eks_cli icon indicating copy to clipboard operation
eks_cli copied to clipboard
verified publisher icon nanit

Update kubeclient requirement from = 4.1.0 to = 4.9.3

Open dependabot[bot] opened this issue 3 years ago • 1 comments

Updates the requirements on kubeclient to permit the latest version.

Changelog

Sourced from kubeclient's changelog.

4.9.3 — 2021-03-23

Fixed

  • VULNERABILITY FIX: Previously, whenever kubeconfig did not define custom CA (normal situation for production clusters with public domain and certificate!), Config was returning ssl_options[:verify_ssl] hard-coded to VERIFY_NONE :-(

    Assuming you passed those ssl_options to Kubeclient::Client, this means that instead of checking server's certificate against your system CA store, it would accept ANY certificate, allowing easy man-in-the middle attacks.

    This is especially dangerous with user/password or token credentials because MITM attacker could simply steal those credentials to the cluster and do anything you could do on the cluster.

    This was broken IN ALL RELEASES MADE BEFORE 2022, ever since Kubeclient::Config was created.

    #554.

  • Bug fix: kubeconfig insecure-skip-tls-verify field was ignored. When kubeconfig did define custom CA, Config was returning hard-coded VERIFY_PEER.

    Now we honor it, return VERIFY_NONE iff kubeconfig has explicit insecure-skip-tls-verify: true, otherwise VERIFY_PEER.

    #555.

  • Config: fixed parsing of certificate-authority file containing concatenation of several certificates. Previously, server's cert was checked against only first CA cert, resulting in possible "certificate verify failed" errors.

    An important use case is a chain of root & intermediate cert(s) - necessary when cluster's CA itself is signed by another custom CA. But also helps when you simply concatenate independent certs. (#461, #552)

    • Still broken (#460): inline certificate-authority-data is still parsed using add_cert method that handles only one cert.

These don't affect code that supplies Client parameters directly, only code that uses Config.

4.9.2 — 2021-05-30

Added

Removed

  • Reduce .gem size by dropping test/ directory, it's useless at run time (#502).

... (truncated)

Commits
  • c27893f Merge pull request #558 from cben/release-4.9.3
  • d7bc03d Bump kubeclient to 4.9.3
  • 109ea71 Merge pull request #556 from cben/v4.y-security-config-ssl_verify
  • e4cb727 CHANGELOG and README about Config verify_ssl vulnerability
  • aa36e89 SECURITY: integration tests for Config+Client verify_ssl with real cluster
  • c21e2b5 SECURITY: unit tests for Kubeclient::Config handling of ssl_options[:verify_ssl]
  • 5086eb8 Merge branch 'ancient-security-config-ssl_verify'
  • f61a4e1 Merge tag 'v4.6.0' into ancient-security-config-ssl_verify
  • 88483cf SECURITY: Kubeclient::Config: return ssl_options[:verify_ssl] correctly
  • e05c715 Merge pull request #552 from cben/v4.y-openssl-x509-store-add-file
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependabot[bot] avatar Apr 05 '22 21:04 dependabot[bot]

@nanit, I see your code uses Kubeclient::Config.read("#{ENV['HOME']}/.kube/config"). 4.9.3 fixed a severe issue in Config, in some scenarios causing insecure VERIFY_NONE connections that may leak cluster credentials — https://github.com/ManageIQ/kubeclient/issues/554

I did not test this but generally kubeclient obeys semver, AFAIK 4.9 remains backwards-compatible with 4.1.
(You may want to consider relaxing from an exact = dependency to '~> 4.9.3' allowing future 4.9.z versions, or '>= 4.9.3', '< 5.0.0' for any later 4.y.z, but that's up to you)

cben avatar Apr 12 '22 10:04 cben

Looks like kubeclient is up-to-date now, so this is no longer needed.

dependabot[bot] avatar Jan 31 '23 08:01 dependabot[bot]