-04 16:49:16 +02:00
Derek Nola
e1d4cff14c
Enable FindString to search dotD config files (#7323)
* Enable FindString to search dotD config files
* Address multiple arg cases

Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-05-02 11:18:23 -07:00
Derek Nola
d5f560360e
Handle multiple arguments with StringSlice flags (#7380)
* Add helper function for multiple arguments in stringslice

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Cleanup server setup with util function

Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-05-02 09:55:48 -07:00
Brad Davidson
e61fde93c1 Fix MemberList error handling and incorrect etcd-arg passthrough
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-04-28 22:04:30 -07:00
Brad Davidson
91afb38799 Retry cluster join on "too many learners" error
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-04-28 11:28:33 -07:00
Brad Davidson
f1b6a3549c Fix stack log on panic
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-04-28 11:24:34 -07:00
Brad Davidson
c44d33d29b Fix race condition in tunnel server startup
Several places in the code used a 5-second retry loop to wait on
Runtime.Core to be set. This caused a race condition where OnChange
handlers could be added after the Wrangler shared informers were already
started. When this happened, the handlers were never called because the
shared informers they relied upon were not started.

Fix that by requiring anything that waits on Runtime.Core to run from a
cluster controller startup hook that is guaranteed to be called before
the shared informers are started, instead of just firing it off in a
goroutine that retries until it is set.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-04-28 11:24:34 -07:00
Brad Davidson
31a6386994 Improve egress selector handling on agentless servers
Don't set up the agent tunnel authorizer on agentless servers, and warn when agentless servers won't have a way to reach in-cluster endpoints.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-04-28 11:24:34 -07:00
Brad Davidson
0247794aa9 go generate
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-04-28 11:13:47 -07:00
Brad Davidson
ad41fb8c96 Create CRDs with schema
Fixes an issue where CRDs were being created without schema, allowing
resources with invalid content to be created, later stalling the
controller ListWatch event channel when the invalid resources could not
be deserialized.

This also requires moving Addon GVK tracking from a status field to
an annotation, as the GroupVersionKind type has special handling
internal to Kubernetes that prevents it from being serialized to the CRD
when schema validation is enabled.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-04-27 20:42:46 -07:00
Derek Nola
bc5b42c279
Cleanup help messages (#7369)
Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-04-27 13:36:11 -07:00
Derek Nola
944f811dc5
v1.27.1 CLI Deprecation (#7311)
* Remove Flannel Wireguard
* Remove etcd-snapshot (implicit save)
* Convert ipsec and multiple backend to fatal

Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-04-19 12:02:05 -07:00
Derek Nola
f2bde63eea
Kubernetes v1.27.1 (#7271)
* Bump go version to 1.20.3 to match upstream
* Bump cri-dockerd
* Bump golanci-lint
* go generate
* Bump selinux in cgroup test
* Bump to v1.27.1 tags
* Release documentation improvements
* Only run upgrade e2e test on PR

Signed-off-by: Derek Nola <derek.nola@suse.com>
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Co-authored-by: Brad Davidson <brad.davidson@rancher.com>
2023-04-18 21:48:36 -07:00
Hussein Galal
30638072c9
Update klipper lb to v0.4.2 (#7210)
* Update klipper lb to v0.4.2

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Update klipper lb to v0.4.3

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Update klipper lb to v0.4.3 in airgap list

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

---------

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2023-04-06 19:02:00 +02:00
Roberto Bonafiglia
3e3512bdae Updated kube-route version to move the iptables ACCEPT default rule at the end of the chain
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2023-04-06 09:55:34 +02:00
Brad Davidson
d95980bba3 Lock bootstrap data with empty key to prevent conflicts
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-04-05 10:56:57 -07:00
Brad Davidson
2992477c4b Debounce kubernetes service endpoint updates
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-04-04 12:02:22 -07:00
Brad Davidson
ece4d8e45c Fix tests to not hide failure location in dummp assert functions
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-04-04 12:02:22 -07:00
Brad Davidson
e54ceaa497 Fix issue with stale connections to removed LB server
Track LB connections through each server so that they can be closed when it is removed.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-04-04 12:02:22 -07:00
Brad Davidson
d388b82d25 go generate
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-04-03 19:47:06 -07:00
Brad Davidson
b010db0cff Ensure that loopback is used for the advertised address when resetting
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-04-03 17:01:43 -07:00
Brad Davidson
cee3ddbc4a
Bump Local Path Provisioner version (#7167)
* chore: Bump Local Path Provisioner version
* go generate

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2023-04-03 16:00:16 -07:00
Roberto Bonafiglia
15ee88964b Added multiClusterCidr feature
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2023-03-14 18:30:52 +01:00
Daniel Mills
822ee79eb8
Remove deprecated nodeSelector label beta.kubernetes.io/os (#6970)
* Remove deprecated nodeSelector label beta.kubernetes.io/os

Problem:
The nodeSelector label beta.kubernetes.io/os in the CoreDNS deployment was deprecated in 1.14 and will likely be removed soon

Solution:
Change the nodeSelector to remove the beta

Signed-off-by: Dan Mills <evilhamsterman@gmail.com>
2023-03-14 12:56:40 -04:00
Brad Davidson
977a85559e Add support for cross-signing new certs during ca rotation
We need to send the full chain in order for cross-signing to work
properly during switchover to a new root.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-03-13 16:56:28 -07:00
Daishan Peng
b7f90f389c
Wait for kubelet port to be ready before setting (#7041)
* Wait for kubelet port to be ready before setting
* Wait for kubelet to update the Ready status before reading port

Signed-off-by: Daishan Peng <daishan@acorn.io>
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Co-authored-by: Brad Davidson <brad.davidson@rancher.com>
2023-03-13 13:48:02 -07:00
Derek Nola
d218068f34
Adds a warning about editing to the containerd config.toml file (#7057)
* Add a warning to the config.toml file

Signed-off-by: Derek Nola <derek.nola@suse.com>
Co-authored-by: Brad Davidson <brad@oatmail.org>
2023-03-13 13:42:17 -07:00
Roberto Bonafiglia
e098b99bfa
Update flannel and kube-router (#7039)
* Update kube-router version to fix iptables rules

Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>

* Update Flannel to v0.21.3

Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>

---------

Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2023-03-10 19:57:16 -08:00
Brad Davidson
cbe4bcfeee Add test for filterByIPFamily
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-21 14:13:22 -08:00
Brad Davidson
cc333d8d0c Fix ServiceLB dual-stack ingress IP listing
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-21 14:13:22 -08:00
Brad Davidson
23d98cec22 Fix CACertPath stripping trailing path components
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-14 09:39:41 -08:00
Brad Davidson
0c302f4341 Fix etcd member deletion
Turns out etcd-only nodes were never running **any** of the controllers,
so allowing multiple controllers didn't really fix things.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-14 09:39:41 -08:00
Roberto Bonafiglia
b8e69712a3 Updated flannel version to v0.21.0
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2023-02-10 23:03:10 +01:00
Brad Davidson
3d146d2f1b Allow for multiple sets of leader-elected controllers
Addresses an issue where etcd controllers did not run on etcd-only nodes

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-10 10:46:48 -08:00
Paul Donohue
290d7e8fd1 Fix access to hostNetwork port on NodeIP when egress-selector-mode=agent
Signed-off-by: Paul Donohue <git@PaulSD.com>
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-10 09:43:34 -08:00
Brad Davidson
ddcc4d4034 go generate
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-09 15:20:49 -08:00
Brad Davidson
c6d0afd0cb Check for existing resources before creating them
Prevents errors when starting with fail-closed webhooks

Also, use panic instead of Fatalf so that the CloudControllerManager rescue can handle the error

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-09 15:20:49 -08:00
Brad Davidson
32d62c5786 Use default address family when adding kubernetes service address to SAN list
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-09 15:17:21 -08:00
Byron Ruth
a92f163c9d
Add NATS to the list of supported data stores (#6876)
Signed-off-by: Byron Ruth <byron@nats.io>
2023-02-08 09:37:23 -08:00
Brad Davidson
87f9c4ab11 Ensure that node exists when using node auth
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-07 14:55:04 -08:00
Brad Davidson
992e64993d Add support for kubeadm token and client certificate auth
Allow bootstrapping with kubeadm bootstrap token strings or existing
Kubelet certs. This allows agents to join the cluster using kubeadm
bootstrap tokens, as created with the `k3s token create` command.

When the token expires or is deleted, agents can successfully restart by
authenticating with their kubelet certificate via node authentication.
If the token is gone and the node is deleted from the cluster, node auth
will fail and they will be prevented from rejoining the cluster until
provided with a valid token.

Servers still must be bootstrapped with the static cluster token, as
they will need to know it to decrypt the bootstrap data.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-07 14:55:04 -08:00
Brad Davidson
373df1c8b0 Add support for k3s token command
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-07 14:55:04 -08:00
Derek Nola
7d49202721
Ignore value conflicts when reencrypting secrets (#6850)
* Ignore conflict secrets

Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-02-07 13:58:44 -08:00
Brad Davidson
215fb157ff Add certificate rotate-ca to write updated CA certs to datastore
This command must be run on a server while the service is running. After this command completes, all the servers in the cluster should be restarted to load the new CA files.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-06 15:09:31 -08:00