diff --git a/go.mod b/go.mod
index cba18c5a9..2f2260f1b 100644
--- a/go.mod
+++ b/go.mod
@@ -14,10 +14,10 @@ require (
 k8s.io/api v0.25.4
 k8s.io/apimachinery v0.25.4
 k8s.io/client-go v0.25.4
- knative.dev/client v0.34.1-0.20230119164202-982711e2e36e
+ knative.dev/client v0.36.0
 knative.dev/hack v0.0.0-20230113013652-c7cfcb062de9
- knative.dev/networking v0.0.0-20230118220600-e9d3a55facee
- knative.dev/serving v0.35.1-0.20230123130505-8b28d4103e0c
+ knative.dev/networking v0.0.0-20230123233838-db2bcbea2560
+ knative.dev/serving v0.36.0
 )
 
 require (
@@ -116,7 +116,7 @@ require (
 k8s.io/klog/v2 v2.80.2-0.20221028030830-9ae4992afb54 // indirect
 k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 // indirect
 k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2 // indirect
- knative.dev/eventing v0.35.1-0.20230118083600-9417125b1468 // indirect
+ knative.dev/eventing v0.36.0 // indirect
 knative.dev/pkg v0.0.0-20230117181655-247510c00e9d // indirect
 sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
 sigs.k8s.io/kustomize/api v0.12.1 // indirect
diff --git a/go.sum b/go.sum
index 95438e108..2756bf2ca 100644
--- a/go.sum
+++ b/go.sum
@@ -1647,18 +1647,18 @@ k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2 h1:GfD9OzL11kvZN5iArC6oTS7RTj7oJ
 k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 knative.dev/caching v0.0.0-20210215030244-1212288570f0/go.mod h1:rAPalJe9Lx3jHffJpackk5WjZYl3j2QvXUgw0GPllxQ=
 knative.dev/client v0.21.0/go.mod h1:1En9uxMhk62EReWR1d66/d3tnpkot/D3vBRfmuidFNc=
-knative.dev/client v0.34.1-0.20230119164202-982711e2e36e h1:Q0uhZnEtx5vxA5yLWDgPdeSbS77kvEhOn6iIITtEtb4=
-knative.dev/client v0.34.1-0.20230119164202-982711e2e36e/go.mod h1:z2qSG2eojlcglXZAUo4cKZEHtYXi//DYz3HgCwqmC1E=
+knative.dev/client v0.36.0 h1:oYg0MN66PEHU0444jX79cYi856o9Y2Rx+HE92FSJ6zk=
+knative.dev/client v0.36.0/go.mod h1:40s6w3umxFvxqvqYgjNLdylP80NVSkUMmSgLQSkJsmw=
 knative.dev/eventing v0.21.0/go.mod h1:JjbVEOTJJHqo9CTxbTfrMn018hG8fOr3UfBoCJ7KWaA=
-knative.dev/eventing v0.35.1-0.20230118083600-9417125b1468 h1:N6Nh3b46f+iAOuu/14P488TMBieF6/tC9NA+83LAxqM=
-knative.dev/eventing v0.35.1-0.20230118083600-9417125b1468/go.mod h1:PqYrXKXhZU7rQaS5TQuZDSOd9jPX7AegF8uNNUY4kcU=
+knative.dev/eventing v0.36.0 h1:a7kamc2S+LcpNMDX3llnwZm+DqMcYSXgKIgJXdaQQSY=
+knative.dev/eventing v0.36.0/go.mod h1:Qka5Z6+LeMoHGL1QAznVdmq5LAu21b4F3rgxc2AMgRg=
 knative.dev/hack v0.0.0-20210203173706-8368e1f6eacf/go.mod h1:PHt8x8yX5Z9pPquBEfIj0X66f8iWkWfR0S/sarACJrI=
 knative.dev/hack v0.0.0-20230113013652-c7cfcb062de9 h1:CDa7s9KspEZqPhk7cN68ZypRLuAvSgr+knoOaXSsrHk=
 knative.dev/hack v0.0.0-20230113013652-c7cfcb062de9/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
 knative.dev/networking v0.0.0-20210215030235-088986a1c2a3/go.mod h1:pmAMQjMqQUxpK0UyjE71KljMs6rwDMVIAlvrZsU3I6Y=
 knative.dev/networking v0.0.0-20210216014426-94bfc013982b/go.mod h1:Crdn87hxdFd3Jj6PIyrjzGnr8OGHX35k5xo9jlOrjjA=
-knative.dev/networking v0.0.0-20230118220600-e9d3a55facee h1:8KYvxZFaP/LgOE+zVvcG5SpdEK1b03eETvaCauoeCUs=
-knative.dev/networking v0.0.0-20230118220600-e9d3a55facee/go.mod 
h1:rn1yRurhkxmSFkpqs/YdG7b9DiYj0VlmLFzBdOQjpOo=
+knative.dev/networking v0.0.0-20230123233838-db2bcbea2560 h1:iprdS5tKTXtgV9dGryuwJJJTTdl5LusCHOelKdezR3I=
+knative.dev/networking v0.0.0-20230123233838-db2bcbea2560/go.mod h1:rn1yRurhkxmSFkpqs/YdG7b9DiYj0VlmLFzBdOQjpOo=
 knative.dev/pkg v0.0.0-20210212203835-448ae657fb5f/go.mod h1:TJSdebQOWX5N2bszohOYVi0H1QtXbtlYLuMghAFBMhY=
 knative.dev/pkg v0.0.0-20210215165523-84c98f3c3e7a/go.mod h1:TJSdebQOWX5N2bszohOYVi0H1QtXbtlYLuMghAFBMhY=
 knative.dev/pkg v0.0.0-20210216013737-584933f8280b/go.mod h1:TJSdebQOWX5N2bszohOYVi0H1QtXbtlYLuMghAFBMhY=
@@ -1666,8 +1666,8 @@ knative.dev/pkg v0.0.0-20230117181655-247510c00e9d h1:pjKDcvHoMib8nRp56eISRmMj/p
 knative.dev/pkg v0.0.0-20230117181655-247510c00e9d/go.mod h1:VO/fcEsq43seuONRQxZyftWHjpMabYzRHDtpSEQ/eoQ=
 knative.dev/reconciler-test v0.0.0-20210216030508-77f50054d024/go.mod h1:RP/K5xJylB72Go6eAsXYEsQHp4zCCNMNjmsqhvq7wko=
 knative.dev/serving v0.21.0/go.mod h1:PU9k1Y6YMG27XQldEu5agNkcebvSafUXKXPircQYCsE=
-knative.dev/serving v0.35.1-0.20230123130505-8b28d4103e0c h1:c5Mh4zBFll2tHTntV89y49Rd9NCwk8UbwUBI7nuEs5Y=
-knative.dev/serving v0.35.1-0.20230123130505-8b28d4103e0c/go.mod h1:WdVK1b42aahKc8WewW5YLPjp46QK4+D8R9lq3PNuRYg=
+knative.dev/serving v0.36.0 h1:RSYDjxhzOx5rnlW9tNPcBPyJyNuOcZuYEMdKDR1r04k=
+knative.dev/serving v0.36.0/go.mod h1:ueqMvTqzZE0GFfPqSsc+ZjX20Z8XxCuX86+S+TI7B3A=
 modernc.org/cc v1.0.0/go.mod h1:1Sk4//wdnYJiUIxnW8ddKpaOJCF37yAdqYnkxUpaYxw=
 modernc.org/golex v1.0.0/go.mod h1:b/QX9oBD/LhixY6NDh+IdGv17hgB+51fET1i2kPSmvk=
 modernc.org/mathutil v1.0.0/go.mod h1:wU0vUrJsVWBZ4P6e7xtFJEhFSNsfRLJ8H458uRjg03k=
diff --git a/vendor/knative.dev/eventing/pkg/apis/sources/v1/apiserver_types.go b/vendor/knative.dev/eventing/pkg/apis/sources/v1/apiserver_types.go
index b70516d49..cfe41a956 100644
--- a/vendor/knative.dev/eventing/pkg/apis/sources/v1/apiserver_types.go
+++ b/vendor/knative.dev/eventing/pkg/apis/sources/v1/apiserver_types.go
@@ -80,6 +80,11 @@ type ApiServerSourceSpec struct {
 // source. Defaults to default if not set.
 // +optional
 ServiceAccountName string `json:"serviceAccountName,omitempty"`
+
+ // NamespaceSelector is a label selector to capture the namespaces that
+ // should be watched by the source.
+ // +optional
+ NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
 }
 
 // ApiServerSourceStatus defines the observed state of ApiServerSource
@@ -92,6 +97,9 @@ type ApiServerSourceStatus struct {
 // * SinkURI - the current active sink URI that has been configured for the
 // Source.
 duckv1.SourceStatus `json:",inline"`
+
+ // Namespaces show the namespaces currently watched by the ApiServerSource
+ Namespaces []string `json:"namespaces"`
 }
 
 // APIVersionKind is an APIVersion and Kind tuple.
diff --git a/vendor/knative.dev/eventing/pkg/apis/sources/v1/zz_generated.deepcopy.go b/vendor/knative.dev/eventing/pkg/apis/sources/v1/zz_generated.deepcopy.go
index fd7b8b717..551322eab 100644
--- a/vendor/knative.dev/eventing/pkg/apis/sources/v1/zz_generated.deepcopy.go
+++ b/vendor/knative.dev/eventing/pkg/apis/sources/v1/zz_generated.deepcopy.go
@@ -140,6 +140,11 @@ func (in *ApiServerSourceSpec) DeepCopyInto(out *ApiServerSourceSpec) {
 *out = new(APIVersionKind)
 **out = **in
 }
+ if in.NamespaceSelector != nil {
+ in, out := &in.NamespaceSelector, &out.NamespaceSelector
+ *out = new(metav1.LabelSelector)
+ (*in).DeepCopyInto(*out)
+ }
 return
 }
 
@@ -157,6 +162,11 @@ func (in *ApiServerSourceSpec) DeepCopy() *ApiServerSourceSpec {
 func (in *ApiServerSourceStatus) DeepCopyInto(out *ApiServerSourceStatus) {
 *out = *in
 in.SourceStatus.DeepCopyInto(&out.SourceStatus)
+ if in.Namespaces != nil {
+ in, out := &in.Namespaces, &out.Namespaces
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
 return
 }
 
diff --git a/vendor/knative.dev/serving/pkg/apis/config/features.go b/vendor/knative.dev/serving/pkg/apis/config/features.go
index 90bad722c..655188ec4 100644
--- a/vendor/knative.dev/serving/pkg/apis/config/features.go
+++ b/vendor/knative.dev/serving/pkg/apis/config/features.go
@@ -70,6 +70,7 @@ func defaultFeaturesConfig() *Features {
 PodSpecInitContainers: Disabled,
 PodSpecDNSPolicy: Disabled,
 PodSpecDNSConfig: Disabled,
+ SecurePodDefaults: Disabled,
 TagHeaderBasedRouting: Disabled,
 AutoDetectHTTP2: Disabled,
 }
@@ -99,6 +100,7 @@ func NewFeaturesConfigFromMap(data map[string]string) (*Features, error) {
 asFlag("kubernetes.podspec-persistent-volume-write", &nc.PodSpecPersistentVolumeWrite),
 asFlag("kubernetes.podspec-dnspolicy", &nc.PodSpecDNSPolicy),
 asFlag("kubernetes.podspec-dnsconfig", &nc.PodSpecDNSConfig),
+ asFlag("secure-pod-defaults", &nc.SecurePodDefaults),
 asFlag("tag-header-based-routing", &nc.TagHeaderBasedRouting),
 asFlag("queueproxy.mount-podinfo", &nc.QueueProxyMountPodInfo),
 asFlag("autodetect-http2", &nc.AutoDetectHTTP2)); err != nil {
@@ -134,6 +136,7 @@ type Features struct {
 QueueProxyMountPodInfo Flag
 PodSpecDNSPolicy Flag
 PodSpecDNSConfig Flag
+ SecurePodDefaults Flag
 TagHeaderBasedRouting Flag
 AutoDetectHTTP2 Flag
 }
diff --git a/vendor/knative.dev/serving/pkg/apis/serving/fieldmask.go b/vendor/knative.dev/serving/pkg/apis/serving/fieldmask.go
index ab8724b49..cc59b95f3 100644
--- a/vendor/knative.dev/serving/pkg/apis/serving/fieldmask.go
+++ b/vendor/knative.dev/serving/pkg/apis/serving/fieldmask.go
@@ -208,6 +208,9 @@ func PodSpecMask(ctx context.Context, in *corev1.PodSpec) *corev1.PodSpec {
 }
 if cfg.Features.PodSpecSecurityContext != config.Disabled {
 out.SecurityContext = in.SecurityContext
+ } else if cfg.Features.SecurePodDefaults != config.Disabled {
+ // This is further validated in ValidatePodSecurityContext.
+ out.SecurityContext = in.SecurityContext
 }
 if cfg.Features.PodSpecPriorityClassName != config.Disabled {
 out.PriorityClassName = in.PriorityClassName
@@ -591,6 +594,19 @@ func PodSecurityContextMask(ctx context.Context, in *corev1.PodSecurityContext)
 
 out := new(corev1.PodSecurityContext)
 
+ if config.FromContextOrDefaults(ctx).Features.SecurePodDefaults == config.Enabled {
+ // Allow to opt out of more-secure defaults if SecurePodDefaults is enabled.
+ // This aligns with defaultSecurityContext in revision_defaults.go.
+ if in.SeccompProfile != nil {
+ seccomp := in.SeccompProfile.Type
+ if seccomp == corev1.SeccompProfileTypeRuntimeDefault || seccomp == corev1.SeccompProfileTypeUnconfined {
+ out.SeccompProfile = &corev1.SeccompProfile{
+ Type: seccomp,
+ }
+ }
+ }
+ }
+
 if config.FromContextOrDefaults(ctx).Features.PodSpecSecurityContext == config.Disabled {
 return out
 }
diff --git a/vendor/knative.dev/serving/pkg/apis/serving/v1/revision_defaults.go b/vendor/knative.dev/serving/pkg/apis/serving/v1/revision_defaults.go
index 354b12d89..8acbf3446 100644
--- a/vendor/knative.dev/serving/pkg/apis/serving/v1/revision_defaults.go
+++ b/vendor/knative.dev/serving/pkg/apis/serving/v1/revision_defaults.go
@@ -72,6 +72,10 @@ func (rs *RevisionSpec) SetDefaults(ctx context.Context) {
 applyDefaultContainerNames(rs.PodSpec.InitContainers, containerNames, defaultInitContainerName)
 for idx := range rs.PodSpec.Containers {
 rs.applyDefault(ctx, &rs.PodSpec.Containers[idx], cfg)
+ rs.defaultSecurityContext(rs.PodSpec.SecurityContext, &rs.PodSpec.Containers[idx], cfg)
+ }
+ for idx := range rs.PodSpec.InitContainers {
+ rs.defaultSecurityContext(rs.PodSpec.SecurityContext, &rs.PodSpec.InitContainers[idx], cfg)
 }
 }
 
@@ -158,6 +162,57 @@ func (*RevisionSpec) applyProbes(container *corev1.Container) {
 }
 }
 
+// Upgrade SecurityContext for this container and the Pod definition to use settings
+// for the `restricted` profile when the feature flag is enabled.
+// This does not currently set `runAsNonRoot` for the restricted profile, because
+// that feels harder to default safely.
+func (rs *RevisionSpec) defaultSecurityContext(psc *corev1.PodSecurityContext, container *corev1.Container, cfg *config.Config) {
+ if cfg.Features.SecurePodDefaults != config.Enabled {
+ return
+ }
+
+ if psc == nil {
+ psc = &corev1.PodSecurityContext{}
+ }
+
+ updatedSC := container.SecurityContext
+
+ if updatedSC == nil {
+ updatedSC = &corev1.SecurityContext{}
+ }
+
+ if updatedSC.AllowPrivilegeEscalation == nil {
+ updatedSC.AllowPrivilegeEscalation = ptr.Bool(false)
+ }
+ if psc.SeccompProfile == nil || psc.SeccompProfile.Type == "" {
+ if updatedSC.SeccompProfile == nil {
+ updatedSC.SeccompProfile = &corev1.SeccompProfile{}
+ }
+ if updatedSC.SeccompProfile.Type == "" {
+ updatedSC.SeccompProfile.Type = corev1.SeccompProfileTypeRuntimeDefault
+ }
+ }
+ if updatedSC.Capabilities == nil {
+ updatedSC.Capabilities = &corev1.Capabilities{}
+ updatedSC.Capabilities.Drop = []corev1.Capability{"ALL"}
+ // Default in NET_BIND_SERVICE to allow binding to low-numbered ports.
+ needsLowPort := false
+ for _, p := range container.Ports {
+ if p.ContainerPort < 1024 {
+ needsLowPort = true
+ break
+ }
+ }
+ if updatedSC.Capabilities.Add == nil && needsLowPort {
+ updatedSC.Capabilities.Add = []corev1.Capability{"NET_BIND_SERVICE"}
+ }
+ }
+
+ if *updatedSC != (corev1.SecurityContext{}) {
+ container.SecurityContext = updatedSC
+ }
+}
+
 func applyDefaultContainerNames(containers []corev1.Container, containerNames sets.String, defaultContainerName string) {
 // Default container name based on ContainerNameFromTemplate value from configmap.
// In multi-container or init-container mode, add a numeric suffix, avoiding clashes with user-supplied names.
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 053c5c3aa..3d59256d5 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -859,7 +859,7 @@ k8s.io/utils/net
 k8s.io/utils/pointer
 k8s.io/utils/strings/slices
 k8s.io/utils/trace
-# knative.dev/client v0.34.1-0.20230119164202-982711e2e36e
+# knative.dev/client v0.36.0
 ## explicit; go 1.18
 knative.dev/client/lib/test
 knative.dev/client/pkg/apis/client
@@ -885,7 +885,7 @@ knative.dev/client/pkg/sources/v1beta2
 knative.dev/client/pkg/util
 knative.dev/client/pkg/util/mock
 knative.dev/client/pkg/wait
-# knative.dev/eventing v0.35.1-0.20230118083600-9417125b1468
+# knative.dev/eventing v0.36.0
 ## explicit; go 1.18
 knative.dev/eventing/pkg/apis/config
 knative.dev/eventing/pkg/apis/duck
@@ -913,7 +913,7 @@ knative.dev/eventing/pkg/client/clientset/versioned/typed/sources/v1beta2
 # knative.dev/hack v0.0.0-20230113013652-c7cfcb062de9
 ## explicit; go 1.18
 knative.dev/hack
-# knative.dev/networking v0.0.0-20230118220600-e9d3a55facee
+# knative.dev/networking v0.0.0-20230123233838-db2bcbea2560
 ## explicit; go 1.18
 knative.dev/networking/pkg
 knative.dev/networking/pkg/apis/networking
@@ -972,7 +972,7 @@ knative.dev/pkg/tracing/config
 knative.dev/pkg/tracing/propagation
 knative.dev/pkg/tracing/propagation/tracecontextb3
 knative.dev/pkg/tracker
-# knative.dev/serving v0.35.1-0.20230123130505-8b28d4103e0c
+# knative.dev/serving v0.36.0
 ## explicit; go 1.18
 knative.dev/serving/pkg/apis/autoscaling
 knative.dev/serving/pkg/apis/autoscaling/v1alpha1