Affected by GO-2022-0617 and 2 other vulnerabilities

GO-2022-0617: WITHDRAWN: Potential proxy IP restriction bypass in Kubernetes in k8s.io/kubernetes

GO-2025-3521: Kubernetes GitRepo Volume Inadvertent Local Repository Access in k8s.io/kubernetes

GO-2025-3547: Kubernetes kube-apiserver Vulnerable to Race Condition in k8s.io/kubernetes

podcertificate

package

v1.35.0-beta.0 Latest Latest Go to latest Published: Nov 19, 2025 License: Apache-2.0 Imports: 32 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/kubernetes/kubernetes

Links

Open Source Insights

Documentation ¶

Index ¶

type IssuingManager
- func NewIssuingManager(kc kubernetes.Interface, podManager PodManager, recorder record.EventRecorder, ...) *IssuingManager
type Manager
type MetricReport
type NoOpManager
type PodManager
type SignerAndState

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type IssuingManager ¶

type IssuingManager struct {
	// contains filtered or unexported fields
}

IssuingManager is the main implementation of Manager.

The core construct is a workqueue that contains one entry for each PodCertificateProjection (tracked with a podname/volumename/sourceindex tuple) in each non-mirror Pod scheduled to the node. Everytime anything interesting happens to a PodCertificateRequest or Pod, we redrive all of the potentially-affected PodCertificateProjections into the workqueue.

State is not preserved across restarts --- if Kubelet or the node restarts, then all PodCertificateProjections will be queued for immediate refresh.

Refresh is handled by periodicially redriving all PodCertificateProjections into the queue.

func NewIssuingManager ¶

func NewIssuingManager(kc kubernetes.Interface, podManager PodManager, recorder record.EventRecorder, pcrInformer certinformersv1beta1.PodCertificateRequestInformer, nodeInformer coreinformersv1.NodeInformer, nodeName types.NodeName, clock clock.WithTicker) *IssuingManager

func (*IssuingManager) ForgetPod ¶

func (m *IssuingManager) ForgetPod(ctx context.Context, pod *corev1.Pod)

ForgetPod cleans up all pod certificate credentials for the specified pod.

The pod worker will notice that the pod no longer exists and clear any pending and live credentials associated with it.

func (*IssuingManager) GetPodCertificateCredentialBundle ¶

func (m *IssuingManager) GetPodCertificateCredentialBundle(ctx context.Context, namespace, podName, podUID, volumeName string, sourceIndex int) ([]byte, []byte, error)

func (*IssuingManager) MetricReport ¶

func (m *IssuingManager) MetricReport() *MetricReport

func (*IssuingManager) Run ¶

func (m *IssuingManager) Run(ctx context.Context)

func (*IssuingManager) TrackPod ¶

func (m *IssuingManager) TrackPod(ctx context.Context, pod *corev1.Pod)

TrackPod queues the pod's podCertificate projected volume sources for processing.

type Manager ¶

type Manager interface {
	// TrackPod is called by Kubelet every time a new pod is assigned to the node.
	TrackPod(ctx context.Context, pod *corev1.Pod)
	// ForgetPod is called by Kubelet every time a pod is dropped from the node.
	ForgetPod(ctx context.Context, pod *corev1.Pod)

	// GetPodCertificateCredentialBundle is called by the volume host to
	// retrieve the credential bundle for a given pod certificate volume.
	GetPodCertificateCredentialBundle(ctx context.Context, namespace, podName, podUID, volumeName string, sourceIndex int) (privKey []byte, certChain []byte, err error)

	// MetricReport returns a snapshot of current pod certificate states for this manager.
	MetricReport() *MetricReport
}

Manager abstracts the functionality needed by Kubelet and the volume host in order to provide pod certificate functionality.

type MetricReport ¶

type MetricReport struct {
	PodCertificateStates map[SignerAndState]int
}

MetricReport contains metrics about the current state of pod certificate projected volume sources.

type NoOpManager ¶

type NoOpManager struct{}

NoOpManager is an implementation of Manager that just returns errors, meant for use in static/detached Kubelet mode.

func (*NoOpManager) ForgetPod ¶

func (m *NoOpManager) ForgetPod(ctx context.Context, pod *corev1.Pod)

func (*NoOpManager) GetPodCertificateCredentialBundle ¶

func (m *NoOpManager) GetPodCertificateCredentialBundle(ctx context.Context, namespace, podName, podUID, volumeName string, sourceIndex int) ([]byte, []byte, error)

func (*NoOpManager) MetricReport ¶

func (m *NoOpManager) MetricReport() *MetricReport

func (*NoOpManager) TrackPod ¶

func (m *NoOpManager) TrackPod(ctx context.Context, pod *corev1.Pod)

type PodManager ¶

type PodManager interface {
	GetPodByUID(uid types.UID) (*corev1.Pod, bool)
	GetPods() []*corev1.Pod
}

PodManager is a local wrapper interface for pod.Manager.

type SignerAndState ¶

type SignerAndState struct {
	SignerName string
	State      string
}

SignerAndState represents a combination of a signer name and the state of a pod certificate.

Source Files ¶

View all Source files

podcertificatemanager.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL