diff --git a/go.mod b/go.mod
index 5b8ab7e875115..2a894a418b31b 100644
--- a/go.mod
+++ b/go.mod
@@ -237,6 +237,7 @@ require (
 replace (
 github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20250416174521-4eb003743b54
+ github.com/openshift/apiserver-library-go => github.com/jubittajohn/apiserver-library-go v0.0.0-20250908142805-62f78f3f6aa6
 k8s.io/api => ./staging/src/k8s.io/api
 k8s.io/apiextensions-apiserver => ./staging/src/k8s.io/apiextensions-apiserver
 k8s.io/apimachinery => ./staging/src/k8s.io/apimachinery
diff --git a/go.sum b/go.sum
index 37e7ce64af66e..10719fceb53f5 100644
--- a/go.sum
+++ b/go.sum
@@ -351,6 +351,8 @@ github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFF
 github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/jubittajohn/apiserver-library-go v0.0.0-20250908142805-62f78f3f6aa6 h1:S4m55GKAce55gYwXAFXr3vpoT1LYHPk4jG7ZzVELeCQ=
+github.com/jubittajohn/apiserver-library-go v0.0.0-20250908142805-62f78f3f6aa6/go.mod h1:8aHgQmkn0RbvMth8icv+itFvH+vF94VHBTjIUuPmkCU=
 github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
 github.com/karrick/godirwalk v1.17.0 h1:b4kY7nqDdioR/6qnbHQyDvmA17u5G1cZ6J+CZXwSWoI=
 github.com/karrick/godirwalk v1.17.0/go.mod h1:j4mkqPuvaLI8mp1DroR3P6ad7cyYd4c1qeJ3RV7ULlk=
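Review bot: The added replace directive routes github.com/openshift/apiserver-library-go to a personal fork, github.com/jubittajohn/apiserver-library-go, so the module's provenance moves from the organization to an individual account and every future vendor sync depends on that account and ref remaining available. The pseudo-version together with the matching go.sum entries pins an exact commit, so the content itself is immutable, but go.mod gives no reason for the carry or a condition for removing it. Add a comment above the directive such as `// TODO: temporary carry of <UPSTREAM-PR-PLACEHOLDER>; drop once merged into openshift/apiserver-library-go`, and review the fork commit against the upstream repository rather than trusting the vendor/ diff alone.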
@@ -430,8 +432,6 @@ github.com/openshift-eng/openshift-tests-extension v0.0.0-20250711173707-dc2a20e
 github.com/openshift-eng/openshift-tests-extension v0.0.0-20250711173707-dc2a20e5a5f8/go.mod h1:6gkP5f2HL0meusT0Aim8icAspcD1cG055xxBZ9yC68M=
 github.com/openshift/api v0.0.0-20250710004639-926605d3338b h1:A8OY6adT2aZNp7tsGsilHuQ3RqhzrFx5dzGr/UwXfJg=
 github.com/openshift/api v0.0.0-20250710004639-926605d3338b/go.mod h1:SPLf21TYPipzCO67BURkCfK6dcIIxx0oNRVWaOyRcXM=
-github.com/openshift/apiserver-library-go v0.0.0-20250710132015-f0d44ef6e53b h1:rIfs2f1zo9GLyxk6tak2bHzX01VTz6Xheay2NECfZpg=
-github.com/openshift/apiserver-library-go v0.0.0-20250710132015-f0d44ef6e53b/go.mod h1:8aHgQmkn0RbvMth8icv+itFvH+vF94VHBTjIUuPmkCU=
 github.com/openshift/build-machinery-go v0.0.0-20250530140348-dc5b2804eeee/go.mod h1:8jcm8UPtg2mCAsxfqKil1xrmRMI3a+XU2TZ9fF8A7TE=
 github.com/openshift/client-go v0.0.0-20250710075018-396b36f983ee h1:tOtrrxfDEW8hK3eEsHqxsXurq/D6LcINGfprkQC3hqY=
 github.com/openshift/client-go v0.0.0-20250710075018-396b36f983ee/go.mod h1:zhRiYyNMk89llof2qEuGPWPD+joQPhCRUc2IK0SB510=
diff --git a/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sysctl/mustmatchpatterns.go b/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sysctl/mustmatchpatterns.go
index 4a67b043c50d6..e3d2b4d18e027 100644
--- a/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sysctl/mustmatchpatterns.go
+++ b/vendor/github.com/openshift/apiserver-library-go/pkg/securitycontextconstraints/sysctl/mustmatchpatterns.go
@@ -18,29 +18,84 @@ package sysctl
 import (
 "fmt"
+ "slices"
 "strings"
 "k8s.io/apimachinery/pkg/util/validation/field"
+ "k8s.io/apimachinery/pkg/util/version"
+ "k8s.io/klog/v2"
 api "k8s.io/kubernetes/pkg/apis/core"
+ utilkernel "k8s.io/kubernetes/pkg/util/kernel"
 )
+type sysctl struct {
+ // the name of sysctl
+ name string
+ // the minimum kernel version where the sysctl is available
+ kernel string
+}
+
+// Legacy safe sysctls that were always allowed in previous releases.
+// These must always be returned to avoid regressions: pods that depended on these
+// sysctls should continue to work as before, regardless of kernel version detection.
+var legacySafeSysctls = []string{
+ "kernel.shm_rmid_forced",
+ "net.ipv4.ip_local_port_range",
+ "net.ipv4.tcp_syncookies",
+ "net.ipv4.ping_group_range",
+ "net.ipv4.ip_unprivileged_port_start",
+ "net.ipv4.tcp_keepalive_time",
+ "net.ipv4.tcp_fin_timeout",
+ "net.ipv4.tcp_keepalive_intvl",
+ "net.ipv4.tcp_keepalive_probes",
+}
+
+// Newer sysctls that are safe only if the kernel version is new enough.
+// We gate these to avoid exposing unsupported sysctls on older kernels.
+var newerSysctls = []sysctl{
+ {
+ name: "net.ipv4.ip_local_reserved_ports",
+ kernel: "3.16",
+ }, {
+ name: "net.ipv4.tcp_rmem",
+ kernel: "4.15",
+ }, {
+ name: "net.ipv4.tcp_wmem",
+ kernel: "4.15",
+ },
+}
+
 // SafeSysctlAllowlist returns the allowlist of safe sysctls and safe sysctl patterns (ending in *).
 //
 // A sysctl is called safe iff
 // - it is namespaced in the container or the pod
 // - it is isolated, i.e. has no influence on any other pod on the same node.
func SafeSysctlAllowlist() []string {
- return []string{
- "kernel.shm_rmid_forced",
- "net.ipv4.ip_local_port_range",
- "net.ipv4.tcp_syncookies",
- "net.ipv4.ping_group_range",
- "net.ipv4.ip_unprivileged_port_start",
- "net.ipv4.tcp_keepalive_time",
- "net.ipv4.tcp_fin_timeout",
- "net.ipv4.tcp_keepalive_intvl",
- "net.ipv4.tcp_keepalive_probes",
+ return getSafeSysctlAllowlist(utilkernel.GetVersion)
+}
+
+// getSafeSysctlAllowlist returns the list of safe sysctls that can be used.
+// To prevent regressions:
+// 1. Always return the legacy list (known safe sysctls from previous releases).
+// 2. Conditionally add newer sysctls only if the detected kernel version
+// is at least as new as required.
+func getSafeSysctlAllowlist(getVersion func() (*version.Version, error)) []string {
+ safeSysctlAllowlist := slices.Clone(legacySafeSysctls)
+
+ kernelVersion, err := getVersion()
+ if err != nil {
+ klog.Error(err, "failed to get kernel version, falling back to legacy safe sysctl list")
+ return safeSysctlAllowlist
+ }
+
+ for _, sc := range newerSysctls {
+ if kernelVersion.AtLeast(version.MustParseGeneric(sc.kernel)) {
+ safeSysctlAllowlist = append(safeSysctlAllowlist, sc.name)
+ } else {
+ klog.Info("kernel version is too old, dropping the sysctl from safe sysctl list", "kernelVersion", kernelVersion, "sysctl", sc.name)
+ }
 }
+ return safeSysctlAllowlist
 }
 // mustMatchPatterns implements the SysctlsStrategy interface
diff --git a/vendor/modules.txt b/vendor/modules.txt
index bbfbbb77ebd5d..1e49d20f8dfe3 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
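Review bot: `klog.Error(err, "failed to get kernel version, ...")` and `klog.Info("kernel version is too old, ...", "kernelVersion", kernelVersion, "sysctl", sc.name)` in getSafeSysctlAllowlist hand structured key/value pairs to klog's Print-style functions, which only concatenate their arguments, so the kernel version and sysctl name come out as an unlabelled run of words; the argument shape calls for `klog.ErrorS(err, "failed to get kernel version, falling back to legacy safe sysctl list")` and `klog.InfoS("kernel version is too old, dropping the sysctl from safe sysctl list", "kernelVersion", kernelVersion, "sysctl", sc.name)`. Because this file lives under vendor/, the correction belongs in the replaced module's source and should be re-vendored from there. Separately, SafeSysctlAllowlist now consults utilkernel.GetVersion in whatever process evaluates the SCC, which appears to make the gate depend on the API server host's kernel rather than the kernel of the node that will run the pod, so admission decisions may differ between API server replicas on hosts with different kernels; the getSafeSysctlAllowlist comment should state this assumption explicitly. `version.MustParseGeneric(sc.kernel)` is also re-parsed on every call inside the loop; parsing the constant table once at package level keeps that panic path out of the admission hot path.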
@@ -545,7 +545,7 @@ github.com/openshift/api/security
 github.com/openshift/api/security/v1
 github.com/openshift/api/template/v1
 github.com/openshift/api/user/v1
-# github.com/openshift/apiserver-library-go v0.0.0-20250710132015-f0d44ef6e53b
+# github.com/openshift/apiserver-library-go v0.0.0-20250710132015-f0d44ef6e53b => github.com/jubittajohn/apiserver-library-go v0.0.0-20250908142805-62f78f3f6aa6
 ## explicit; go 1.24.0
 github.com/openshift/apiserver-library-go/pkg/admission/imagepolicy
 github.com/openshift/apiserver-library-go/pkg/admission/imagepolicy/apis/imagepolicy/v1
@@ -1565,3 +1565,4 @@ sigs.k8s.io/yaml
 sigs.k8s.io/yaml/goyaml.v2
 sigs.k8s.io/yaml/goyaml.v3
 # github.com/onsi/ginkgo/v2 => github.com/openshift/onsi-ginkgo/v2 v2.6.1-0.20250416174521-4eb003743b54
+# github.com/openshift/apiserver-library-go => github.com/jubittajohn/apiserver-library-go v0.0.0-20250908142805-62f78f3f6aa6