Affected by GO-2025-3696 and 1 other vulnerabilities

GO-2025-3696: Gardener allows bypassing project secret validation which can lead to privilege escalation in github.com/gardener/gardener

GO-2025-3698: Gardener allows metadata injection for a project secret which can lead to privilege escalation in github.com/gardener/gardener

rotation

package

v1.76.0 Latest Latest Go to latest Published: Jul 28, 2023 License: Apache-2.0, BSD-2-Clause, MIT, + 1 more Imports: 16 Imported by: 4

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/gardener/gardener

Links

Documentation ¶

Index ¶

type AgeSorter
type ETCDEncryptionKeyVerifier
type SecretConfigNamesToSecrets
- func GroupByName(allSecrets []corev1.Secret) SecretConfigNamesToSecrets
type SecretEncryptionVerifier
type ServiceAccountKeyVerifier
type Verifier
type Verifiers

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type AgeSorter ¶

type AgeSorter []corev1.Secret

AgeSorter implements sort.Interface for a slice of secrets for sorting by age.

func (AgeSorter) Len ¶

func (x AgeSorter) Len() int

func (AgeSorter) Less ¶

func (x AgeSorter) Less(i, j int) bool

func (AgeSorter) Swap ¶

func (x AgeSorter) Swap(i, j int)

type ETCDEncryptionKeyVerifier ¶ added in v1.68.0

type ETCDEncryptionKeyVerifier struct {
	RuntimeClient                client.Client
	Namespace                    string
	SecretsManagerLabelSelector  client.MatchingLabels
	GetETCDEncryptionKeyRotation func() *gardencorev1beta1.ETCDEncryptionKeyRotation
	// contains filtered or unexported fields
}

ETCDEncryptionKeyVerifier verifies the etcd encryption key rotation.

func (*ETCDEncryptionKeyVerifier) AfterCompleted ¶ added in v1.68.0

func (v *ETCDEncryptionKeyVerifier) AfterCompleted(ctx context.Context)

AfterCompleted is called when the Shoot is in Completed status.

func (*ETCDEncryptionKeyVerifier) AfterPrepared ¶ added in v1.68.0

func (v *ETCDEncryptionKeyVerifier) AfterPrepared(ctx context.Context)

AfterPrepared is called when the Shoot is in Prepared status.

func (*ETCDEncryptionKeyVerifier) Before ¶ added in v1.68.0

func (v *ETCDEncryptionKeyVerifier) Before(ctx context.Context)

Before is called before the rotation is started.

func (*ETCDEncryptionKeyVerifier) ExpectCompletingStatus ¶ added in v1.68.0

func (v *ETCDEncryptionKeyVerifier) ExpectCompletingStatus(g Gomega)

ExpectCompletingStatus is called while waiting for the Completing status.

func (*ETCDEncryptionKeyVerifier) ExpectPreparingStatus ¶ added in v1.68.0

func (v *ETCDEncryptionKeyVerifier) ExpectPreparingStatus(g Gomega)

ExpectPreparingStatus is called while waiting for the Preparing status.

type SecretConfigNamesToSecrets ¶

type SecretConfigNamesToSecrets map[string][]corev1.Secret

SecretConfigNamesToSecrets is a map for secret config names to a list of corev1.Secret objects.

func GroupByName ¶

func GroupByName(allSecrets []corev1.Secret) SecretConfigNamesToSecrets

GroupByName groups all secrets by name.

type SecretEncryptionVerifier ¶ added in v1.68.0

type SecretEncryptionVerifier struct {
	NewTargetClientFunc func() (kubernetes.Interface, error)
}

SecretEncryptionVerifier creates and reads secrets in the cluster to verify correct configuration of etcd encryption.

func (*SecretEncryptionVerifier) AfterCompleted ¶ added in v1.68.0

func (v *SecretEncryptionVerifier) AfterCompleted(ctx context.Context)

AfterCompleted is called when the Shoot is in Completed status.

func (*SecretEncryptionVerifier) AfterPrepared ¶ added in v1.68.0

func (v *SecretEncryptionVerifier) AfterPrepared(ctx context.Context)

AfterPrepared is called when the Shoot is in Prepared status.

