Affected by GO-2023-1583 and 3 other vulnerabilities

GO-2023-1583: User data in TPM attestation vulnerable to MITM in github.com/edgelesssys/constellation

GO-2023-1622: Constellation allows Emergency shell access during initramfs boot phase in github.com/edgelesssys/constellation

GO-2024-2727: Constellation has pods exposed to peers in VPC in github.com/edgelesssys/constellation

GO-2025-4076: Constellation has insecure LUKS2 persistent storage partitions which may be opened and used in github.com/edgelesssys/constellation

kubernetes

package

v2.2.1 Latest Latest Go to latest Published: Nov 14, 2022 License: AGPL-3.0 Imports: 28 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/edgelesssys/constellation

Links

Open Source Insights

Documentation ¶

Index ¶

type CloudControllerManager
type CloudNodeManager
type ClusterAutoscaler
type KubeWrapper
- func New(cloudProvider string, clusterUtil clusterUtil, ...) *KubeWrapper
type KubeconfigReader
- func (r KubeconfigReader) ReadKubeconfig() ([]byte, error)
type ProviderMetadata

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type CloudControllerManager ¶

type CloudControllerManager interface {
	// Image returns the container image used to provide cloud-controller-manager for the cloud-provider.
	Image(k8sVersion versions.ValidK8sVersion) (string, error)
	// Path returns the path used by cloud-controller-manager executable within the container image.
	Path() string
	// Name returns the cloud-provider name as used by k8s cloud-controller-manager (k8s.gcr.io/cloud-controller-manager).
	Name() string
	// ExtraArgs returns a list of arguments to append to the cloud-controller-manager command.
	ExtraArgs() []string
	// ConfigMaps returns a list of ConfigMaps to deploy together with the k8s cloud-controller-manager
	// Reference: https://kubernetes.io/docs/concepts/configuration/configmap/ .
	ConfigMaps() (kubernetes.ConfigMaps, error)
	// Secrets returns a list of secrets to deploy together with the k8s cloud-controller-manager.
	// Reference: https://kubernetes.io/docs/concepts/configuration/secret/ .
	Secrets(ctx context.Context, providerID, cloudServiceAccountURI string) (kubernetes.Secrets, error)
	// Volumes returns a list of volumes to deploy together with the k8s cloud-controller-manager.
	// Reference: https://kubernetes.io/docs/concepts/storage/volumes/ .
	Volumes() []k8s.Volume
	// VolumeMounts a list of of volume mounts to deploy together with the k8s cloud-controller-manager.
	VolumeMounts() []k8s.VolumeMount
	// Env returns a list of k8s environment key-value pairs to deploy together with the k8s cloud-controller-manager.
	Env() []k8s.EnvVar
	// Supported is used to determine if cloud controller manager is implemented for this cloud provider.
	Supported() bool
}

CloudControllerManager implementers provide configuration for the k8s cloud-controller-manager.

type CloudNodeManager ¶

type CloudNodeManager interface {
	// Image returns the container image used to provide cloud-node-manager for the cloud-provider.
	Image(k8sVersion versions.ValidK8sVersion) (string, error)
	// Path returns the path used by cloud-node-manager executable within the container image.
	Path() string
	// ExtraArgs returns a list of arguments to append to the cloud-node-manager command.
	ExtraArgs() []string
	// Supported is used to determine if cloud node manager is implemented for this cloud provider.
	Supported() bool
}

CloudNodeManager implementers provide configuration for the k8s cloud-node-manager.

type ClusterAutoscaler ¶

type ClusterAutoscaler interface {
	// Name returns the cloud-provider name as used by k8s cluster-autoscaler.
	Name() string
	// Secrets returns a list of secrets to deploy together with the k8s cluster-autoscaler.
	Secrets(providerID, cloudServiceAccountURI string) (kubernetes.Secrets, error)
	// Volumes returns a list of volumes to deploy together with the k8s cluster-autoscaler.
	Volumes() []k8s.Volume
	// VolumeMounts returns a list of volume mounts to deploy together with the k8s cluster-autoscaler.
	VolumeMounts() []k8s.VolumeMount
	// Env returns a list of k8s environment key-value pairs to deploy together with the k8s cluster-autoscaler.
	Env() []k8s.EnvVar
	// Supported is used to determine if cluster autoscaler is implemented for this cloud provider.
	Supported() bool
}

ClusterAutoscaler implementers provide configuration for the k8s cluster-autoscaler.

type KubeWrapper ¶

type KubeWrapper struct {
	// contains filtered or unexported fields
}

KubeWrapper implements Cluster interface.

func New ¶

func New(cloudProvider string, clusterUtil clusterUtil, configProvider configurationProvider, client k8sapi.Client, cloudControllerManager CloudControllerManager,
	providerMetadata ProviderMetadata, initialMeasurementsJSON []byte, helmClient helmClient, kubeAPIWaiter kubeAPIWaiter,
) *KubeWrapper

New creates a new KubeWrapper with real values.

func (*KubeWrapper) GetKubeconfig ¶

func (k *KubeWrapper) GetKubeconfig() ([]byte, error)

GetKubeconfig returns the current nodes kubeconfig of stored on disk.

func (*KubeWrapper) InitCluster ¶

func (k *KubeWrapper) InitCluster(
	ctx context.Context, cloudServiceAccountURI, versionString string, measurementSalt []byte, enforcedPCRs []uint32,
	enforceIDKeyDigest bool, idKeyDigest []byte, azureCVM bool, sshUsers map[string]string,
	helmReleasesRaw []byte, conformanceMode bool, log *logger.Logger,
) ([]byte, error)

InitCluster initializes a new Kubernetes cluster and applies pod network provider.

func (*KubeWrapper) JoinCluster ¶

func (k *KubeWrapper) JoinCluster(ctx context.Context, args *kubeadm.BootstrapTokenDiscovery, peerRole role.Role, versionString string, log *logger.Logger) error

JoinCluster joins existing Kubernetes cluster.

func (*KubeWrapper) StartKubelet ¶

func (k *KubeWrapper) StartKubelet(log *logger.Logger) error

StartKubelet starts the kubelet service.

type KubeconfigReader ¶

type KubeconfigReader struct {
	// contains filtered or unexported fields
}

KubeconfigReader implements ConfigReader.

func (KubeconfigReader) ReadKubeconfig ¶

func (r KubeconfigReader) ReadKubeconfig() ([]byte, error)

ReadKubeconfig reads the Kubeconfig from disk.

type ProviderMetadata ¶

type ProviderMetadata interface {
	// UID returns the unique identifier for the constellation.
	UID(ctx context.Context) (string, error)
	// List retrieves all instances belonging to the current Constellation.
	List(ctx context.Context) ([]metadata.InstanceMetadata, error)
	// Self retrieves the current instance.
	Self(ctx context.Context) (metadata.InstanceMetadata, error)
	// GetLoadBalancerEndpoint retrieves the load balancer endpoint.
	GetLoadBalancerEndpoint(ctx context.Context) (string, error)
	// GetInstance retrieves an instance using its providerID.
	GetInstance(ctx context.Context, providerID string) (metadata.InstanceMetadata, error)
	// Supported is used to determine if metadata API is implemented for this cloud provider.
	Supported() bool
}

ProviderMetadata implementers read/write cloud provider metadata.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
k8sapi
kubectl
kubectl/client
resources
kubeWaiter

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL