From a2c9f8ab31e292e4978b9d82801c06968a12b0e4 Mon Sep 17 00:00:00 2001
From: Kun Zhou <156021375+Kun483@users.noreply.github.com>
Date: Mon, 20 May 2024 22:53:49 -0700
Subject: [PATCH 1/3] PCP-2916: make coreDNS 1.11.1 be available to use (#135)
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index 59358d05ff3e..9eb635b016dc 100644
--- a/go.mod
+++ b/go.mod
@@ -8,7 +8,7 @@ require (
 github.com/MakeNowJust/heredoc v1.0.0
 github.com/Masterminds/sprig/v3 v3.2.3
 github.com/blang/semver v3.5.1+incompatible
- github.com/coredns/corefile-migration v1.0.20
+ github.com/coredns/corefile-migration v1.0.21
 github.com/davecgh/go-spew v1.1.1
 github.com/docker/distribution v2.8.1+incompatible
 github.com/drone/envsubst/v2 v2.0.0-20210730161058-179042472c46
diff --git a/go.sum b/go.sum
index 82dcacd3beef..02d844908975 100644
--- a/go.sum
+++ b/go.sum
@@ -122,8 +122,8 @@ github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnht
 github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/coredns/caddy v1.1.0 h1:ezvsPrT/tA/7pYDBZxu0cT0VmWk75AfIaf6GSYCNMf0=
 github.com/coredns/caddy v1.1.0/go.mod h1:A6ntJQlAWuQfFlsd9hvigKbo2WS0VUs2l1e2F+BawD4=
-github.com/coredns/corefile-migration v1.0.20 h1:MdOkT6F3ehju/n9tgxlGct8XAajOX2vN+wG7To4BWSI=
-github.com/coredns/corefile-migration v1.0.20/go.mod h1:XnhgULOEouimnzgn0t4WPuFDN2/PJQcTxdWKC5eXNGE=
+github.com/coredns/corefile-migration v1.0.21 h1:W/DCETrHDiFo0Wj03EyMkaQ9fwsmSgqTCQDHpceaSsE=
+github.com/coredns/corefile-migration v1.0.21/go.mod h1:XnhgULOEouimnzgn0t4WPuFDN2/PJQcTxdWKC5eXNGE=
 github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
 github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-semver v0.1.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
From 7e6530191f7ee554b74be9b23d4c3ec19d9feb21 Mon Sep 17 00:00:00 2001
From: Jayesh Srivastava
Date: Thu, 27 Jun 2024 15:47:22 +0530
Subject: [PATCH 2/3] PCP-3114-3126-3127: CVE-2024-24790 Fix (#163)
---
 go.mod | 6 +++---
 go.sum | 8 ++++----
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/go.mod b/go.mod
index 9eb635b016dc..4d6f9c1ae0c1 100644
--- a/go.mod
+++ b/go.mod
@@ -2,7 +2,7 @@ module sigs.k8s.io/cluster-api
 go 1.22
-toolchain go1.22.2
+toolchain go1.22.4
 require (
 github.com/MakeNowJust/heredoc v1.0.0
@@ -10,7 +10,7 @@ require (
 github.com/blang/semver v3.5.1+incompatible
 github.com/coredns/corefile-migration v1.0.21
 github.com/davecgh/go-spew v1.1.1
- github.com/docker/distribution v2.8.1+incompatible
+ github.com/docker/distribution v2.8.2-beta.1+incompatible
 github.com/drone/envsubst/v2 v2.0.0-20210730161058-179042472c46
 github.com/evanphx/json-patch/v5 v5.6.0
 github.com/fatih/color v1.13.0
@@ -116,7 +116,7 @@ require (
 github.com/prometheus/common v0.37.0 // indirect
 github.com/prometheus/procfs v0.8.0 // indirect
 github.com/rivo/uniseg v0.4.2 // indirect
- github.com/russross/blackfriday v1.5.2 // indirect
+ github.com/russross/blackfriday v1.6.0 // indirect
 github.com/shopspring/decimal v1.3.1 // indirect
 github.com/spf13/afero v1.9.2 // indirect
 github.com/spf13/cast v1.5.0 // indirect
diff --git a/go.sum b/go.sum
index 02d844908975..27ac08b90dde 100644
--- a/go.sum
+++ b/go.sum
@@ -145,8 +145,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
-github.com/docker/distribution v2.8.1+incompatible h1:Q50tZOPR6T/hjNsyc9g8/syEs6bk8XXApsHjKukMl68=
-github.com/docker/distribution v2.8.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
+github.com/docker/distribution v2.8.2-beta.1+incompatible h1:gILO60VLD2v28ozemv4aAwDb8ds5U2O/vD/sBXbd7Rw=
+github.com/docker/distribution v2.8.2-beta.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
 github.com/drone/envsubst/v2 v2.0.0-20210730161058-179042472c46 h1:7QPwrLT79GlD5sizHf27aoY2RTvw62mO6x7mxkScNk0=
 github.com/drone/envsubst/v2 v2.0.0-20210730161058-179042472c46/go.mod h1:esf2rsHFNlZlxsqsZDojNBcnNs5REqIvRrWRHqX0vEU=
@@ -509,8 +509,8 @@ github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6L
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.6.1 h1:/FiVV8dS/e+YqF2JvO3yXRFbBLTIuSDkuC7aBOAvL+k=
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
-github.com/russross/blackfriday v1.5.2 h1:HyvC0ARfnZBqnXwABFeSZHpKvJHJJfPz81GNueLj0oo=
-github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
+github.com/russross/blackfriday v1.6.0 h1:KqfZb0pUVN2lYqZUYRddxF4OR8ZMURnJIG5Y3VRLtww=
+github.com/russross/blackfriday v1.6.0/go.mod h1:ti0ldHuxg49ri4ksnFxlkCfN+hvslNlmVHqNRXXJNAY=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/rwcarlsen/goexif v0.0.0-20190401172101-9e8deecbddbd/go.mod h1:hPqNNc0+uJM6H+SuU8sEs5K5IQeKccPqeSjfgcKGgPk=
From f6282f92dd556f231ccb7ccf40f83c24168ecd2e Mon Sep 17 00:00:00 2001
From: kun zhou
Date: Thu, 8 Aug 2024 12:34:51 -0700
Subject: [PATCH 3/3] PCP-3333-newfilter: add AdditionalFilters to filter out pods that have UnreachableToleration added AdditionalFilters to filter out pods that have UnreachableToleration
---
 .../controllers/machine/machine_controller.go | 21 ++++++++++++++++++-
 .../controllers/machine/machine_helpers.go | 10 +++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/internal/controllers/machine/machine_controller.go b/internal/controllers/machine/machine_controller.go
index 07ecd799c059..b954af750b53 100644
--- a/internal/controllers/machine/machine_controller.go
+++ b/internal/controllers/machine/machine_controller.go
@@ -57,7 +57,8 @@ import (
 const (
 // controllerName defines the controller used when creating clients.
- controllerName = "machine-controller"
+ controllerName = "machine-controller"
+ nodeUnreachableKey = "node.kubernetes.io/unschedulable"
 )
 var (
@@ -66,6 +67,11 @@ var (
 errNoControlPlaneNodes = errors.New("no control plane members")
 errClusterIsBeingDeleted = errors.New("cluster is being deleted")
 errControlPlaneIsBeingDeleted = errors.New("control plane is being deleted")
+ unreachableToleration = corev1.Toleration{
+ Key: nodeUnreachableKey,
+ Effect: corev1.TaintEffectNoSchedule,
+ Operator: corev1.TolerationOpExists,
+ }
 )
 // +kubebuilder:rbac:groups=core,resources=events,verbs=get;list;watch;create;patch
@@ -618,6 +624,9 @@ func (r *Reconciler) drainNode(ctx context.Context, cluster *clusterv1.Cluster,
 ErrOut: writer{func(msg string, keysAndValues ...interface{}) { log.Error(nil, msg, keysAndValues...) }},
+ AdditionalFilters: []kubedrain.PodFilter{
+ skipUnreachableTolerationPods,
+ },
 // SPECTRO: Even if the node is reachable, we wait 30 minutes for drain completion else move ahead
 SkipWaitForDeleteTimeoutSeconds: 60 * 30, // 30 minutes
 }
@@ -643,6 +652,16 @@ func (r *Reconciler) drainNode(ctx context.Context, cluster *clusterv1.Cluster,
 return ctrl.Result{}, nil
 }
+func skipUnreachableTolerationPods(pod corev1.Pod) kubedrain.PodDeleteStatus {
+ if pod.Spec.Tolerations == nil {
+ return kubedrain.MakePodDeleteStatusOkay()
+ }
+ if HasTolerations(&pod, &unreachableToleration) {
+ return kubedrain.MakePodDeleteStatusSkip()
+ }
+ return kubedrain.MakePodDeleteStatusOkay()
+}
+
 // shouldWaitForNodeVolumes returns true if node status still have volumes attached
 // pod deletion and volume detach happen asynchronously, so pod could be deleted before volume detached from the node
 // this could cause issue for some storage provisioner, for example, vsphere-volume this is problematic
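Review bot: `nodeUnreachableKey` in the first hunk is assigned `"node.kubernetes.io/unschedulable"`, the taint key that marks a cordoned node, not the `node.kubernetes.io/unreachable` taint that the constant's name, `unreachableToleration` in the second hunk and `skipUnreachableTolerationPods` in the fourth hunk all refer to, so the drain filter ends up skipping pods that tolerate the wrong taint (DaemonSet-managed pods, for instance, are given exactly the `unschedulable`/`NoSchedule`/`Exists` toleration, and kubedrain already has separate handling for them). Prefer the well-known constant so the string cannot drift: `nodeUnreachableKey = corev1.TaintNodeUnreachable`. Because `Toleration.MatchToleration` compares key, operator, value and effect exactly, the `TaintEffectNoSchedule` effect also needs confirming against the pods this is meant to catch — tolerations for the unreachable taint are commonly added with `NoExecute`, which this definition would not match. A skipped pod is left on a node that is subsequently removed instead of being evicted, and any pod author can opt a workload into that path just by adding the toleration, so a comment on `unreachableToleration` should state that intent and trade-off.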
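Review bot: `skipUnreachableTolerationPods` in the last hunk has no doc comment, and its `pod.Spec.Tolerations == nil` guard is redundant because `HasTolerations` ranges over the slice and a nil slice simply yields no iterations; the body collapses to `if HasTolerations(&pod, &unreachableToleration) { return kubedrain.MakePodDeleteStatusSkip() }` followed by `return kubedrain.MakePodDeleteStatusOkay()`. Suggested comment: `// skipUnreachableTolerationPods is a kubedrain.PodFilter that marks pods carrying unreachableToleration as skipped, so drain neither evicts nor waits for them; every other pod is evicted as usual.` Note also that `kubedrain.PodFilter` receives the Pod by value, so `&pod` points at the per-call copy — harmless here, but worth a word if anyone later expects the filter to see the caller's object.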
diff --git a/internal/controllers/machine/machine_helpers.go b/internal/controllers/machine/machine_helpers.go
index cc6b99a176b9..e653f582c8db 100644
--- a/internal/controllers/machine/machine_helpers.go
+++ b/internal/controllers/machine/machine_helpers.go
@@ -17,6 +17,7 @@ limitations under the License.
 package machine
 import (
+ corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/labels"
 )
@@ -37,3 +38,12 @@ func HasMatchingLabels(matchSelector metav1.LabelSelector, matchLabels map[strin
 }
 return true
 }
+
+func HasTolerations(pod *corev1.Pod, toleration *corev1.Toleration) bool {
+ for _, t := range pod.Spec.Tolerations {
+ if t.MatchToleration(toleration) {
+ return true
+ }
+ }
+ return false
+}
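Review bot: `HasTolerations` in the second hunk is exported without the doc comment Go expects on exported names, and the name reads as "does the pod have any tolerations" while the function reports whether one specific toleration is present. Suggested comment: `// HasTolerations reports whether pod.Spec.Tolerations contains an entry equal to toleration in key, operator, value and effect, as compared by Toleration.MatchToleration.` Both pointer parameters are dereferenced without a check, so a nil `pod` or `toleration` panics inside the drain path; guard with `if pod == nil || toleration == nil { return false }`. The only caller visible in this series is the drain filter in machine_controller.go, so if nothing outside the package needs it, an unexported `hasToleration` would keep it out of the package API.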