Only actual admin actions should use the admin kubeconfig; everything done by the supervisor/deploy/helm controllers will now use a distinct account for audit purposes.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
* Add el9 to the install script
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* Add rocky-9 install test to test el9 selinux
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* Add rocky-9 install test to test el9 selinux to workflow
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* Use el8 for fedora 37
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* Add a warning to reboot in coreos systems
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* remove k3s-selinux module in case of upgrade in el9
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* Check for available container-selinux and k3s-selinux
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* extend selinux upgrade to sle distros
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* create /var/lib/rpm-state in sle systems
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* nit fix
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* extend selinux upgrade to sle distros
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
---------
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* Add el9 to the install script
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* Add rocky-9 install test to test el9 selinux
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* Add rocky-9 install test to test el9 selinux to workflow
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* Use el8 for fedora 37
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* Add a warning to reboot in coreos systems
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* remove k3s-selinux module in case of upgrade in el9
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* Check for available container-selinux and k3s-selinux
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* extend selinux upgrade to sle distros
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* create /var/lib/rpm-state in sle systems
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* nit fix
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
---------
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
Fix regression in legacy API prefix, until upstream pulls in support for MergePathStrategy from https://github.com/emicklei/go-restful/pull/523
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
As per https://github.com/golang/go/issues/47001 even subtle.ConstantTimeCompare should never be used with variable-length inputs, as it will return 0 if the lengths do not match. Switch to consistently using constant-time comparisons of hashes for password checks to avoid any possible side-channel leaks that could be combined with other vectors to discover password lengths.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
This commit adds SearchK3sLog function to find specific strings in integration tests log file and also removes FindStringInCmdAsync function since it was not being used.
Signed-off-by: Ian Cardoso <osodracnai@gmail.com>
Also add bandwidth and firewall plugins. The bandwidth plugin is
automatically registered with the appropriate capability, but the
firewall plugin must be configured by the user if they want to use it.
Ref: https://www.cni.dev/plugins/current/meta/firewall/
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
* local-storage: Fix permission
/var/lib/rancher/k3s/storage/ should be 700
/var/lib/rancher/k3s/storage/* should be 777
Fixes#2348
Signed-off-by: Boleyn Su <boleyn.su@gmail.com>
* Fix pod command field type
* Fix to int test
Signed-off-by: Derek Nola <derek.nola@suse.com>
---------
Signed-off-by: Boleyn Su <boleyn.su@gmail.com>
Signed-off-by: Derek Nola <derek.nola@suse.com>
Co-authored-by: Brad Davidson <brad@oatmail.org>
Co-authored-by: Derek Nola <derek.nola@suse.com>
* Add helper function for multiple arguments in stringslice
Signed-off-by: Derek Nola <derek.nola@suse.com>
* Cleanup server setup with util function
Signed-off-by: Derek Nola <derek.nola@suse.com>
Several places in the code used a 5-second retry loop to wait on
Runtime.Core to be set. This caused a race condition where OnChange
handlers could be added after the Wrangler shared informers were already
started. When this happened, the handlers were never called because the
shared informers they relied upon were not started.
Fix that by requiring anything that waits on Runtime.Core to run from a
cluster controller startup hook that is guaranteed to be called before
the shared informers are started, instead of just firing it off in a
goroutine that retries until it is set.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Don't set up the agent tunnel authorizer on agentless servers, and warn when agentless servers won't have a way to reach in-cluster endpoints.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
