Affected by GO-2022-0617 and 24 other vulnerabilities

GO-2022-0617: WITHDRAWN: Potential proxy IP restriction bypass in Kubernetes in k8s.io/kubernetes

GO-2022-0703: XML Entity Expansion and Improper Input Validation in Kubernetes API server in k8s.io/kubernetes

GO-2022-0802: Kubernetes kubectl cp Vulnerable to Symlink Attack in k8s.io/kubernetes

GO-2022-0867: Allocation of Resources Without Limits or Throttling and Uncontrolled Memory Allocation in Kubernetes in k8s.io/kubernetes

GO-2022-0885: Improper Authentication in Kubernetes in k8s.io/kubernetes

GO-2022-0890: Server Side Request Forgery (SSRF) in Kubernetes in k8s.io/kubernetes

GO-2022-0907: Access Restriction Bypass in kube-apiserver in k8s.io/kubernetes

GO-2022-0910: Files or Directories Accessible to External Parties in kubernetes in k8s.io/kubernetes

GO-2022-0983: ANSI escape characters not filtered in kubectl in k8s.io/kubernetes

GO-2023-1864: Kubelet vulnerable to bypass of seccomp profile enforcement in k8s.io/kubernetes

GO-2023-1891: Vulnerable to policy bypass in kube-apiserver in k8s.io/kubernetes

GO-2023-1892: Kubernetes mountable secrets policy bypass in k8s.io/kubernetes

GO-2023-2159: Kube-proxy may unintentionally forward traffic in k8s.io/kubernetes

GO-2023-2341: Kubernetes Improper Input Validation vulnerability in k8s.io/kubernetes

GO-2024-2748: Privilege Escalation in Kubernetes in k8s.io/apimachinery

GO-2024-2753: Denial of service in Kubernetes in k8s.io/kubernetes

GO-2024-2754: Sensitive Information leak for users of Ceph RBD via Log File in k8s.io/kubernetes

GO-2024-2755: Sensitive Information leak for VSphere users via Log File in k8s.io/kubernetes

GO-2024-2994: Kubernetes sets incorrect permissions on Windows containers logs in k8s.io/kubernetes

GO-2024-3277: Kubernetes Nil pointer dereference in KCM after v1 HPA patch request in k8s.io/kubernetes

GO-2025-3465: Node Denial of Service via kubelet Checkpoint API in k8s.io/kubernetes

GO-2025-3521: Kubernetes GitRepo Volume Inadvertent Local Repository Access in k8s.io/kubernetes

GO-2025-3522: Kubernetes allows Command Injection affecting Windows nodes via nodes/*/logs/query API in k8s.io/kubernetes

GO-2025-3547: Kubernetes kube-apiserver Vulnerable to Race Condition in k8s.io/kubernetes

GO-2025-3915: Kubernetes Nodes can delete themselves by adding an OwnerReference in k8s.io/kubernetes

antiaffinity

package

v1.15.3 Latest Latest Go to latest Published: Aug 16, 2019 License: Apache-2.0 Imports: 6 Imported by: 38

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/kubernetes/kubernetes

Links

Open Source Insights

Documentation ¶

Overview ¶

Package antiaffinity provides the LimitPodHardAntiAffinityTopology admission controller. It rejects any pod that specifies "hard" (RequiredDuringScheduling) anti-affinity with a TopologyKey other than v1.LabelHostname. Because anti-affinity is symmetric, without this admission controller, a user could maliciously or accidentally specify that their pod (once it has scheduled) should block other pods from scheduling into the same zone or some other large topology, essentially DoSing the cluster. In the future we will address this problem more fully by using quota and priority, but for now this admission controller provides a simple protection, on the assumption that the only legitimate use of hard pod anti-affinity is to exclude other pods from the same node.

Index ¶

Constants
func Register(plugins *admission.Plugins)
type Plugin
- func NewInterPodAntiAffinity() *Plugin
- func (p *Plugin) Validate(attributes admission.Attributes, o admission.ObjectInterfaces) (err error)

Constants ¶

View Source

const PluginName = "LimitPodHardAntiAffinityTopology"

PluginName is a string with the name of the plugin

Variables ¶

This section is empty.

Functions ¶

func Register ¶ added in v1.7.0

func Register(plugins *admission.Plugins)

Register registers a plugin

Types ¶

type Plugin ¶ added in v1.9.0

type Plugin struct {
	*admission.Handler
}

Plugin contains the client used by the admission controller

func NewInterPodAntiAffinity ¶

func NewInterPodAntiAffinity() *Plugin

NewInterPodAntiAffinity creates a new instance of the LimitPodHardAntiAffinityTopology admission controller

func (*Plugin) Validate ¶ added in v1.9.0

func (p *Plugin) Validate(attributes admission.Attributes, o admission.ObjectInterfaces) (err error)

Validate will deny any pod that defines AntiAffinity topology key other than v1.LabelHostname i.e. "kubernetes.io/hostname" in requiredDuringSchedulingRequiredDuringExecution and requiredDuringSchedulingIgnoredDuringExecution.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL