Affected by GO-2022-0617 and 24 other vulnerabilities

GO-2022-0617: WITHDRAWN: Potential proxy IP restriction bypass in Kubernetes in k8s.io/kubernetes

GO-2022-0703: XML Entity Expansion and Improper Input Validation in Kubernetes API server in k8s.io/kubernetes

GO-2022-0802: Kubernetes kubectl cp Vulnerable to Symlink Attack in k8s.io/kubernetes

GO-2022-0867: Allocation of Resources Without Limits or Throttling and Uncontrolled Memory Allocation in Kubernetes in k8s.io/kubernetes

GO-2022-0885: Improper Authentication in Kubernetes in k8s.io/kubernetes

GO-2022-0890: Server Side Request Forgery (SSRF) in Kubernetes in k8s.io/kubernetes

GO-2022-0907: Access Restriction Bypass in kube-apiserver in k8s.io/kubernetes

GO-2022-0910: Files or Directories Accessible to External Parties in kubernetes in k8s.io/kubernetes

GO-2022-0983: ANSI escape characters not filtered in kubectl in k8s.io/kubernetes

GO-2023-1864: Kubelet vulnerable to bypass of seccomp profile enforcement in k8s.io/kubernetes

GO-2023-1891: Vulnerable to policy bypass in kube-apiserver in k8s.io/kubernetes

GO-2023-1892: Kubernetes mountable secrets policy bypass in k8s.io/kubernetes

GO-2023-2159: Kube-proxy may unintentionally forward traffic in k8s.io/kubernetes

GO-2023-2341: Kubernetes Improper Input Validation vulnerability in k8s.io/kubernetes

GO-2024-2748: Privilege Escalation in Kubernetes in k8s.io/apimachinery

GO-2024-2753: Denial of service in Kubernetes in k8s.io/kubernetes

GO-2024-2754: Sensitive Information leak for users of Ceph RBD via Log File in k8s.io/kubernetes

GO-2024-2755: Sensitive Information leak for VSphere users via Log File in k8s.io/kubernetes

GO-2024-2994: Kubernetes sets incorrect permissions on Windows containers logs in k8s.io/kubernetes

GO-2024-3277: Kubernetes Nil pointer dereference in KCM after v1 HPA patch request in k8s.io/kubernetes

GO-2025-3521: Kubernetes GitRepo Volume Inadvertent Local Repository Access in k8s.io/kubernetes

GO-2025-3522: Kubernetes allows Command Injection affecting Windows nodes via nodes/*/logs/query API in k8s.io/kubernetes

GO-2025-3547: Kubernetes kube-apiserver Vulnerable to Race Condition in k8s.io/kubernetes

GO-2025-3915: Kubernetes Nodes can delete themselves by adding an OwnerReference in k8s.io/kubernetes

GO-2025-4240: Half-blind Server Side Request Forgery in kube-controller-manager through in-tree Portworx StorageClass in k8s.io/kubernetes

exec

package

v1.15.5-beta.0 Latest Latest Go to latest Published: Sep 18, 2019 License: Apache-2.0 Imports: 8 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/kubernetes/kubernetes

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
func Register(plugins *admission.Plugins)
type DenyExec
- func NewDenyEscalatingExec() *DenyExec
- func NewDenyExecOnPrivileged() *DenyExec

Constants ¶

View Source

const (
	// DenyEscalatingExec indicates name of admission plugin.
	// Deprecated, will be removed in v1.18.
	// Use of PodSecurityPolicy or a custom admission plugin to limit creation of pods is recommended instead.
	DenyEscalatingExec = "DenyEscalatingExec"
	// DenyExecOnPrivileged indicates name of admission plugin.
	// Deprecated, will be removed in v1.18.
	// Use of PodSecurityPolicy or a custom admission plugin to limit creation of pods is recommended instead.
	DenyExecOnPrivileged = "DenyExecOnPrivileged"
)

Variables ¶

This section is empty.

Functions ¶

func Register ¶ added in v1.7.0

func Register(plugins *admission.Plugins)

Register registers a plugin

Types ¶

type DenyExec ¶ added in v1.9.0

type DenyExec struct {
	*admission.Handler
	// contains filtered or unexported fields
}

DenyExec is an implementation of admission.Interface which says no to a pod/exec on a pod using host based configurations.

func NewDenyEscalatingExec ¶

func NewDenyEscalatingExec() *DenyExec

NewDenyEscalatingExec creates a new admission controller that denies an exec operation on a pod using host based configurations.

func NewDenyExecOnPrivileged ¶

func NewDenyExecOnPrivileged() *DenyExec

NewDenyExecOnPrivileged creates a new admission controller that is only checking the privileged option. This is for legacy support of the DenyExecOnPrivileged admission controller. Most of the time NewDenyEscalatingExec should be preferred.

func (*DenyExec) SetExternalKubeClientSet ¶ added in v1.13.0

func (d *DenyExec) SetExternalKubeClientSet(client kubernetes.Interface)

SetExternalKubeClientSet implements the WantsInternalKubeClientSet interface.

func (*DenyExec) Validate ¶ added in v1.9.0

func (d *DenyExec) Validate(a admission.Attributes, o admission.ObjectInterfaces) (err error)

Validate makes an admission decision based on the request attributes

func (*DenyExec) ValidateInitialization ¶ added in v1.9.0

func (d *DenyExec) ValidateInitialization() error

ValidateInitialization implements the InitializationValidator interface.

Source Files ¶

View all Source files

admission.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL