diff --git a/go.mod b/go.mod index b6118c48c..cac2afaa2 100644 --- a/go.mod +++ b/go.mod @@ -21,13 +21,13 @@ require ( golang.org/x/net v0.17.0 google.golang.org/grpc v1.59.0 google.golang.org/protobuf v1.31.0 - k8s.io/api v0.28.1 - k8s.io/apimachinery v0.28.1 - k8s.io/client-go v0.28.1 - k8s.io/component-base v0.28.1 + k8s.io/api v0.28.4 + k8s.io/apimachinery v0.28.4 + k8s.io/client-go v0.28.4 + k8s.io/component-base v0.28.4 k8s.io/klog/v2 v2.100.1 - k8s.io/kubernetes v1.28.1 - k8s.io/mount-utils v0.28.1 + k8s.io/kubernetes v1.28.4 + k8s.io/mount-utils v0.28.4 k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 sigs.k8s.io/cloud-provider-azure v1.27.1-0.20230907063607-e9994a5f9c7a sigs.k8s.io/yaml v1.3.0 @@ -42,8 +42,8 @@ require ( github.com/onsi/ginkgo/v2 v2.11.0 github.com/pkg/errors v0.9.1 github.com/satori/go.uuid v1.2.0 - k8s.io/apiserver v0.28.1 - k8s.io/pod-security-admission v0.28.1 + k8s.io/apiserver v0.28.4 + k8s.io/pod-security-admission v0.28.4 ) require ( @@ -79,7 +79,7 @@ require ( github.com/gogo/protobuf v1.3.2 // indirect github.com/golang-jwt/jwt/v4 v4.5.0 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect - github.com/google/cel-go v0.16.0 // indirect + github.com/google/cel-go v0.16.1 // indirect github.com/google/gnostic-models v0.6.8 // indirect github.com/google/go-cmp v0.5.9 // indirect github.com/google/gofuzz v1.2.0 // indirect @@ -143,13 +143,13 @@ require ( gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/apiextensions-apiserver v0.0.0 // indirect - k8s.io/cloud-provider v0.28.1 // indirect - k8s.io/component-helpers v0.28.1 // indirect - k8s.io/controller-manager v0.28.1 // indirect - k8s.io/kms v0.28.1 // indirect + k8s.io/cloud-provider v0.28.4 // indirect + k8s.io/component-helpers v0.28.4 // indirect + k8s.io/controller-manager v0.28.4 // indirect + k8s.io/kms v0.28.4 // indirect k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect k8s.io/kubectl v0.0.0 // indirect - k8s.io/kubelet v0.28.1 // indirect + k8s.io/kubelet v0.28.4 // indirect sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.1.2 // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect @@ -158,31 +158,31 @@ require ( replace ( github.com/niemeyer/pretty => github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e go.etcd.io/etcd => go.etcd.io/etcd v0.0.0-20200410171415-59f5fb25a533 - k8s.io/api => k8s.io/api v0.28.1 - k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.28.1 - k8s.io/apimachinery => k8s.io/apimachinery v0.28.1 - k8s.io/apiserver => k8s.io/apiserver v0.28.1 - k8s.io/cli-runtime => k8s.io/cli-runtime v0.28.1 - k8s.io/client-go => k8s.io/client-go v0.28.1 - k8s.io/cloud-provider => k8s.io/cloud-provider v0.28.1 - k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.28.1 - k8s.io/code-generator => k8s.io/code-generator v0.28.1 - k8s.io/component-base => k8s.io/component-base v0.28.1 - k8s.io/component-helpers => k8s.io/component-helpers v0.28.1 - k8s.io/controller-manager => k8s.io/controller-manager v0.28.1 - k8s.io/cri-api => k8s.io/cri-api v0.28.1 - k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.28.1 - k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.28.1 - k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.28.1 - k8s.io/kube-proxy => k8s.io/kube-proxy v0.28.1 - k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.28.1 - k8s.io/kubectl => k8s.io/kubectl v0.28.1 - k8s.io/kubelet => k8s.io/kubelet v0.28.1 - k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.28.1 - k8s.io/metrics => k8s.io/metrics v0.28.1 - k8s.io/mount-utils => k8s.io/mount-utils v0.28.1 - k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.28.1 - k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.28.1 - k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.28.1 - k8s.io/sample-controller => k8s.io/sample-controller v0.28.1 + k8s.io/api => k8s.io/api v0.28.4 + k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.28.4 + k8s.io/apimachinery => k8s.io/apimachinery v0.28.4 + k8s.io/apiserver => k8s.io/apiserver v0.28.4 + k8s.io/cli-runtime => k8s.io/cli-runtime v0.28.4 + k8s.io/client-go => k8s.io/client-go v0.28.4 + k8s.io/cloud-provider => k8s.io/cloud-provider v0.28.4 + k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.28.4 + k8s.io/code-generator => k8s.io/code-generator v0.28.4 + k8s.io/component-base => k8s.io/component-base v0.28.4 + k8s.io/component-helpers => k8s.io/component-helpers v0.28.4 + k8s.io/controller-manager => k8s.io/controller-manager v0.28.4 + k8s.io/cri-api => k8s.io/cri-api v0.28.4 + k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.28.4 + k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.28.4 + k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.28.4 + k8s.io/kube-proxy => k8s.io/kube-proxy v0.28.4 + k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.28.4 + k8s.io/kubectl => k8s.io/kubectl v0.28.4 + k8s.io/kubelet => k8s.io/kubelet v0.28.4 + k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.28.4 + k8s.io/metrics => k8s.io/metrics v0.28.4 + k8s.io/mount-utils => k8s.io/mount-utils v0.28.4 + k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.28.4 + k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.28.4 + k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.28.4 + k8s.io/sample-controller => k8s.io/sample-controller v0.28.4 ) diff --git a/go.sum b/go.sum index 0fe77fd6d..42063626b 100644 --- a/go.sum +++ b/go.sum @@ -204,8 +204,8 @@ github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiu github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4= -github.com/google/cel-go v0.16.0 h1:DG9YQ8nFCFXAs/FDDwBxmL1tpKNrdlGUM9U3537bX/Y= -github.com/google/cel-go v0.16.0/go.mod h1:HXZKzB0LXqer5lHHgfWAnlYwJaQBDKMjxjulNQzhwhY= +github.com/google/cel-go v0.16.1 h1:3hZfSNiAU3KOiNtxuFXVp5WFy4hf/Ly3Sa4/7F8SXNo= +github.com/google/cel-go v0.16.1/go.mod h1:HXZKzB0LXqer5lHHgfWAnlYwJaQBDKMjxjulNQzhwhY= github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= @@ -737,41 +737,41 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -k8s.io/api v0.28.1 h1:i+0O8k2NPBCPYaMB+uCkseEbawEt/eFaiRqUx8aB108= -k8s.io/api v0.28.1/go.mod h1:uBYwID+66wiL28Kn2tBjBYQdEU0Xk0z5qF8bIBqk/Dg= -k8s.io/apiextensions-apiserver v0.28.1 h1:l2ThkBRjrWpw4f24uq0Da2HaEgqJZ7pcgiEUTKSmQZw= -k8s.io/apiextensions-apiserver v0.28.1/go.mod h1:sVvrI+P4vxh2YBBcm8n2ThjNyzU4BQGilCQ/JAY5kGs= -k8s.io/apimachinery v0.28.1 h1:EJD40og3GizBSV3mkIoXQBsws32okPOy+MkRyzh6nPY= -k8s.io/apimachinery v0.28.1/go.mod h1:X0xh/chESs2hP9koe+SdIAcXWcQ+RM5hy0ZynB+yEvw= -k8s.io/apiserver v0.28.1 h1:dw2/NKauDZCnOUAzIo2hFhtBRUo6gQK832NV8kuDbGM= -k8s.io/apiserver v0.28.1/go.mod h1:d8aizlSRB6yRgJ6PKfDkdwCy2DXt/d1FDR6iJN9kY1w= -k8s.io/client-go v0.28.1 h1:pRhMzB8HyLfVwpngWKE8hDcXRqifh1ga2Z/PU9SXVK8= -k8s.io/client-go v0.28.1/go.mod h1:pEZA3FqOsVkCc07pFVzK076R+P/eXqsgx5zuuRWukNE= -k8s.io/cloud-provider v0.28.1 h1:bR7lIRYBHqxfsOkUsY2hJ7V7vmStxb0wjJJdrID8+7I= -k8s.io/cloud-provider v0.28.1/go.mod h1:7jxsc3c15go606KLXnUq8Cy4nX1R1dxFRgn/czIJp/Q= -k8s.io/component-base v0.28.1 h1:LA4AujMlK2mr0tZbQDZkjWbdhTV5bRyEyAFe0TJxlWg= -k8s.io/component-base v0.28.1/go.mod h1:jI11OyhbX21Qtbav7JkhehyBsIRfnO8oEgoAR12ArIU= -k8s.io/component-helpers v0.28.1 h1:ts/vykhyUmPLhUl/hdLdf+a4BWA0giQ3f25HAIhl+RI= -k8s.io/component-helpers v0.28.1/go.mod h1:rHFPj33uXNbgppg+ilmjJ4oR73prZQNRRmg+utVOAb0= -k8s.io/controller-manager v0.28.1 h1:+md/3DAsdLVoMe3AewhyTxljnPLE/gyshTDZ8sX4Rf0= -k8s.io/controller-manager v0.28.1/go.mod h1:yZ8aOBpMYOBTAI/Jd0qpaUzZUlQigmtRcdYg2VgWKiU= -k8s.io/csi-translation-lib v0.28.1 h1:6EdpqKbwgJEcLxRzcGR1GnbyJrcTcUMhHTYfMwFT3LA= +k8s.io/api v0.28.4 h1:8ZBrLjwosLl/NYgv1P7EQLqoO8MGQApnbgH8tu3BMzY= +k8s.io/api v0.28.4/go.mod h1:axWTGrY88s/5YE+JSt4uUi6NMM+gur1en2REMR7IRj0= +k8s.io/apiextensions-apiserver v0.28.4 h1:AZpKY/7wQ8n+ZYDtNHbAJBb+N4AXXJvyZx6ww6yAJvU= +k8s.io/apiextensions-apiserver v0.28.4/go.mod h1:pgQIZ1U8eJSMQcENew/0ShUTlePcSGFq6dxSxf2mwPM= +k8s.io/apimachinery v0.28.4 h1:zOSJe1mc+GxuMnFzD4Z/U1wst50X28ZNsn5bhgIIao8= +k8s.io/apimachinery v0.28.4/go.mod h1:wI37ncBvfAoswfq626yPTe6Bz1c22L7uaJ8dho83mgg= +k8s.io/apiserver v0.28.4 h1:BJXlaQbAU/RXYX2lRz+E1oPe3G3TKlozMMCZWu5GMgg= +k8s.io/apiserver v0.28.4/go.mod h1:Idq71oXugKZoVGUUL2wgBCTHbUR+FYTWa4rq9j4n23w= +k8s.io/client-go v0.28.4 h1:Np5ocjlZcTrkyRJ3+T3PkXDpe4UpatQxj85+xjaD2wY= +k8s.io/client-go v0.28.4/go.mod h1:0VDZFpgoZfelyP5Wqu0/r/TRYcLYuJ2U1KEeoaPa1N4= +k8s.io/cloud-provider v0.28.4 h1:7obmeuJJ5CYTO9HANDqemf/d2v95U+F0t8aeH4jNOsQ= +k8s.io/cloud-provider v0.28.4/go.mod h1:xbhmGZ7wRHgXFP3SNsvdmFRO87KJIvirDYQA5ydMgGA= +k8s.io/component-base v0.28.4 h1:c/iQLWPdUgI90O+T9TeECg8o7N3YJTiuz2sKxILYcYo= +k8s.io/component-base v0.28.4/go.mod h1:m9hR0uvqXDybiGL2nf/3Lf0MerAfQXzkfWhUY58JUbU= +k8s.io/component-helpers v0.28.4 h1:+X9VXT5+jUsRdC26JyMZ8Fjfln7mSjgumafocE509C4= +k8s.io/component-helpers v0.28.4/go.mod h1:8LzMalOQ0K10tkBJWBWq8h0HTI9HDPx4WT3QvTFn9Ro= +k8s.io/controller-manager v0.28.4 h1:8uJmo1pD6fWYk4mC/JfZQU6zPvuCgEHf3pd5G39ldDU= +k8s.io/controller-manager v0.28.4/go.mod h1:pnO+UK2mcWNu1MxucqI8xHPD/8UBm04IUmp2u/3vbnM= +k8s.io/csi-translation-lib v0.28.4 h1:4TrU2zefZGU5HQCyPZvcPxkS6IowqZ/jBs2Qi/dPUpc= k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= -k8s.io/kms v0.28.1 h1:QLNTIc0k7Yebkt9yobj9Y9qBoRCMB4dq+pFCxVXVBnY= -k8s.io/kms v0.28.1/go.mod h1:I2TwA8oerDRInHWWBOqSUzv1EJDC1+55FQKYkxaPxh0= +k8s.io/kms v0.28.4 h1:PMgY/3CQTWP9eIKmNQiTgjLIZ0ns6O+voagzD2/4mSg= +k8s.io/kms v0.28.4/go.mod h1:HL4/lR/bhjAJPbqycKtfhWiKh1Sp21cpHOL8P4oo87w= k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 h1:LyMgNKD2P8Wn1iAwQU5OhxCKlKJy0sHc+PcDwFB24dQ= k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM= -k8s.io/kubectl v0.28.1 h1:jAq4yKEqQL+fwkWcEsUWxhJ7uIRcOYQraJxx4SyAMTY= -k8s.io/kubectl v0.28.1/go.mod h1:a0nk/lMMeKBulp0lMTJAKbkjZg1ykqfLfz/d6dnv1ak= -k8s.io/kubelet v0.28.1 h1:QRfx+jrzNgkLnMSw/nxGkAN7cjHPO446MDbjPITxLkk= -k8s.io/kubelet v0.28.1/go.mod h1:xYBbbJ0e2Rtb/hv+QFie448lFF81J990ImIptce2AHk= -k8s.io/kubernetes v1.28.1 h1:ZQuukGbpVjSbMypkjNErpbsSHni6RPgoqz+2zDBsuMY= -k8s.io/kubernetes v1.28.1/go.mod h1:rBQpjGYlLBV0KuOLw8EG45N5EBCskWiPpi0xy5liHMI= -k8s.io/mount-utils v0.28.1 h1:oyPtn8ZVxniBfwSlQaBF4fr7QVNYzUuk+gkuxEJgil0= -k8s.io/mount-utils v0.28.1/go.mod h1:AyP8LmZSLgpGdFQr+vzHTerlPiGvXUdP99n98Er47jw= -k8s.io/pod-security-admission v0.28.1 h1:d3jvo/+C6yDR1wnlX9ot1WvLyJ5R4uachJyxhdn9cW8= -k8s.io/pod-security-admission v0.28.1/go.mod h1:Qm1rSy3l96m6QXGNU/8u+cmdpNdmAeA3OYDinrXhi6U= +k8s.io/kubectl v0.28.4 h1:gWpUXW/T7aFne+rchYeHkyB8eVDl5UZce8G4X//kjUQ= +k8s.io/kubectl v0.28.4/go.mod h1:CKOccVx3l+3MmDbkXtIUtibq93nN2hkDR99XDCn7c/c= +k8s.io/kubelet v0.28.4 h1:Ypxy1jaFlSXFXbg/yVtFOU2ZxErBVRJfLu8+t4s7Dtw= +k8s.io/kubelet v0.28.4/go.mod h1:w1wPI12liY/aeC70nqKYcNNkr6/nbyvdMB7P7wmww2o= +k8s.io/kubernetes v1.28.4 h1:aRNxs5jb8FVTtlnxeA4FSDBVKuFwA8Gw40/U2zReBYA= +k8s.io/kubernetes v1.28.4/go.mod h1:BTzDCKYAlu6LL9ITbfjwgwIrJ30hlTgbv0eXDoA/WoA= +k8s.io/mount-utils v0.28.4 h1:5GOZLm2dXi2fr+MKY8hS6kdV5reXrZBiK7848O5MVD0= +k8s.io/mount-utils v0.28.4/go.mod h1:ceMAZ+Nzlk8zOwN205YXXGJRGmf1o0/XIwsKnG44p0I= +k8s.io/pod-security-admission v0.28.4 h1:b9d6zfKNjkawrO2gF7rBr5XoSZqPfE6UjKLNjgXYrr0= +k8s.io/pod-security-admission v0.28.4/go.mod h1:MVYrZx0Q6ewsZ05Ml2+Ox03HQMAVjO60oombQNmJ44E= k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk= k8s.io/utils v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= diff --git a/vendor/github.com/google/cel-go/checker/cost.go b/vendor/github.com/google/cel-go/checker/cost.go index 8ae8d18bf..ef58df766 100644 --- a/vendor/github.com/google/cel-go/checker/cost.go +++ b/vendor/github.com/google/cel-go/checker/cost.go @@ -533,14 +533,34 @@ func (c *coster) functionCost(function, overloadID string, target *AstNode, args if est := c.estimator.EstimateCallCost(function, overloadID, target, args); est != nil { callEst := *est - return CallEstimate{CostEstimate: callEst.Add(argCostSum())} + return CallEstimate{CostEstimate: callEst.Add(argCostSum()), ResultSize: est.ResultSize} } switch overloadID { // O(n) functions - case overloads.StartsWithString, overloads.EndsWithString, overloads.StringToBytes, overloads.BytesToString, overloads.ExtQuoteString, overloads.ExtFormatString: - if overloadID == overloads.ExtFormatString { + case overloads.ExtFormatString: + if target != nil { + // ResultSize not calculated because we can't bound the max size. return CallEstimate{CostEstimate: c.sizeEstimate(*target).MultiplyByCostFactor(common.StringTraversalCostFactor).Add(argCostSum())} } + case overloads.StringToBytes: + if len(args) == 1 { + sz := c.sizeEstimate(args[0]) + // ResultSize max is when each char converts to 4 bytes. + return CallEstimate{CostEstimate: sz.MultiplyByCostFactor(common.StringTraversalCostFactor).Add(argCostSum()), ResultSize: &SizeEstimate{Min: sz.Min, Max: sz.Max * 4}} + } + case overloads.BytesToString: + if len(args) == 1 { + sz := c.sizeEstimate(args[0]) + // ResultSize min is when 4 bytes convert to 1 char. + return CallEstimate{CostEstimate: sz.MultiplyByCostFactor(common.StringTraversalCostFactor).Add(argCostSum()), ResultSize: &SizeEstimate{Min: sz.Min / 4, Max: sz.Max}} + } + case overloads.ExtQuoteString: + if len(args) == 1 { + sz := c.sizeEstimate(args[0]) + // ResultSize max is when each char is escaped. 2 quote chars always added. + return CallEstimate{CostEstimate: sz.MultiplyByCostFactor(common.StringTraversalCostFactor).Add(argCostSum()), ResultSize: &SizeEstimate{Min: sz.Min + 2, Max: sz.Max*2 + 2}} + } + case overloads.StartsWithString, overloads.EndsWithString: if len(args) == 1 { return CallEstimate{CostEstimate: c.sizeEstimate(args[0]).MultiplyByCostFactor(common.StringTraversalCostFactor).Add(argCostSum())} } diff --git a/vendor/k8s.io/api/batch/v1/generated.proto b/vendor/k8s.io/api/batch/v1/generated.proto index e1bef3a46..4f0822440 100644 --- a/vendor/k8s.io/api/batch/v1/generated.proto +++ b/vendor/k8s.io/api/batch/v1/generated.proto @@ -530,6 +530,7 @@ message PodFailurePolicyRule { // as a list of pod condition patterns. The requirement is satisfied if at // least one pattern matches an actual pod condition. At most 20 elements are allowed. // +listType=atomic + // +optional repeated PodFailurePolicyOnPodConditionsPattern onPodConditions = 3; } diff --git a/vendor/k8s.io/api/batch/v1/types.go b/vendor/k8s.io/api/batch/v1/types.go index 883d193aa..8a28614c0 100644 --- a/vendor/k8s.io/api/batch/v1/types.go +++ b/vendor/k8s.io/api/batch/v1/types.go @@ -236,6 +236,7 @@ type PodFailurePolicyRule struct { // as a list of pod condition patterns. The requirement is satisfied if at // least one pattern matches an actual pod condition. At most 20 elements are allowed. // +listType=atomic + // +optional OnPodConditions []PodFailurePolicyOnPodConditionsPattern `json:"onPodConditions" protobuf:"bytes,3,opt,name=onPodConditions"` } diff --git a/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go b/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go index d738725ca..3674914f7 100644 --- a/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go +++ b/vendor/k8s.io/apimachinery/pkg/util/runtime/runtime.go @@ -126,14 +126,17 @@ type rudimentaryErrorBackoff struct { // OnError will block if it is called more often than the embedded period time. // This will prevent overly tight hot error loops. func (r *rudimentaryErrorBackoff) OnError(error) { + now := time.Now() // start the timer before acquiring the lock r.lastErrorTimeLock.Lock() - defer r.lastErrorTimeLock.Unlock() - d := time.Since(r.lastErrorTime) - if d < r.minPeriod { - // If the time moves backwards for any reason, do nothing - time.Sleep(r.minPeriod - d) - } + d := now.Sub(r.lastErrorTime) r.lastErrorTime = time.Now() + r.lastErrorTimeLock.Unlock() + + // Do not sleep with the lock held because that causes all callers of HandleError to block. + // We only want the current goroutine to block. + // A negative or zero duration causes time.Sleep to return immediately. + // If the time moves backwards for any reason, do nothing. + time.Sleep(r.minPeriod - d) } // GetCaller returns the caller of the function that calls it. diff --git a/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating/dispatcher.go b/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating/dispatcher.go index af237ae0c..437e53dc9 100644 --- a/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating/dispatcher.go +++ b/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/mutating/dispatcher.go @@ -20,6 +20,7 @@ package mutating import ( "context" + "errors" "fmt" "time" @@ -168,13 +169,12 @@ func (a *mutatingDispatcher) Dispatch(ctx context.Context, attr admission.Attrib if err != nil { switch err := err.(type) { case *webhookutil.ErrCallingWebhook: - if ctx.Err() == context.Canceled { - klog.Warningf("Context Canceled when calling webhook %v", hook.Name) - return err - } if !ignoreClientCallFailures { rejected = true - admissionmetrics.Metrics.ObserveWebhookRejection(ctx, hook.Name, "admit", string(versionedAttr.Attributes.GetOperation()), admissionmetrics.WebhookRejectionCallingWebhookError, int(err.Status.ErrStatus.Code)) + // Ignore context cancelled from webhook metrics + if !errors.Is(err.Reason, context.Canceled) { + admissionmetrics.Metrics.ObserveWebhookRejection(ctx, hook.Name, "admit", string(versionedAttr.Attributes.GetOperation()), admissionmetrics.WebhookRejectionCallingWebhookError, int(err.Status.ErrStatus.Code)) + } } admissionmetrics.Metrics.ObserveWebhook(ctx, hook.Name, time.Since(t), rejected, versionedAttr.Attributes, "admit", int(err.Status.ErrStatus.Code)) case *webhookutil.ErrWebhookRejection: @@ -203,10 +203,14 @@ func (a *mutatingDispatcher) Dispatch(ctx context.Context, attr admission.Attrib if callErr, ok := err.(*webhookutil.ErrCallingWebhook); ok { if ignoreClientCallFailures { - klog.Warningf("Failed calling webhook, failing open %v: %v", hook.Name, callErr) - admissionmetrics.Metrics.ObserveWebhookFailOpen(ctx, hook.Name, "admit") - annotator.addFailedOpenAnnotation() - + // Ignore context cancelled from webhook metrics + if errors.Is(callErr.Reason, context.Canceled) { + klog.Warningf("Context canceled when calling webhook %v", hook.Name) + } else { + klog.Warningf("Failed calling webhook, failing open %v: %v", hook.Name, callErr) + admissionmetrics.Metrics.ObserveWebhookFailOpen(ctx, hook.Name, "admit") + annotator.addFailedOpenAnnotation() + } utilruntime.HandleError(callErr) select { diff --git a/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/validating/dispatcher.go b/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/validating/dispatcher.go index af435649b..1a633d241 100644 --- a/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/validating/dispatcher.go +++ b/vendor/k8s.io/apiserver/pkg/admission/plugin/webhook/validating/dispatcher.go @@ -18,6 +18,7 @@ package validating import ( "context" + "errors" "fmt" "sync" "time" @@ -173,13 +174,12 @@ func (d *validatingDispatcher) Dispatch(ctx context.Context, attr admission.Attr if err != nil { switch err := err.(type) { case *webhookutil.ErrCallingWebhook: - if ctx.Err() == context.Canceled { - klog.Warningf("Context Canceled when calling webhook %v", hook.Name) - return - } if !ignoreClientCallFailures { rejected = true - admissionmetrics.Metrics.ObserveWebhookRejection(ctx, hook.Name, "validating", string(versionedAttr.Attributes.GetOperation()), admissionmetrics.WebhookRejectionCallingWebhookError, int(err.Status.ErrStatus.Code)) + // Ignore context cancelled from webhook metrics + if !errors.Is(err.Reason, context.Canceled) { + admissionmetrics.Metrics.ObserveWebhookRejection(ctx, hook.Name, "validating", string(versionedAttr.Attributes.GetOperation()), admissionmetrics.WebhookRejectionCallingWebhookError, int(err.Status.ErrStatus.Code)) + } } admissionmetrics.Metrics.ObserveWebhook(ctx, hook.Name, time.Since(t), rejected, versionedAttr.Attributes, "validating", int(err.Status.ErrStatus.Code)) case *webhookutil.ErrWebhookRejection: @@ -198,12 +198,17 @@ func (d *validatingDispatcher) Dispatch(ctx context.Context, attr admission.Attr if callErr, ok := err.(*webhookutil.ErrCallingWebhook); ok { if ignoreClientCallFailures { - klog.Warningf("Failed calling webhook, failing open %v: %v", hook.Name, callErr) - admissionmetrics.Metrics.ObserveWebhookFailOpen(ctx, hook.Name, "validating") - key := fmt.Sprintf("%sround_0_index_%d", ValidatingAuditAnnotationFailedOpenKeyPrefix, idx) - value := hook.Name - if err := versionedAttr.Attributes.AddAnnotation(key, value); err != nil { - klog.Warningf("Failed to set admission audit annotation %s to %s for validating webhook %s: %v", key, value, hook.Name, err) + // Ignore context cancelled from webhook metrics + if errors.Is(callErr.Reason, context.Canceled) { + klog.Warningf("Context canceled when calling webhook %v", hook.Name) + } else { + klog.Warningf("Failed calling webhook, failing open %v: %v", hook.Name, callErr) + admissionmetrics.Metrics.ObserveWebhookFailOpen(ctx, hook.Name, "validating") + key := fmt.Sprintf("%sround_0_index_%d", ValidatingAuditAnnotationFailedOpenKeyPrefix, idx) + value := hook.Name + if err := versionedAttr.Attributes.AddAnnotation(key, value); err != nil { + klog.Warningf("Failed to set admission audit annotation %s to %s for validating webhook %s: %v", key, value, hook.Name, err) + } } utilruntime.HandleError(callErr) return diff --git a/vendor/k8s.io/apiserver/pkg/cel/library/cost.go b/vendor/k8s.io/apiserver/pkg/cel/library/cost.go index 5201d187b..3d1b3fbb2 100644 --- a/vendor/k8s.io/apiserver/pkg/cel/library/cost.go +++ b/vendor/k8s.io/apiserver/pkg/cel/library/cost.go @@ -126,13 +126,51 @@ func (l *CostEstimator) EstimateCallCost(function, overloadId string, target *ch sz := l.sizeEstimate(*target) toReplaceSz := l.sizeEstimate(args[0]) replaceWithSz := l.sizeEstimate(args[1]) - // smallest possible result: smallest input size composed of the largest possible substrings being replaced by smallest possible replacement - minSz := uint64(math.Ceil(float64(sz.Min)/float64(toReplaceSz.Max))) * replaceWithSz.Min - // largest possible result: largest input size composed of the smallest possible substrings being replaced by largest possible replacement - maxSz := uint64(math.Ceil(float64(sz.Max)/float64(toReplaceSz.Min))) * replaceWithSz.Max + + var replaceCount, retainedSz checker.SizeEstimate + // find the longest replacement: + if toReplaceSz.Min == 0 { + // if the string being replaced is empty, replace surrounds all characters in the input string with the replacement. + if sz.Max < math.MaxUint64 { + replaceCount.Max = sz.Max + 1 + } else { + replaceCount.Max = sz.Max + } + // Include the length of the longest possible original string length. + retainedSz.Max = sz.Max + } else if replaceWithSz.Max <= toReplaceSz.Min { + // If the replacement does not make the result longer, use the original string length. + replaceCount.Max = 0 + retainedSz.Max = sz.Max + } else { + // Replace the smallest possible substrings with the largest possible replacement + // as many times as possible. + replaceCount.Max = uint64(math.Ceil(float64(sz.Max) / float64(toReplaceSz.Min))) + } + + // find the shortest replacement: + if toReplaceSz.Max == 0 { + // if the string being replaced is empty, replace surrounds all characters in the input string with the replacement. + if sz.Min < math.MaxUint64 { + replaceCount.Min = sz.Min + 1 + } else { + replaceCount.Min = sz.Min + } + // Include the length of the shortest possible original string length. + retainedSz.Min = sz.Min + } else if toReplaceSz.Max <= replaceWithSz.Min { + // If the replacement does not make the result shorter, use the original string length. + replaceCount.Min = 0 + retainedSz.Min = sz.Min + } else { + // Replace the largest possible substrings being with the smallest possible replacement + // as many times as possible. + replaceCount.Min = uint64(math.Ceil(float64(sz.Min) / float64(toReplaceSz.Max))) + } + size := replaceCount.Multiply(replaceWithSz).Add(retainedSz) // cost is the traversal plus the construction of the result - return &checker.CallEstimate{CostEstimate: sz.MultiplyByCostFactor(2 * common.StringTraversalCostFactor), ResultSize: &checker.SizeEstimate{Min: minSz, Max: maxSz}} + return &checker.CallEstimate{CostEstimate: sz.MultiplyByCostFactor(2 * common.StringTraversalCostFactor), ResultSize: &size} } case "split": if target != nil { diff --git a/vendor/k8s.io/apiserver/pkg/endpoints/filters/authentication.go b/vendor/k8s.io/apiserver/pkg/endpoints/filters/authentication.go index 277bdcdfe..64b3569d0 100644 --- a/vendor/k8s.io/apiserver/pkg/endpoints/filters/authentication.go +++ b/vendor/k8s.io/apiserver/pkg/endpoints/filters/authentication.go @@ -29,8 +29,11 @@ import ( "k8s.io/apiserver/pkg/authentication/authenticator" "k8s.io/apiserver/pkg/authentication/authenticatorfactory" "k8s.io/apiserver/pkg/authentication/request/headerrequest" + "k8s.io/apiserver/pkg/authentication/user" "k8s.io/apiserver/pkg/endpoints/handlers/responsewriters" genericapirequest "k8s.io/apiserver/pkg/endpoints/request" + genericfeatures "k8s.io/apiserver/pkg/features" + utilfeature "k8s.io/apiserver/pkg/util/feature" "k8s.io/klog/v2" ) @@ -101,6 +104,18 @@ func withAuthentication(handler http.Handler, auth authenticator.Request, failed ) } + // http2 is an expensive protocol that is prone to abuse, + // see CVE-2023-44487 and CVE-2023-39325 for an example. + // Do not allow unauthenticated clients to keep these + // connections open (i.e. basically degrade them to the + // performance of http1 with keep-alive disabled). + if utilfeature.DefaultFeatureGate.Enabled(genericfeatures.UnauthenticatedHTTP2DOSMitigation) && req.ProtoMajor == 2 && isAnonymousUser(resp.User) { + // limit this connection to just this request, + // and then send a GOAWAY and tear down the TCP connection + // https://github.com/golang/net/commit/97aa3a539ec716117a9d15a4659a911f50d13c3c + w.Header().Set("Connection", "close") + } + req = req.WithContext(genericapirequest.WithUser(req.Context(), resp.User)) handler.ServeHTTP(w, req) }) @@ -108,6 +123,17 @@ func withAuthentication(handler http.Handler, auth authenticator.Request, failed func Unauthorized(s runtime.NegotiatedSerializer) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) { + // http2 is an expensive protocol that is prone to abuse, + // see CVE-2023-44487 and CVE-2023-39325 for an example. + // Do not allow unauthenticated clients to keep these + // connections open (i.e. basically degrade them to the + // performance of http1 with keep-alive disabled). + if utilfeature.DefaultFeatureGate.Enabled(genericfeatures.UnauthenticatedHTTP2DOSMitigation) && req.ProtoMajor == 2 { + // limit this connection to just this request, + // and then send a GOAWAY and tear down the TCP connection + // https://github.com/golang/net/commit/97aa3a539ec716117a9d15a4659a911f50d13c3c + w.Header().Set("Connection", "close") + } ctx := req.Context() requestInfo, found := genericapirequest.RequestInfoFrom(ctx) if !found { @@ -127,3 +153,15 @@ func audiencesAreAcceptable(apiAuds, responseAudiences authenticator.Audiences) return len(apiAuds.Intersect(responseAudiences)) > 0 } + +func isAnonymousUser(u user.Info) bool { + if u.GetName() == user.Anonymous { + return true + } + for _, group := range u.GetGroups() { + if group == user.AllUnauthenticated { + return true + } + } + return false +} diff --git a/vendor/k8s.io/apiserver/pkg/features/kube_features.go b/vendor/k8s.io/apiserver/pkg/features/kube_features.go index f1d1879ec..2276e2daf 100644 --- a/vendor/k8s.io/apiserver/pkg/features/kube_features.go +++ b/vendor/k8s.io/apiserver/pkg/features/kube_features.go @@ -182,6 +182,24 @@ const ( // Enables server-side field validation. ServerSideFieldValidation featuregate.Feature = "ServerSideFieldValidation" + // owner: @enj + // beta: v1.29 + // + // Enables http2 DOS mitigations for unauthenticated clients. + // + // Some known reasons to disable these mitigations: + // + // An API server that is fronted by an L7 load balancer that is set up + // to mitigate http2 attacks may opt to disable this protection to prevent + // unauthenticated clients from disabling connection reuse between the load + // balancer and the API server (many incoming connections could share the + // same backend connection). + // + // An API server that is on a private network may opt to disable this + // protection to prevent performance regressions for unauthenticated + // clients. + UnauthenticatedHTTP2DOSMitigation featuregate.Feature = "UnauthenticatedHTTP2DOSMitigation" + // owner: @caesarxuchao @roycaihw // alpha: v1.20 // @@ -276,6 +294,8 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS StorageVersionHash: {Default: true, PreRelease: featuregate.Beta}, + UnauthenticatedHTTP2DOSMitigation: {Default: false, PreRelease: featuregate.Beta}, + WatchBookmark: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, InPlacePodVerticalScaling: {Default: false, PreRelease: featuregate.Alpha}, diff --git a/vendor/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go b/vendor/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go index 13819bf90..fcb41942f 100644 --- a/vendor/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go +++ b/vendor/k8s.io/apiserver/pkg/server/options/encryptionconfig/config.go @@ -43,12 +43,13 @@ import ( "k8s.io/apiserver/pkg/apis/config/validation" "k8s.io/apiserver/pkg/features" "k8s.io/apiserver/pkg/server/healthz" + "k8s.io/apiserver/pkg/server/options/encryptionconfig/metrics" storagevalue "k8s.io/apiserver/pkg/storage/value" aestransformer "k8s.io/apiserver/pkg/storage/value/encrypt/aes" "k8s.io/apiserver/pkg/storage/value/encrypt/envelope" envelopekmsv2 "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2" kmstypes "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/kmsv2/v2" - "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/metrics" + envelopemetrics "k8s.io/apiserver/pkg/storage/value/encrypt/envelope/metrics" "k8s.io/apiserver/pkg/storage/value/encrypt/identity" "k8s.io/apiserver/pkg/storage/value/encrypt/secretbox" utilfeature "k8s.io/apiserver/pkg/util/feature" @@ -104,6 +105,12 @@ const ( kmsReloadHealthCheckName = "kms-providers" ) +func init() { + metrics.RegisterMetrics() + storagevalue.RegisterMetrics() + envelopemetrics.RegisterMetrics() +} + type kmsPluginHealthzResponse struct { err error received time.Time @@ -445,10 +452,10 @@ func (h *kmsv2PluginProbe) isKMSv2ProviderHealthyAndMaybeRotateDEK(ctx context.C } if errCode, err := envelopekmsv2.ValidateKeyID(response.KeyID); err != nil { - metrics.RecordInvalidKeyIDFromStatus(h.name, string(errCode)) + envelopemetrics.RecordInvalidKeyIDFromStatus(h.name, string(errCode)) errs = append(errs, fmt.Errorf("got invalid KMSv2 KeyID hash %q: %w", envelopekmsv2.GetHashIfNotEmpty(response.KeyID), err)) } else { - metrics.RecordKeyIDFromStatus(h.name, response.KeyID) + envelopemetrics.RecordKeyIDFromStatus(h.name, response.KeyID) // unconditionally append as we filter out nil errors below errs = append(errs, h.rotateDEKOnKeyIDChange(ctx, response.KeyID, string(uuid.NewUUID()))) } diff --git a/vendor/k8s.io/apiserver/pkg/server/secure_serving.go b/vendor/k8s.io/apiserver/pkg/server/secure_serving.go index 64bcc87eb..0a4fdc693 100644 --- a/vendor/k8s.io/apiserver/pkg/server/secure_serving.go +++ b/vendor/k8s.io/apiserver/pkg/server/secure_serving.go @@ -189,7 +189,10 @@ func (s *SecureServingInfo) Serve(handler http.Handler, shutdownTimeout time.Dur if s.HTTP2MaxStreamsPerConnection > 0 { http2Options.MaxConcurrentStreams = uint32(s.HTTP2MaxStreamsPerConnection) } else { - http2Options.MaxConcurrentStreams = 250 + // match http2.initialMaxConcurrentStreams used by clients + // this makes it so that a malicious client can only open 400 streams before we forcibly close the connection + // https://github.com/golang/net/commit/b225e7ca6dde1ef5a5ae5ce922861bda011cfabd + http2Options.MaxConcurrentStreams = 100 } // increase the connection buffer size from the 1MB default to handle the specified number of concurrent streams diff --git a/vendor/k8s.io/apiserver/pkg/storage/storagebackend/factory/etcd3.go b/vendor/k8s.io/apiserver/pkg/storage/storagebackend/factory/etcd3.go index 5736abf63..94cb3710b 100644 --- a/vendor/k8s.io/apiserver/pkg/storage/storagebackend/factory/etcd3.go +++ b/vendor/k8s.io/apiserver/pkg/storage/storagebackend/factory/etcd3.go @@ -157,10 +157,10 @@ func newETCD3Check(c storagebackend.Config, timeout time.Duration, stopCh <-chan var prober *etcd3ProberMonitor clientErr := fmt.Errorf("etcd client connection not yet established") - go wait.PollUntil(time.Second, func() (bool, error) { - newProber, err := newETCD3ProberMonitor(c) + go wait.PollImmediateUntil(time.Second, func() (bool, error) { lock.Lock() defer lock.Unlock() + newProber, err := newETCD3ProberMonitor(c) // Ensure that server is already not shutting down. select { case <-stopCh: diff --git a/vendor/k8s.io/client-go/discovery/discovery_client.go b/vendor/k8s.io/client-go/discovery/discovery_client.go index a4f083a1a..102ce49bf 100644 --- a/vendor/k8s.io/client-go/discovery/discovery_client.go +++ b/vendor/k8s.io/client-go/discovery/discovery_client.go @@ -67,6 +67,9 @@ const ( acceptDiscoveryFormats = AcceptV2Beta1 + "," + AcceptV1 ) +// Aggregated discovery content-type GVK. +var v2Beta1GVK = schema.GroupVersionKind{Group: "apidiscovery.k8s.io", Version: "v2beta1", Kind: "APIGroupDiscoveryList"} + // DiscoveryInterface holds the methods that discover server-supported API groups, // versions and resources. type DiscoveryInterface interface { @@ -260,16 +263,15 @@ func (d *DiscoveryClient) downloadLegacy() ( } var resourcesByGV map[schema.GroupVersion]*metav1.APIResourceList - // Switch on content-type server responded with: aggregated or unaggregated. - switch { - case isV2Beta1ContentType(responseContentType): + // Based on the content-type server responded with: aggregated or unaggregated. + if isGVK, _ := ContentTypeIsGVK(responseContentType, v2Beta1GVK); isGVK { var aggregatedDiscovery apidiscovery.APIGroupDiscoveryList err = json.Unmarshal(body, &aggregatedDiscovery) if err != nil { return nil, nil, nil, err } apiGroupList, resourcesByGV, failedGVs = SplitGroupsAndResources(aggregatedDiscovery) - default: + } else { // Default is unaggregated discovery v1. var v metav1.APIVersions err = json.Unmarshal(body, &v) @@ -313,16 +315,15 @@ func (d *DiscoveryClient) downloadAPIs() ( apiGroupList := &metav1.APIGroupList{} failedGVs := map[schema.GroupVersion]error{} var resourcesByGV map[schema.GroupVersion]*metav1.APIResourceList - // Switch on content-type server responded with: aggregated or unaggregated. - switch { - case isV2Beta1ContentType(responseContentType): + // Based on the content-type server responded with: aggregated or unaggregated. + if isGVK, _ := ContentTypeIsGVK(responseContentType, v2Beta1GVK); isGVK { var aggregatedDiscovery apidiscovery.APIGroupDiscoveryList err = json.Unmarshal(body, &aggregatedDiscovery) if err != nil { return nil, nil, nil, err } apiGroupList, resourcesByGV, failedGVs = SplitGroupsAndResources(aggregatedDiscovery) - default: + } else { // Default is unaggregated discovery v1. err = json.Unmarshal(body, apiGroupList) if err != nil { @@ -333,26 +334,29 @@ func (d *DiscoveryClient) downloadAPIs() ( return apiGroupList, resourcesByGV, failedGVs, nil } -// isV2Beta1ContentType checks of the content-type string is both -// "application/json" and contains the v2beta1 content-type params. +// ContentTypeIsGVK checks of the content-type string is both +// "application/json" and matches the provided GVK. An error +// is returned if the content type string is malformed. // NOTE: This function is resilient to the ordering of the // content-type parameters, as well as parameters added by // intermediaries such as proxies or gateways. Examples: // -// "application/json; g=apidiscovery.k8s.io;v=v2beta1;as=APIGroupDiscoveryList" = true -// "application/json; as=APIGroupDiscoveryList;v=v2beta1;g=apidiscovery.k8s.io" = true -// "application/json; as=APIGroupDiscoveryList;v=v2beta1;g=apidiscovery.k8s.io;charset=utf-8" = true -// "application/json" = false -// "application/json; charset=UTF-8" = false -func isV2Beta1ContentType(contentType string) bool { +// ("application/json; g=apidiscovery.k8s.io;v=v2beta1;as=APIGroupDiscoveryList", {apidiscovery.k8s.io, v2beta1, APIGroupDiscoveryList}) = (true, nil) +// ("application/json; as=APIGroupDiscoveryList;v=v2beta1;g=apidiscovery.k8s.io", {apidiscovery.k8s.io, v2beta1, APIGroupDiscoveryList}) = (true, nil) +// ("application/json; as=APIGroupDiscoveryList;v=v2beta1;g=apidiscovery.k8s.io;charset=utf-8", {apidiscovery.k8s.io, v2beta1, APIGroupDiscoveryList}) = (true, nil) +// ("application/json", any GVK) = (false, nil) +// ("application/json; charset=UTF-8", any GVK) = (false, nil) +// ("malformed content type string", any GVK) = (false, error) +func ContentTypeIsGVK(contentType string, gvk schema.GroupVersionKind) (bool, error) { base, params, err := mime.ParseMediaType(contentType) if err != nil { - return false + return false, err } - return runtime.ContentTypeJSON == base && - params["g"] == "apidiscovery.k8s.io" && - params["v"] == "v2beta1" && - params["as"] == "APIGroupDiscoveryList" + gvkMatch := runtime.ContentTypeJSON == base && + params["g"] == gvk.Group && + params["v"] == gvk.Version && + params["as"] == gvk.Kind + return gvkMatch, nil } // ServerGroups returns the supported groups, with information like supported versions and the diff --git a/vendor/k8s.io/kubernetes/pkg/apis/batch/types.go b/vendor/k8s.io/kubernetes/pkg/apis/batch/types.go index a3a8caf03..cb5e6eb22 100644 --- a/vendor/k8s.io/kubernetes/pkg/apis/batch/types.go +++ b/vendor/k8s.io/kubernetes/pkg/apis/batch/types.go @@ -241,6 +241,7 @@ type PodFailurePolicyRule struct { // as a list of pod condition patterns. The requirement is satisfied if at // least one pattern matches an actual pod condition. At most 20 elements are allowed. // +listType=atomic + // +optional OnPodConditions []PodFailurePolicyOnPodConditionsPattern } diff --git a/vendor/k8s.io/kubernetes/pkg/features/kube_features.go b/vendor/k8s.io/kubernetes/pkg/features/kube_features.go index 8b27be3f3..56791b47c 100644 --- a/vendor/k8s.io/kubernetes/pkg/features/kube_features.go +++ b/vendor/k8s.io/kubernetes/pkg/features/kube_features.go @@ -1210,6 +1210,8 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS genericfeatures.ServerSideFieldValidation: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.29 + genericfeatures.UnauthenticatedHTTP2DOSMitigation: {Default: false, PreRelease: featuregate.Beta}, + // inherited features from apiextensions-apiserver, relisted here to get a conflict if it is changed // unintentionally on either side: diff --git a/vendor/k8s.io/kubernetes/test/e2e/framework/pod/wait.go b/vendor/k8s.io/kubernetes/test/e2e/framework/pod/wait.go index 5b019cce1..6aa1b1be3 100644 --- a/vendor/k8s.io/kubernetes/test/e2e/framework/pod/wait.go +++ b/vendor/k8s.io/kubernetes/test/e2e/framework/pod/wait.go @@ -581,10 +581,11 @@ func WaitForPodsResponding(ctx context.Context, c clientset.Interface, ns string if err != nil { // We may encounter errors here because of a race between the pod readiness and apiserver - // proxy. So, we log the error and retry if this occurs. - return nil, fmt.Errorf("Controller %s: failed to Get from replica pod %s:\n%s\nPod status:\n%s", + // proxy or because of temporary failures. The error gets wrapped for framework.HandleRetry. + // Gomega+Ginkgo will handle logging. + return nil, fmt.Errorf("controller %s: failed to Get from replica pod %s:\n%w\nPod status:\n%s", controllerName, pod.Name, - format.Object(err, 1), format.Object(pod.Status, 1)) + err, format.Object(pod.Status, 1)) } responses = append(responses, response{podName: pod.Name, response: string(body)}) } diff --git a/vendor/k8s.io/kubernetes/test/e2e/framework/util.go b/vendor/k8s.io/kubernetes/test/e2e/framework/util.go index 8182bc11d..f10e3254c 100644 --- a/vendor/k8s.io/kubernetes/test/e2e/framework/util.go +++ b/vendor/k8s.io/kubernetes/test/e2e/framework/util.go @@ -436,6 +436,13 @@ func WaitForServiceEndpointsNum(ctx context.Context, c clientset.Interface, name return false, nil } + // Endpoints are single family but EndpointSlices can have dual stack addresses, + // so we verify the number of addresses that matches the same family on both. + addressType := discoveryv1.AddressTypeIPv4 + if isIPv6Endpoint(endpoint) { + addressType = discoveryv1.AddressTypeIPv6 + } + esList, err := c.DiscoveryV1().EndpointSlices(namespace).List(ctx, metav1.ListOptions{LabelSelector: fmt.Sprintf("%s=%s", discoveryv1.LabelServiceName, serviceName)}) if err != nil { Logf("Unexpected error trying to get EndpointSlices for %s : %v", serviceName, err) @@ -447,8 +454,8 @@ func WaitForServiceEndpointsNum(ctx context.Context, c clientset.Interface, name return false, nil } - if countEndpointsSlicesNum(esList) != expectNum { - Logf("Unexpected number of Endpoints on Slices, got %d, expected %d", countEndpointsSlicesNum(esList), expectNum) + if countEndpointsSlicesNum(esList, addressType) != expectNum { + Logf("Unexpected number of Endpoints on Slices, got %d, expected %d", countEndpointsSlicesNum(esList, addressType), expectNum) return false, nil } return true, nil @@ -463,10 +470,28 @@ func countEndpointsNum(e *v1.Endpoints) int { return num } -func countEndpointsSlicesNum(epList *discoveryv1.EndpointSliceList) int { +// isIPv6Endpoint returns true if the Endpoint uses IPv6 addresses +func isIPv6Endpoint(e *v1.Endpoints) bool { + for _, sub := range e.Subsets { + for _, addr := range sub.Addresses { + if len(addr.IP) == 0 { + continue + } + // Endpoints are single family, so it is enough to check only one address + return netutils.IsIPv6String(addr.IP) + } + } + // default to IPv4 an Endpoint without IP addresses + return false +} + +func countEndpointsSlicesNum(epList *discoveryv1.EndpointSliceList, addressType discoveryv1.AddressType) int { // EndpointSlices can contain the same address on multiple Slices addresses := sets.Set[string]{} for _, epSlice := range epList.Items { + if epSlice.AddressType != addressType { + continue + } for _, ep := range epSlice.Endpoints { if len(ep.Addresses) > 0 { addresses.Insert(ep.Addresses[0]) diff --git a/vendor/k8s.io/mount-utils/mount_windows.go b/vendor/k8s.io/mount-utils/mount_windows.go index 02a963b1b..be714646e 100644 --- a/vendor/k8s.io/mount-utils/mount_windows.go +++ b/vendor/k8s.io/mount-utils/mount_windows.go @@ -150,12 +150,12 @@ func (mounter *Mounter) MountSensitive(source string, target string, fstype stri mklinkSource = mklinkSource + "\\" } - output, err := exec.Command("cmd", "/c", "mklink", "/D", target, mklinkSource).CombinedOutput() + err := os.Symlink(mklinkSource, target) if err != nil { - klog.Errorf("mklink failed: %v, source(%q) target(%q) output: %q", err, mklinkSource, target, string(output)) + klog.Errorf("symlink failed: %v, source(%q) target(%q)", err, mklinkSource, target) return err } - klog.V(2).Infof("mklink source(%q) on target(%q) successfully, output: %q", mklinkSource, target, string(output)) + klog.V(2).Infof("symlink source(%q) on target(%q) successfully", mklinkSource, target) return nil } @@ -219,8 +219,9 @@ func removeSMBMapping(remotepath string) (string, error) { func (mounter *Mounter) Unmount(target string) error { klog.V(4).Infof("Unmount target (%q)", target) target = NormalizeWindowsPath(target) - if output, err := exec.Command("cmd", "/c", "rmdir", target).CombinedOutput(); err != nil { - klog.Errorf("rmdir failed: %v, output: %q", err, string(output)) + + if err := os.Remove(target); err != nil { + klog.Errorf("removing directory %s failed: %v", target, err) return err } return nil diff --git a/vendor/modules.txt b/vendor/modules.txt index 31742280e..4fc8f1514 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -218,7 +218,7 @@ github.com/golang/protobuf/ptypes/any github.com/golang/protobuf/ptypes/duration github.com/golang/protobuf/ptypes/timestamp github.com/golang/protobuf/ptypes/wrappers -# github.com/google/cel-go v0.16.0 +# github.com/google/cel-go v0.16.1 ## explicit; go 1.18 github.com/google/cel-go/cel github.com/google/cel-go/checker @@ -726,7 +726,7 @@ gopkg.in/yaml.v2 # gopkg.in/yaml.v3 v3.0.1 ## explicit gopkg.in/yaml.v3 -# k8s.io/api v0.28.1 => k8s.io/api v0.28.1 +# k8s.io/api v0.28.4 => k8s.io/api v0.28.4 ## explicit; go 1.20 k8s.io/api/admission/v1 k8s.io/api/admission/v1beta1 @@ -782,12 +782,12 @@ k8s.io/api/scheduling/v1beta1 k8s.io/api/storage/v1 k8s.io/api/storage/v1alpha1 k8s.io/api/storage/v1beta1 -# k8s.io/apiextensions-apiserver v0.0.0 => k8s.io/apiextensions-apiserver v0.28.1 +# k8s.io/apiextensions-apiserver v0.0.0 => k8s.io/apiextensions-apiserver v0.28.4 ## explicit; go 1.20 k8s.io/apiextensions-apiserver/pkg/apis/apiextensions k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1 k8s.io/apiextensions-apiserver/pkg/features -# k8s.io/apimachinery v0.28.1 => k8s.io/apimachinery v0.28.1 +# k8s.io/apimachinery v0.28.4 => k8s.io/apimachinery v0.28.4 ## explicit; go 1.20 k8s.io/apimachinery/pkg/api/equality k8s.io/apimachinery/pkg/api/errors @@ -849,7 +849,7 @@ k8s.io/apimachinery/pkg/watch k8s.io/apimachinery/third_party/forked/golang/json k8s.io/apimachinery/third_party/forked/golang/netutil k8s.io/apimachinery/third_party/forked/golang/reflect -# k8s.io/apiserver v0.28.1 => k8s.io/apiserver v0.28.1 +# k8s.io/apiserver v0.28.4 => k8s.io/apiserver v0.28.4 ## explicit; go 1.20 k8s.io/apiserver/pkg/admission k8s.io/apiserver/pkg/admission/cel @@ -994,7 +994,7 @@ k8s.io/apiserver/plugin/pkg/audit/truncate k8s.io/apiserver/plugin/pkg/audit/webhook k8s.io/apiserver/plugin/pkg/authenticator/token/webhook k8s.io/apiserver/plugin/pkg/authorizer/webhook -# k8s.io/client-go v0.28.1 => k8s.io/client-go v0.28.1 +# k8s.io/client-go v0.28.4 => k8s.io/client-go v0.28.4 ## explicit; go 1.20 k8s.io/client-go/applyconfigurations/admissionregistration/v1 k8s.io/client-go/applyconfigurations/admissionregistration/v1alpha1 @@ -1315,7 +1315,7 @@ k8s.io/client-go/util/homedir k8s.io/client-go/util/keyutil k8s.io/client-go/util/retry k8s.io/client-go/util/workqueue -# k8s.io/cloud-provider v0.28.1 => k8s.io/cloud-provider v0.28.1 +# k8s.io/cloud-provider v0.28.4 => k8s.io/cloud-provider v0.28.4 ## explicit; go 1.20 k8s.io/cloud-provider k8s.io/cloud-provider/api @@ -1334,7 +1334,7 @@ k8s.io/cloud-provider/service/helpers k8s.io/cloud-provider/volume k8s.io/cloud-provider/volume/errors k8s.io/cloud-provider/volume/helpers -# k8s.io/component-base v0.28.1 => k8s.io/component-base v0.28.1 +# k8s.io/component-base v0.28.4 => k8s.io/component-base v0.28.4 ## explicit; go 1.20 k8s.io/component-base/cli/flag k8s.io/component-base/config @@ -1356,13 +1356,13 @@ k8s.io/component-base/metrics/testutil k8s.io/component-base/tracing k8s.io/component-base/tracing/api/v1 k8s.io/component-base/version -# k8s.io/component-helpers v0.28.1 => k8s.io/component-helpers v0.28.1 +# k8s.io/component-helpers v0.28.4 => k8s.io/component-helpers v0.28.4 ## explicit; go 1.20 k8s.io/component-helpers/node/util k8s.io/component-helpers/scheduling/corev1 k8s.io/component-helpers/scheduling/corev1/nodeaffinity k8s.io/component-helpers/storage/volume -# k8s.io/controller-manager v0.28.1 => k8s.io/controller-manager v0.28.1 +# k8s.io/controller-manager v0.28.4 => k8s.io/controller-manager v0.28.4 ## explicit; go 1.20 k8s.io/controller-manager/config k8s.io/controller-manager/config/v1 @@ -1382,7 +1382,7 @@ k8s.io/klog/v2/internal/clock k8s.io/klog/v2/internal/dbg k8s.io/klog/v2/internal/serialize k8s.io/klog/v2/internal/severity -# k8s.io/kms v0.28.1 +# k8s.io/kms v0.28.4 ## explicit; go 1.20 k8s.io/kms/apis/v1beta1 k8s.io/kms/apis/v2 @@ -1410,15 +1410,15 @@ k8s.io/kube-openapi/pkg/validation/errors k8s.io/kube-openapi/pkg/validation/spec k8s.io/kube-openapi/pkg/validation/strfmt k8s.io/kube-openapi/pkg/validation/strfmt/bson -# k8s.io/kubectl v0.0.0 => k8s.io/kubectl v0.28.1 +# k8s.io/kubectl v0.0.0 => k8s.io/kubectl v0.28.4 ## explicit; go 1.20 k8s.io/kubectl/pkg/scale k8s.io/kubectl/pkg/util/podutils -# k8s.io/kubelet v0.28.1 => k8s.io/kubelet v0.28.1 +# k8s.io/kubelet v0.28.4 => k8s.io/kubelet v0.28.4 ## explicit; go 1.20 k8s.io/kubelet/pkg/apis k8s.io/kubelet/pkg/apis/stats/v1alpha1 -# k8s.io/kubernetes v1.28.1 +# k8s.io/kubernetes v1.28.4 ## explicit; go 1.20 k8s.io/kubernetes/pkg/api/legacyscheme k8s.io/kubernetes/pkg/api/service @@ -1484,10 +1484,10 @@ k8s.io/kubernetes/test/utils k8s.io/kubernetes/test/utils/format k8s.io/kubernetes/test/utils/image k8s.io/kubernetes/test/utils/kubeconfig -# k8s.io/mount-utils v0.28.1 => k8s.io/mount-utils v0.28.1 +# k8s.io/mount-utils v0.28.4 => k8s.io/mount-utils v0.28.4 ## explicit; go 1.20 k8s.io/mount-utils -# k8s.io/pod-security-admission v0.28.1 => k8s.io/pod-security-admission v0.28.1 +# k8s.io/pod-security-admission v0.28.4 => k8s.io/pod-security-admission v0.28.4 ## explicit; go 1.20 k8s.io/pod-security-admission/api k8s.io/pod-security-admission/policy @@ -1586,30 +1586,30 @@ sigs.k8s.io/structured-merge-diff/v4/value sigs.k8s.io/yaml # github.com/niemeyer/pretty => github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e # go.etcd.io/etcd => go.etcd.io/etcd v0.0.0-20200410171415-59f5fb25a533 -# k8s.io/api => k8s.io/api v0.28.1 -# k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.28.1 -# k8s.io/apimachinery => k8s.io/apimachinery v0.28.1 -# k8s.io/apiserver => k8s.io/apiserver v0.28.1 -# k8s.io/cli-runtime => k8s.io/cli-runtime v0.28.1 -# k8s.io/client-go => k8s.io/client-go v0.28.1 -# k8s.io/cloud-provider => k8s.io/cloud-provider v0.28.1 -# k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.28.1 -# k8s.io/code-generator => k8s.io/code-generator v0.28.1 -# k8s.io/component-base => k8s.io/component-base v0.28.1 -# k8s.io/component-helpers => k8s.io/component-helpers v0.28.1 -# k8s.io/controller-manager => k8s.io/controller-manager v0.28.1 -# k8s.io/cri-api => k8s.io/cri-api v0.28.1 -# k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.28.1 -# k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.28.1 -# k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.28.1 -# k8s.io/kube-proxy => k8s.io/kube-proxy v0.28.1 -# k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.28.1 -# k8s.io/kubectl => k8s.io/kubectl v0.28.1 -# k8s.io/kubelet => k8s.io/kubelet v0.28.1 -# k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.28.1 -# k8s.io/metrics => k8s.io/metrics v0.28.1 -# k8s.io/mount-utils => k8s.io/mount-utils v0.28.1 -# k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.28.1 -# k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.28.1 -# k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.28.1 -# k8s.io/sample-controller => k8s.io/sample-controller v0.28.1 +# k8s.io/api => k8s.io/api v0.28.4 +# k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.28.4 +# k8s.io/apimachinery => k8s.io/apimachinery v0.28.4 +# k8s.io/apiserver => k8s.io/apiserver v0.28.4 +# k8s.io/cli-runtime => k8s.io/cli-runtime v0.28.4 +# k8s.io/client-go => k8s.io/client-go v0.28.4 +# k8s.io/cloud-provider => k8s.io/cloud-provider v0.28.4 +# k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.28.4 +# k8s.io/code-generator => k8s.io/code-generator v0.28.4 +# k8s.io/component-base => k8s.io/component-base v0.28.4 +# k8s.io/component-helpers => k8s.io/component-helpers v0.28.4 +# k8s.io/controller-manager => k8s.io/controller-manager v0.28.4 +# k8s.io/cri-api => k8s.io/cri-api v0.28.4 +# k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.28.4 +# k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.28.4 +# k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.28.4 +# k8s.io/kube-proxy => k8s.io/kube-proxy v0.28.4 +# k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.28.4 +# k8s.io/kubectl => k8s.io/kubectl v0.28.4 +# k8s.io/kubelet => k8s.io/kubelet v0.28.4 +# k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.28.4 +# k8s.io/metrics => k8s.io/metrics v0.28.4 +# k8s.io/mount-utils => k8s.io/mount-utils v0.28.4 +# k8s.io/pod-security-admission => k8s.io/pod-security-admission v0.28.4 +# k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.28.4 +# k8s.io/sample-cli-plugin => k8s.io/sample-cli-plugin v0.28.4 +# k8s.io/sample-controller => k8s.io/sample-controller v0.28.4