func (*SecretEncryptionVerifier) Before ¶ added in v1.68.0

func (v *SecretEncryptionVerifier) Before(ctx context.Context)

Before is called before the rotation is started.

func (*SecretEncryptionVerifier) ExpectCompletingStatus ¶ added in v1.68.0

func (v *SecretEncryptionVerifier) ExpectCompletingStatus(g Gomega)

ExpectCompletingStatus is called while waiting for the Completing status.

func (*SecretEncryptionVerifier) ExpectPreparingStatus ¶ added in v1.68.0

func (v *SecretEncryptionVerifier) ExpectPreparingStatus(g Gomega)

ExpectPreparingStatus is called while waiting for the Preparing status.

type ServiceAccountKeyVerifier ¶ added in v1.68.0

type ServiceAccountKeyVerifier struct {
	RuntimeClient                client.Client
	Namespace                    string
	SecretsManagerLabelSelector  client.MatchingLabels
	GetServiceAccountKeyRotation func() *gardencorev1beta1.ServiceAccountKeyRotation
	// contains filtered or unexported fields
}

ServiceAccountKeyVerifier verifies the service account key rotation.

func (*ServiceAccountKeyVerifier) AfterCompleted ¶ added in v1.68.0

func (v *ServiceAccountKeyVerifier) AfterCompleted(ctx context.Context)

AfterCompleted is called when the Shoot is in Completed status.

func (*ServiceAccountKeyVerifier) AfterPrepared ¶ added in v1.68.0

func (v *ServiceAccountKeyVerifier) AfterPrepared(ctx context.Context)

AfterPrepared is called when the Shoot is in Prepared status.

func (*ServiceAccountKeyVerifier) Before ¶ added in v1.68.0

func (v *ServiceAccountKeyVerifier) Before(ctx context.Context)

Before is called before the rotation is started.

func (*ServiceAccountKeyVerifier) ExpectCompletingStatus ¶ added in v1.68.0

func (v *ServiceAccountKeyVerifier) ExpectCompletingStatus(g Gomega)

ExpectCompletingStatus is called while waiting for the Completing status.

func (*ServiceAccountKeyVerifier) ExpectPreparingStatus ¶ added in v1.68.0

func (v *ServiceAccountKeyVerifier) ExpectPreparingStatus(g Gomega)

ExpectPreparingStatus is called while waiting for the Preparing status.

type Verifier ¶

type Verifier interface {
	// Before is called before the rotation is started.
	Before(ctx context.Context)
	// ExpectPreparingStatus is called while waiting for the Preparing status.
	ExpectPreparingStatus(g Gomega)
	// AfterPrepared is called when the Shoot is in Prepared status.
	AfterPrepared(ctx context.Context)
	// ExpectCompletingStatus is called while waiting for the Completing status.
	ExpectCompletingStatus(g Gomega)
	// AfterCompleted is called when the Shoot is in Completed status.
	AfterCompleted(ctx context.Context)
}

Verifier does some assertions in different phases of the credentials rotation test.

type Verifiers ¶

type Verifiers []Verifier

Verifiers combines multiple Verifier instances and calls them sequentially

func (Verifiers) AfterCompleted ¶

func (v Verifiers) AfterCompleted(ctx context.Context)

AfterCompleted is called when the Shoot is in Completed status.

func (Verifiers) AfterPrepared ¶

func (v Verifiers) AfterPrepared(ctx context.Context)

AfterPrepared is called when the Shoot is in Prepared status.

func (Verifiers) Before ¶

func (v Verifiers) Before(ctx context.Context)

Before is called before the rotation is started.

func (Verifiers) Cleanup ¶

func (v Verifiers) Cleanup(ctx context.Context)

Cleanup is passed to ginkgo.DeferCleanup.

func (Verifiers) ExpectCompletingStatus ¶

func (v Verifiers) ExpectCompletingStatus(g Gomega)

ExpectCompletingStatus is called while waiting for the Completing status.

func (Verifiers) ExpectPreparingStatus ¶

func (v Verifiers) ExpectPreparingStatus(g Gomega)

ExpectPreparingStatus is called while waiting for the Preparing status.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL