-rw-r--r--recipes-containers/kubernetes/kubernetes/CVE-2023-2431.patch863
-rw-r--r--recipes-containers/kubernetes/kubernetes_git.bb1
2 files changed, 864 insertions, 0 deletions
diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2023-2431.patch b/recipes-containers/kubernetes/kubernetes/CVE-2023-2431.patch
new file mode 100644
index 00000000..56c3a6e1
--- /dev/null
+++ b/recipes-containers/kubernetes/kubernetes/CVE-2023-2431.patch
@@ -0,0 +1,863 @@
1From 73174f870735251e7d4240cdc36983d1bef7db5f Mon Sep 17 00:00:00 2001
2From: Craig Ingram <cjingram@google.com>
3Date: Fri, 24 Feb 2023 15:24:49 -0500
4Subject: [PATCH] Return error for localhost seccomp type with no localhost
5 profile defined
6
7CVE: CVE-2023-2431
8
9Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/73174f870735251e7d4240cdc36983d1bef7db5f]
10
11Signed-off-by: Soumya Sambu <soumya.sambu@windriver.com>
12---
13 pkg/kubelet/kuberuntime/helpers.go | 66 ++--
14 pkg/kubelet/kuberuntime/helpers_test.go | 350 ++++--------------
15 .../kuberuntime_container_linux.go | 16 +-
16 .../kuberuntime_container_linux_test.go | 22 +-
17 pkg/kubelet/kuberuntime/security_context.go | 15 +-
18 5 files changed, 153 insertions(+), 316 deletions(-)
19
20diff --git a/pkg/kubelet/kuberuntime/helpers.go b/pkg/kubelet/kuberuntime/helpers.go
21index fa580335cf8..b36e01166f8 100644
22--- a/pkg/kubelet/kuberuntime/helpers.go
23+++ b/pkg/kubelet/kuberuntime/helpers.go
24@@ -209,28 +209,32 @@ func toKubeRuntimeStatus(status *runtimeapi.RuntimeStatus) *kubecontainer.Runtim
25 return &kubecontainer.RuntimeStatus{Conditions: conditions}
26 }
27
28-func fieldProfile(scmp *v1.SeccompProfile, profileRootPath string, fallbackToRuntimeDefault bool) string {
29+func fieldProfile(scmp *v1.SeccompProfile, profileRootPath string, fallbackToRuntimeDefault bool) (string, error) {
30 if scmp == nil {
31 if fallbackToRuntimeDefault {
32- return v1.SeccompProfileRuntimeDefault
33+ return v1.SeccompProfileRuntimeDefault, nil
34 }
35- return ""
36+ return "", nil
37 }
38 if scmp.Type == v1.SeccompProfileTypeRuntimeDefault {
39- return v1.SeccompProfileRuntimeDefault
40- }
41- if scmp.Type == v1.SeccompProfileTypeLocalhost && scmp.LocalhostProfile != nil && len(*scmp.LocalhostProfile) > 0 {
42- fname := filepath.Join(profileRootPath, *scmp.LocalhostProfile)
43- return v1.SeccompLocalhostProfileNamePrefix + fname
44+ return v1.SeccompProfileRuntimeDefault, nil
45+ }
46+ if scmp.Type == v1.SeccompProfileTypeLocalhost {
47+ if scmp.LocalhostProfile != nil && len(*scmp.LocalhostProfile) > 0 {
48+ fname := filepath.Join(profileRootPath, *scmp.LocalhostProfile)
49+ return v1.SeccompLocalhostProfileNamePrefix + fname, nil
50+ } else {
51+ return "", fmt.Errorf("localhostProfile must be set if seccompProfile type is Localhost.")
52+ }
53 }
54 if scmp.Type == v1.SeccompProfileTypeUnconfined {
55- return v1.SeccompProfileNameUnconfined
56+ return v1.SeccompProfileNameUnconfined, nil
57 }
58
59 if fallbackToRuntimeDefault {
60- return v1.SeccompProfileRuntimeDefault
61+ return v1.SeccompProfileRuntimeDefault, nil
62 }
63- return ""
64+ return "", nil
65 }
66
67 func annotationProfile(profile, profileRootPath string) string {
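Review bot: `fieldProfile` now returns a second, error result but the hunk adds no doc comment recording that contract, so the reason the old empty-string fallback was removed lives only in the patch header; a comment on the signature such as `// fieldProfile maps a SeccompProfile field to its profile string. It returns an error when Type is Localhost but LocalhostProfile is unset, so callers can refuse the container rather than let it run without the requested profile (CVE-2023-2431).` would fix that. The same message literal is repeated verbatim in `fieldSeccompProfile` in the third hunk of this file, and `fmt.Errorf` with no verbs plus a capitalised, period-terminated message departs from Go error-string conventions (`errors.New`, lowercase, no trailing punctuation); since the tests in this patch assert the exact text, keep the literal as backported rather than diverge from upstream. The `} else {` after a `return` in both of those hunks could likewise be flattened, but again a verbatim backport is the safer choice for a CVE patch. An unrecognised `scmp.Type` still falls through to the fallback at the bottom (`""` or runtime/default) as the existing "unknown type" tests expect; that is outside this CVE, but it remains the one path where a malformed profile field degrades silently instead of erroring.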
68@@ -243,7 +247,7 @@ func annotationProfile(profile, profileRootPath string) string {
69 }
70
71 func (m *kubeGenericRuntimeManager) getSeccompProfilePath(annotations map[string]string, containerName string,
72- podSecContext *v1.PodSecurityContext, containerSecContext *v1.SecurityContext, fallbackToRuntimeDefault bool) string {
73+ podSecContext *v1.PodSecurityContext, containerSecContext *v1.SecurityContext, fallbackToRuntimeDefault bool) (string, error) {
74 // container fields are applied first
75 if containerSecContext != nil && containerSecContext.SeccompProfile != nil {
76 return fieldProfile(containerSecContext.SeccompProfile, m.seccompProfileRoot, fallbackToRuntimeDefault)
77@@ -252,7 +256,7 @@ func (m *kubeGenericRuntimeManager) getSeccompProfilePath(annotations map[string
78 // if container field does not exist, try container annotation (deprecated)
79 if containerName != "" {
80 if profile, ok := annotations[v1.SeccompContainerAnnotationKeyPrefix+containerName]; ok {
81- return annotationProfile(profile, m.seccompProfileRoot)
82+ return annotationProfile(profile, m.seccompProfileRoot), nil
83 }
84 }
85
86@@ -263,46 +267,50 @@ func (m *kubeGenericRuntimeManager) getSeccompProfilePath(annotations map[string
87
88 // as last resort, try to apply pod annotation (deprecated)
89 if profile, ok := annotations[v1.SeccompPodAnnotationKey]; ok {
90- return annotationProfile(profile, m.seccompProfileRoot)
91+ return annotationProfile(profile, m.seccompProfileRoot), nil
92 }
93
94 if fallbackToRuntimeDefault {
95- return v1.SeccompProfileRuntimeDefault
96+ return v1.SeccompProfileRuntimeDefault, nil
97 }
98
99- return ""
100+ return "", nil
101 }
102
103-func fieldSeccompProfile(scmp *v1.SeccompProfile, profileRootPath string, fallbackToRuntimeDefault bool) *runtimeapi.SecurityProfile {
104+func fieldSeccompProfile(scmp *v1.SeccompProfile, profileRootPath string, fallbackToRuntimeDefault bool) (*runtimeapi.SecurityProfile, error) {
105 if scmp == nil {
106 if fallbackToRuntimeDefault {
107 return &runtimeapi.SecurityProfile{
108 ProfileType: runtimeapi.SecurityProfile_RuntimeDefault,
109- }
110+ }, nil
111 }
112 return &runtimeapi.SecurityProfile{
113 ProfileType: runtimeapi.SecurityProfile_Unconfined,
114- }
115+ }, nil
116 }
117 if scmp.Type == v1.SeccompProfileTypeRuntimeDefault {
118 return &runtimeapi.SecurityProfile{
119 ProfileType: runtimeapi.SecurityProfile_RuntimeDefault,
120- }
121+ }, nil
122 }
123- if scmp.Type == v1.SeccompProfileTypeLocalhost && scmp.LocalhostProfile != nil && len(*scmp.LocalhostProfile) > 0 {
124- fname := filepath.Join(profileRootPath, *scmp.LocalhostProfile)
125- return &runtimeapi.SecurityProfile{
126- ProfileType: runtimeapi.SecurityProfile_Localhost,
127- LocalhostRef: fname,
128+ if scmp.Type == v1.SeccompProfileTypeLocalhost {
129+ if scmp.LocalhostProfile != nil && len(*scmp.LocalhostProfile) > 0 {
130+ fname := filepath.Join(profileRootPath, *scmp.LocalhostProfile)
131+ return &runtimeapi.SecurityProfile{
132+ ProfileType: runtimeapi.SecurityProfile_Localhost,
133+ LocalhostRef: fname,
134+ }, nil
135+ } else {
136+ return nil, fmt.Errorf("localhostProfile must be set if seccompProfile type is Localhost.")
137 }
138 }
139 return &runtimeapi.SecurityProfile{
140 ProfileType: runtimeapi.SecurityProfile_Unconfined,
141- }
142+ }, nil
143 }
144
145 func (m *kubeGenericRuntimeManager) getSeccompProfile(annotations map[string]string, containerName string,
146- podSecContext *v1.PodSecurityContext, containerSecContext *v1.SecurityContext, fallbackToRuntimeDefault bool) *runtimeapi.SecurityProfile {
147+ podSecContext *v1.PodSecurityContext, containerSecContext *v1.SecurityContext, fallbackToRuntimeDefault bool) (*runtimeapi.SecurityProfile, error) {
148 // container fields are applied first
149 if containerSecContext != nil && containerSecContext.SeccompProfile != nil {
150 return fieldSeccompProfile(containerSecContext.SeccompProfile, m.seccompProfileRoot, fallbackToRuntimeDefault)
151@@ -316,12 +324,12 @@ func (m *kubeGenericRuntimeManager) getSeccompProfile(annotations map[string]str
152 if fallbackToRuntimeDefault {
153 return &runtimeapi.SecurityProfile{
154 ProfileType: runtimeapi.SecurityProfile_RuntimeDefault,
155- }
156+ }, nil
157 }
158
159 return &runtimeapi.SecurityProfile{
160 ProfileType: runtimeapi.SecurityProfile_Unconfined,
161- }
162+ }, nil
163 }
164
165 func ipcNamespaceForPod(pod *v1.Pod) runtimeapi.NamespaceMode {
166diff --git a/pkg/kubelet/kuberuntime/helpers_test.go b/pkg/kubelet/kuberuntime/helpers_test.go
167index 25065f30411..70ad7250ce2 100644
168--- a/pkg/kubelet/kuberuntime/helpers_test.go
169+++ b/pkg/kubelet/kuberuntime/helpers_test.go
170@@ -242,17 +242,18 @@ func TestFieldProfile(t *testing.T) {
171 scmpProfile *v1.SeccompProfile
172 rootPath string
173 expectedProfile string
174+ expectedError string
175 }{
176 {
177 description: "no seccompProfile should return empty",
178 expectedProfile: "",
179 },
180 {
181- description: "type localhost without profile should return empty",
182+ description: "type localhost without profile should return error",
183 scmpProfile: &v1.SeccompProfile{
184 Type: v1.SeccompProfileTypeLocalhost,
185 },
186- expectedProfile: "",
187+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
188 },
189 {
190 description: "unknown type should return empty",
191@@ -279,7 +280,7 @@ func TestFieldProfile(t *testing.T) {
192 description: "SeccompProfileTypeLocalhost should return localhost",
193 scmpProfile: &v1.SeccompProfile{
194 Type: v1.SeccompProfileTypeLocalhost,
195- LocalhostProfile: utilpointer.StringPtr("profile.json"),
196+ LocalhostProfile: utilpointer.String("profile.json"),
197 },
198 rootPath: "/test/",
199 expectedProfile: "localhost//test/profile.json",
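Review bot: The `utilpointer.StringPtr` → `utilpointer.String` rename on this line (and again at `@@ -335,7 +342,7 @@`) is not needed for the CVE fix and makes the backport depend on the vendored `k8s.io/utils` exposing `pointer.String`, which should be verified for this recipe's Kubernetes version. More significantly, the later hunks `@@ -369,91 +382,6 @@`, `@@ -500,41 +428,16 @@`, `@@ -559,91 +463,6 @@` and `@@ -690,41 +509,16 @@` delete every annotation-based case (including the annotation precedence cases), yet the target `getSeccompProfilePath` in this same patch still resolves `SeccompContainerAnnotationKeyPrefix` and `SeccompPodAnnotationKey` annotations — the helpers.go hunks only change its return statements. That looks like the test file was taken from a newer upstream tree rather than minimally adapted; the dropped cases should be retained, updated to the `seccompProfile, err :=` form used in the loop rewrites, so the still-live annotation path keeps coverage in this tree.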
200@@ -287,8 +288,13 @@ func TestFieldProfile(t *testing.T) {
201 }
202
203 for i, test := range tests {
204- seccompProfile := fieldProfile(test.scmpProfile, test.rootPath, false)
205- assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
206+ seccompProfile, err := fieldProfile(test.scmpProfile, test.rootPath, false)
207+ if test.expectedError != "" {
208+ assert.EqualError(t, err, test.expectedError, "TestCase[%d]: %s", i, test.description)
209+ } else {
210+ assert.NoError(t, err, "TestCase[%d]: %s", i, test.description)
211+ assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
212+ }
213 }
214 }
215
216@@ -298,17 +304,18 @@ func TestFieldProfileDefaultSeccomp(t *testing.T) {
217 scmpProfile *v1.SeccompProfile
218 rootPath string
219 expectedProfile string
220+ expectedError string
221 }{
222 {
223 description: "no seccompProfile should return runtime/default",
224 expectedProfile: v1.SeccompProfileRuntimeDefault,
225 },
226 {
227- description: "type localhost without profile should return runtime/default",
228+ description: "type localhost without profile should return error",
229 scmpProfile: &v1.SeccompProfile{
230 Type: v1.SeccompProfileTypeLocalhost,
231 },
232- expectedProfile: v1.SeccompProfileRuntimeDefault,
233+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
234 },
235 {
236 description: "unknown type should return runtime/default",
237@@ -335,7 +342,7 @@ func TestFieldProfileDefaultSeccomp(t *testing.T) {
238 description: "SeccompProfileTypeLocalhost should return localhost",
239 scmpProfile: &v1.SeccompProfile{
240 Type: v1.SeccompProfileTypeLocalhost,
241- LocalhostProfile: utilpointer.StringPtr("profile.json"),
242+ LocalhostProfile: utilpointer.String("profile.json"),
243 },
244 rootPath: "/test/",
245 expectedProfile: "localhost//test/profile.json",
246@@ -343,8 +350,13 @@ func TestFieldProfileDefaultSeccomp(t *testing.T) {
247 }
248
249 for i, test := range tests {
250- seccompProfile := fieldProfile(test.scmpProfile, test.rootPath, true)
251- assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
252+ seccompProfile, err := fieldProfile(test.scmpProfile, test.rootPath, true)
253+ if test.expectedError != "" {
254+ assert.EqualError(t, err, test.expectedError, "TestCase[%d]: %s", i, test.description)
255+ } else {
256+ assert.NoError(t, err, "TestCase[%d]: %s", i, test.description)
257+ assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
258+ }
259 }
260 }
261
262@@ -359,6 +371,7 @@ func TestGetSeccompProfilePath(t *testing.T) {
263 containerSc *v1.SecurityContext
264 containerName string
265 expectedProfile string
266+ expectedError string
267 }{
268 {
269 description: "no seccomp should return empty",
270@@ -369,91 +382,6 @@ func TestGetSeccompProfilePath(t *testing.T) {
271 containerName: "container1",
272 expectedProfile: "",
273 },
274- {
275- description: "annotations: pod runtime/default seccomp profile should return runtime/default",
276- annotation: map[string]string{
277- v1.SeccompPodAnnotationKey: v1.SeccompProfileRuntimeDefault,
278- },
279- expectedProfile: "runtime/default",
280- },
281- {
282- description: "annotations: pod docker/default seccomp profile should return docker/default",
283- annotation: map[string]string{
284- v1.SeccompPodAnnotationKey: v1.DeprecatedSeccompProfileDockerDefault,
285- },
286- expectedProfile: "docker/default",
287- },
288- {
289- description: "annotations: pod runtime/default seccomp profile with containerName should return runtime/default",
290- annotation: map[string]string{
291- v1.SeccompPodAnnotationKey: v1.SeccompProfileRuntimeDefault,
292- },
293- containerName: "container1",
294- expectedProfile: "runtime/default",
295- },
296- {
297- description: "annotations: pod docker/default seccomp profile with containerName should return docker/default",
298- annotation: map[string]string{
299- v1.SeccompPodAnnotationKey: v1.DeprecatedSeccompProfileDockerDefault,
300- },
301- containerName: "container1",
302- expectedProfile: "docker/default",
303- },
304- {
305- description: "annotations: pod unconfined seccomp profile should return unconfined",
306- annotation: map[string]string{
307- v1.SeccompPodAnnotationKey: v1.SeccompProfileNameUnconfined,
308- },
309- expectedProfile: "unconfined",
310- },
311- {
312- description: "annotations: pod unconfined seccomp profile with containerName should return unconfined",
313- annotation: map[string]string{
314- v1.SeccompPodAnnotationKey: v1.SeccompProfileNameUnconfined,
315- },
316- containerName: "container1",
317- expectedProfile: "unconfined",
318- },
319- {
320- description: "annotations: pod localhost seccomp profile should return local profile path",
321- annotation: map[string]string{
322- v1.SeccompPodAnnotationKey: "localhost/chmod.json",
323- },
324- expectedProfile: seccompLocalhostPath("chmod.json"),
325- },
326- {
327- description: "annotations: pod localhost seccomp profile with containerName should return local profile path",
328- annotation: map[string]string{
329- v1.SeccompPodAnnotationKey: "localhost/chmod.json",
330- },
331- containerName: "container1",
332- expectedProfile: seccompLocalhostPath("chmod.json"),
333- },
334- {
335- description: "annotations: container localhost seccomp profile with containerName should return local profile path",
336- annotation: map[string]string{
337- v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
338- },
339- containerName: "container1",
340- expectedProfile: seccompLocalhostPath("chmod.json"),
341- },
342- {
343- description: "annotations: container localhost seccomp profile should override pod profile",
344- annotation: map[string]string{
345- v1.SeccompPodAnnotationKey: v1.SeccompProfileNameUnconfined,
346- v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
347- },
348- containerName: "container1",
349- expectedProfile: seccompLocalhostPath("chmod.json"),
350- },
351- {
352- description: "annotations: container localhost seccomp profile with unmatched containerName should return empty",
353- annotation: map[string]string{
354- v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
355- },
356- containerName: "container2",
357- expectedProfile: "",
358- },
359 {
360 description: "pod seccomp profile set to unconfined returns unconfined",
361 podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeUnconfined}},
362@@ -480,14 +408,14 @@ func TestGetSeccompProfilePath(t *testing.T) {
363 expectedProfile: seccompLocalhostPath("filename"),
364 },
365 {
366- description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns empty",
367- podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
368- expectedProfile: "",
369+ description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns error",
370+ podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
371+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
372 },
373 {
374- description: "container seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns empty",
375- containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
376- expectedProfile: "",
377+ description: "container seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns error",
378+ containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
379+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
380 },
381 {
382 description: "container seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
383@@ -500,41 +428,16 @@ func TestGetSeccompProfilePath(t *testing.T) {
384 containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault}},
385 expectedProfile: "runtime/default",
386 },
387- {
388- description: "prioritise container field over container annotation, pod field and pod annotation",
389- podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("field-pod-profile.json")}},
390- containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("field-cont-profile.json")}},
391- annotation: map[string]string{
392- v1.SeccompPodAnnotationKey: "localhost/annota-pod-profile.json",
393- v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/annota-cont-profile.json",
394- },
395- containerName: "container1",
396- expectedProfile: seccompLocalhostPath("field-cont-profile.json"),
397- },
398- {
399- description: "prioritise container annotation over pod field",
400- podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("field-pod-profile.json")}},
401- annotation: map[string]string{
402- v1.SeccompPodAnnotationKey: "localhost/annota-pod-profile.json",
403- v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/annota-cont-profile.json",
404- },
405- containerName: "container1",
406- expectedProfile: seccompLocalhostPath("annota-cont-profile.json"),
407- },
408- {
409- description: "prioritise pod field over pod annotation",
410- podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("field-pod-profile.json")}},
411- annotation: map[string]string{
412- v1.SeccompPodAnnotationKey: "localhost/annota-pod-profile.json",
413- },
414- containerName: "container1",
415- expectedProfile: seccompLocalhostPath("field-pod-profile.json"),
416- },
417 }
418
419 for i, test := range tests {
420- seccompProfile := m.getSeccompProfilePath(test.annotation, test.containerName, test.podSc, test.containerSc, false)
421- assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
422+ seccompProfile, err := m.getSeccompProfilePath(test.annotation, test.containerName, test.podSc, test.containerSc, false)
423+ if test.expectedError != "" {
424+ assert.EqualError(t, err, test.expectedError, "TestCase[%d]: %s", i, test.description)
425+ } else {
426+ assert.NoError(t, err, "TestCase[%d]: %s", i, test.description)
427+ assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
428+ }
429 }
430 }
431
432@@ -549,6 +452,7 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
433 containerSc *v1.SecurityContext
434 containerName string
435 expectedProfile string
436+ expectedError string
437 }{
438 {
439 description: "no seccomp should return runtime/default",
440@@ -559,91 +463,6 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
441 containerName: "container1",
442 expectedProfile: v1.SeccompProfileRuntimeDefault,
443 },
444- {
445- description: "annotations: pod runtime/default seccomp profile should return runtime/default",
446- annotation: map[string]string{
447- v1.SeccompPodAnnotationKey: v1.SeccompProfileRuntimeDefault,
448- },
449- expectedProfile: v1.SeccompProfileRuntimeDefault,
450- },
451- {
452- description: "annotations: pod docker/default seccomp profile should return docker/default",
453- annotation: map[string]string{
454- v1.SeccompPodAnnotationKey: v1.DeprecatedSeccompProfileDockerDefault,
455- },
456- expectedProfile: "docker/default",
457- },
458- {
459- description: "annotations: pod runtime/default seccomp profile with containerName should return runtime/default",
460- annotation: map[string]string{
461- v1.SeccompPodAnnotationKey: v1.SeccompProfileRuntimeDefault,
462- },
463- containerName: "container1",
464- expectedProfile: v1.SeccompProfileRuntimeDefault,
465- },
466- {
467- description: "annotations: pod docker/default seccomp profile with containerName should return docker/default",
468- annotation: map[string]string{
469- v1.SeccompPodAnnotationKey: v1.DeprecatedSeccompProfileDockerDefault,
470- },
471- containerName: "container1",
472- expectedProfile: "docker/default",
473- },
474- {
475- description: "annotations: pod unconfined seccomp profile should return unconfined",
476- annotation: map[string]string{
477- v1.SeccompPodAnnotationKey: v1.SeccompProfileNameUnconfined,
478- },
479- expectedProfile: "unconfined",
480- },
481- {
482- description: "annotations: pod unconfined seccomp profile with containerName should return unconfined",
483- annotation: map[string]string{
484- v1.SeccompPodAnnotationKey: v1.SeccompProfileNameUnconfined,
485- },
486- containerName: "container1",
487- expectedProfile: "unconfined",
488- },
489- {
490- description: "annotations: pod localhost seccomp profile should return local profile path",
491- annotation: map[string]string{
492- v1.SeccompPodAnnotationKey: "localhost/chmod.json",
493- },
494- expectedProfile: seccompLocalhostPath("chmod.json"),
495- },
496- {
497- description: "annotations: pod localhost seccomp profile with containerName should return local profile path",
498- annotation: map[string]string{
499- v1.SeccompPodAnnotationKey: "localhost/chmod.json",
500- },
501- containerName: "container1",
502- expectedProfile: seccompLocalhostPath("chmod.json"),
503- },
504- {
505- description: "annotations: container localhost seccomp profile with containerName should return local profile path",
506- annotation: map[string]string{
507- v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
508- },
509- containerName: "container1",
510- expectedProfile: seccompLocalhostPath("chmod.json"),
511- },
512- {
513- description: "annotations: container localhost seccomp profile should override pod profile",
514- annotation: map[string]string{
515- v1.SeccompPodAnnotationKey: v1.SeccompProfileNameUnconfined,
516- v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
517- },
518- containerName: "container1",
519- expectedProfile: seccompLocalhostPath("chmod.json"),
520- },
521- {
522- description: "annotations: container localhost seccomp profile with unmatched containerName should return runtime/default",
523- annotation: map[string]string{
524- v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/chmod.json",
525- },
526- containerName: "container2",
527- expectedProfile: v1.SeccompProfileRuntimeDefault,
528- },
529 {
530 description: "pod seccomp profile set to unconfined returns unconfined",
531 podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeUnconfined}},
532@@ -670,14 +489,14 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
533 expectedProfile: seccompLocalhostPath("filename"),
534 },
535 {
536- description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns runtime/default",
537- podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
538- expectedProfile: v1.SeccompProfileRuntimeDefault,
539+ description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns error",
540+ podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
541+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
542 },
543 {
544- description: "container seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns runtime/default",
545- containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
546- expectedProfile: v1.SeccompProfileRuntimeDefault,
547+ description: "container seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns error",
548+ containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
549+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
550 },
551 {
552 description: "container seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
553@@ -690,41 +509,16 @@ func TestGetSeccompProfilePathDefaultSeccomp(t *testing.T) {
554 containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeRuntimeDefault}},
555 expectedProfile: "runtime/default",
556 },
557- {
558- description: "prioritise container field over container annotation, pod field and pod annotation",
559- podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("field-pod-profile.json")}},
560- containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("field-cont-profile.json")}},
561- annotation: map[string]string{
562- v1.SeccompPodAnnotationKey: "localhost/annota-pod-profile.json",
563- v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/annota-cont-profile.json",
564- },
565- containerName: "container1",
566- expectedProfile: seccompLocalhostPath("field-cont-profile.json"),
567- },
568- {
569- description: "prioritise container annotation over pod field",
570- podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("field-pod-profile.json")}},
571- annotation: map[string]string{
572- v1.SeccompPodAnnotationKey: "localhost/annota-pod-profile.json",
573- v1.SeccompContainerAnnotationKeyPrefix + "container1": "localhost/annota-cont-profile.json",
574- },
575- containerName: "container1",
576- expectedProfile: seccompLocalhostPath("annota-cont-profile.json"),
577- },
578- {
579- description: "prioritise pod field over pod annotation",
580- podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost, LocalhostProfile: getLocal("field-pod-profile.json")}},
581- annotation: map[string]string{
582- v1.SeccompPodAnnotationKey: "localhost/annota-pod-profile.json",
583- },
584- containerName: "container1",
585- expectedProfile: seccompLocalhostPath("field-pod-profile.json"),
586- },
587 }
588
589 for i, test := range tests {
590- seccompProfile := m.getSeccompProfilePath(test.annotation, test.containerName, test.podSc, test.containerSc, true)
591- assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
592+ seccompProfile, err := m.getSeccompProfilePath(test.annotation, test.containerName, test.podSc, test.containerSc, true)
593+ if test.expectedError != "" {
594+ assert.EqualError(t, err, test.expectedError, "TestCase[%d]: %s", i, test.description)
595+ } else {
596+ assert.NoError(t, err, "TestCase[%d]: %s", i, test.description)
597+ assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
598+ }
599 }
600 }
601
602@@ -747,6 +541,7 @@ func TestGetSeccompProfile(t *testing.T) {
603 containerSc *v1.SecurityContext
604 containerName string
605 expectedProfile *runtimeapi.SecurityProfile
606+ expectedError string
607 }{
608 {
609 description: "no seccomp should return unconfined",
610@@ -781,14 +576,14 @@ func TestGetSeccompProfile(t *testing.T) {
611 },
612 },
613 {
614- description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns unconfined",
615- podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
616- expectedProfile: unconfinedProfile,
617+ description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns error",
618+ podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
619+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
620 },
621 {
622- description: "container seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns unconfined",
623- containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
624- expectedProfile: unconfinedProfile,
625+ description: "container seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns error",
626+ containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
627+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
628 },
629 {
630 description: "container seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
631@@ -817,8 +612,13 @@ func TestGetSeccompProfile(t *testing.T) {
632 }
633
634 for i, test := range tests {
635- seccompProfile := m.getSeccompProfile(test.annotation, test.containerName, test.podSc, test.containerSc, false)
636- assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
637+ seccompProfile, err := m.getSeccompProfile(test.annotation, test.containerName, test.podSc, test.containerSc, false)
638+ if test.expectedError != "" {
639+ assert.EqualError(t, err, test.expectedError, "TestCase[%d]: %s", i, test.description)
640+ } else {
641+ assert.NoError(t, err, "TestCase[%d]: %s", i, test.description)
642+ assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
643+ }
644 }
645 }
646
647@@ -841,6 +641,7 @@ func TestGetSeccompProfileDefaultSeccomp(t *testing.T) {
648 containerSc *v1.SecurityContext
649 containerName string
650 expectedProfile *runtimeapi.SecurityProfile
651+ expectedError string
652 }{
653 {
654 description: "no seccomp should return RuntimeDefault",
655@@ -875,14 +676,14 @@ func TestGetSeccompProfileDefaultSeccomp(t *testing.T) {
656 },
657 },
658 {
659- description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns unconfined",
660- podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
661- expectedProfile: unconfinedProfile,
662+ description: "pod seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns error",
663+ podSc: &v1.PodSecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
664+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
665 },
666 {
667- description: "container seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns unconfined",
668- containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
669- expectedProfile: unconfinedProfile,
670+ description: "container seccomp profile set to SeccompProfileTypeLocalhost with empty LocalhostProfile returns error",
671+ containerSc: &v1.SecurityContext{SeccompProfile: &v1.SeccompProfile{Type: v1.SeccompProfileTypeLocalhost}},
672+ expectedError: "localhostProfile must be set if seccompProfile type is Localhost.",
673 },
674 {
675 description: "container seccomp profile set to SeccompProfileTypeLocalhost returns 'localhost/' + LocalhostProfile",
676@@ -911,8 +712,13 @@ func TestGetSeccompProfileDefaultSeccomp(t *testing.T) {
677 }
678
679 for i, test := range tests {
680- seccompProfile := m.getSeccompProfile(test.annotation, test.containerName, test.podSc, test.containerSc, true)
681- assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
682+ seccompProfile, err := m.getSeccompProfile(test.annotation, test.containerName, test.podSc, test.containerSc, true)
683+ if test.expectedError != "" {
684+ assert.EqualError(t, err, test.expectedError, "TestCase[%d]: %s", i, test.description)
685+ } else {
686+ assert.NoError(t, err, "TestCase[%d]: %s", i, test.description)
687+ assert.Equal(t, test.expectedProfile, seccompProfile, "TestCase[%d]: %s", i, test.description)
688+ }
689 }
690 }
691
692diff --git a/pkg/kubelet/kuberuntime/kuberuntime_container_linux.go b/pkg/kubelet/kuberuntime/kuberuntime_container_linux.go
693index 6cb9e54729e..54670673bcd 100644
694--- a/pkg/kubelet/kuberuntime/kuberuntime_container_linux.go
695+++ b/pkg/kubelet/kuberuntime/kuberuntime_container_linux.go
696@@ -46,15 +46,23 @@ func (m *kubeGenericRuntimeManager) applyPlatformSpecificContainerConfig(config
697 libcontainercgroups.IsCgroup2UnifiedMode() {
698 enforceMemoryQoS = true
699 }
700- config.Linux = m.generateLinuxContainerConfig(container, pod, uid, username, nsTarget, enforceMemoryQoS)
701+ cl, err := m.generateLinuxContainerConfig(container, pod, uid, username, nsTarget, enforceMemoryQoS)
702+ if err != nil {
703+ return err
704+ }
705+ config.Linux = cl
706 return nil
707 }
708
709 // generateLinuxContainerConfig generates linux container config for kubelet runtime v1.
710-func (m *kubeGenericRuntimeManager) generateLinuxContainerConfig(container *v1.Container, pod *v1.Pod, uid *int64, username string, nsTarget *kubecontainer.ContainerID, enforceMemoryQoS bool) *runtimeapi.LinuxContainerConfig {
711+func (m *kubeGenericRuntimeManager) generateLinuxContainerConfig(container *v1.Container, pod *v1.Pod, uid *int64, username string, nsTarget *kubecontainer.ContainerID, enforceMemoryQoS bool) (*runtimeapi.LinuxContainerConfig, error) {
712+ sc, err := m.determineEffectiveSecurityContext(pod, container, uid, username)
713+ if err != nil {
714+ return nil, err
715+ }
716 lc := &runtimeapi.LinuxContainerConfig{
717 Resources: &runtimeapi.LinuxContainerResources{},
718- SecurityContext: m.determineEffectiveSecurityContext(pod, container, uid, username),
719+ SecurityContext: sc,
720 }
721
722 if nsTarget != nil && lc.SecurityContext.NamespaceOptions.Pid == runtimeapi.NamespaceMode_CONTAINER {
723@@ -125,7 +133,7 @@ func (m *kubeGenericRuntimeManager) generateLinuxContainerConfig(container *v1.C
724 }
725 }
726
727- return lc
728+ return lc, nil
729 }
730
731 // calculateLinuxResources will create the linuxContainerResources type based on the provided CPU and memory resource requests, limits
732diff --git a/pkg/kubelet/kuberuntime/kuberuntime_container_linux_test.go b/pkg/kubelet/kuberuntime/kuberuntime_container_linux_test.go
733index 46817e00fb0..98f635cc932 100644
734--- a/pkg/kubelet/kuberuntime/kuberuntime_container_linux_test.go
735+++ b/pkg/kubelet/kuberuntime/kuberuntime_container_linux_test.go
736@@ -47,6 +47,8 @@ func makeExpectedConfig(m *kubeGenericRuntimeManager, pod *v1.Pod, containerInde
737 restartCountUint32 := uint32(restartCount)
738 envs := make([]*runtimeapi.KeyValue, len(opts.Envs))
739
740+ l, _ := m.generateLinuxContainerConfig(container, pod, new(int64), "", nil, enforceMemoryQoS)
741+
742 expectedConfig := &runtimeapi.ContainerConfig{
743 Metadata: &runtimeapi.ContainerMetadata{
744 Name: container.Name,
745@@ -64,7 +66,7 @@ func makeExpectedConfig(m *kubeGenericRuntimeManager, pod *v1.Pod, containerInde
746 Stdin: container.Stdin,
747 StdinOnce: container.StdinOnce,
748 Tty: container.TTY,
749- Linux: m.generateLinuxContainerConfig(container, pod, new(int64), "", nil, enforceMemoryQoS),
750+ Linux: l,
751 Envs: envs,
752 }
753 return expectedConfig
754@@ -215,7 +217,8 @@ func TestGenerateLinuxContainerConfigResources(t *testing.T) {
755 },
756 }
757
758- linuxConfig := m.generateLinuxContainerConfig(&pod.Spec.Containers[0], pod, new(int64), "", nil, false)
759+ linuxConfig, err := m.generateLinuxContainerConfig(&pod.Spec.Containers[0], pod, new(int64), "", nil, false)
760+ assert.NoError(t, err)
761 assert.Equal(t, test.expected.CpuPeriod, linuxConfig.GetResources().CpuPeriod, test.name)
762 assert.Equal(t, test.expected.CpuQuota, linuxConfig.GetResources().CpuQuota, test.name)
763 assert.Equal(t, test.expected.CpuShares, linuxConfig.GetResources().CpuShares, test.name)
764@@ -329,6 +332,8 @@ func TestGenerateContainerConfigWithMemoryQoSEnforced(t *testing.T) {
765 memoryLow int64
766 memoryHigh int64
767 }
768+ l1, _ := m.generateLinuxContainerConfig(&pod1.Spec.Containers[0], pod1, new(int64), "", nil, true)
769+ l2, _ := m.generateLinuxContainerConfig(&pod2.Spec.Containers[0], pod2, new(int64), "", nil, true)
770 tests := []struct {
771 name string
772 pod *v1.Pod
773@@ -338,7 +343,7 @@ func TestGenerateContainerConfigWithMemoryQoSEnforced(t *testing.T) {
774 name: "Request128MBLimit256MB",
775 pod: pod1,
776 expected: &expectedResult{
777- m.generateLinuxContainerConfig(&pod1.Spec.Containers[0], pod1, new(int64), "", nil, true),
778+ l1,
779 128 * 1024 * 1024,
780 int64(float64(256*1024*1024) * m.memoryThrottlingFactor),
781 },
782@@ -347,7 +352,7 @@ func TestGenerateContainerConfigWithMemoryQoSEnforced(t *testing.T) {
783 name: "Request128MBWithoutLimit",
784 pod: pod2,
785 expected: &expectedResult{
786- m.generateLinuxContainerConfig(&pod2.Spec.Containers[0], pod2, new(int64), "", nil, true),
787+ l2,
788 128 * 1024 * 1024,
789 int64(pod2MemoryHigh),
790 },
791@@ -355,7 +360,8 @@ func TestGenerateContainerConfigWithMemoryQoSEnforced(t *testing.T) {
792 }
793
794 for _, test := range tests {
795- linuxConfig := m.generateLinuxContainerConfig(&test.pod.Spec.Containers[0], test.pod, new(int64), "", nil, true)
796+ linuxConfig, err := m.generateLinuxContainerConfig(&test.pod.Spec.Containers[0], test.pod, new(int64), "", nil, true)
797+ assert.NoError(t, err)
798 assert.Equal(t, test.expected.containerConfig, linuxConfig, test.name)
799 assert.Equal(t, linuxConfig.GetResources().GetUnified()["memory.min"], strconv.FormatInt(test.expected.memoryLow, 10), test.name)
800 assert.Equal(t, linuxConfig.GetResources().GetUnified()["memory.high"], strconv.FormatInt(test.expected.memoryHigh, 10), test.name)
801@@ -578,7 +584,8 @@ func TestGenerateLinuxContainerConfigNamespaces(t *testing.T) {
802 },
803 } {
804 t.Run(tc.name, func(t *testing.T) {
805- got := m.generateLinuxContainerConfig(&tc.pod.Spec.Containers[0], tc.pod, nil, "", tc.target, false)
806+ got, err := m.generateLinuxContainerConfig(&tc.pod.Spec.Containers[0], tc.pod, nil, "", tc.target, false)
807+ assert.NoError(t, err)
808 if diff := cmp.Diff(tc.want, got.SecurityContext.NamespaceOptions); diff != "" {
809 t.Errorf("%v: diff (-want +got):\n%v", t.Name(), diff)
810 }
811@@ -669,7 +676,8 @@ func TestGenerateLinuxContainerConfigSwap(t *testing.T) {
812 } {
813 t.Run(tc.name, func(t *testing.T) {
814 m.memorySwapBehavior = tc.swapSetting
815- actual := m.generateLinuxContainerConfig(&tc.pod.Spec.Containers[0], tc.pod, nil, "", nil, false)
816+ actual, err := m.generateLinuxContainerConfig(&tc.pod.Spec.Containers[0], tc.pod, nil, "", nil, false)
817+ assert.NoError(t, err)
818 assert.Equal(t, tc.expected, actual.Resources.MemorySwapLimitInBytes, "memory swap config for %s", tc.name)
819 })
820 }
821diff --git a/pkg/kubelet/kuberuntime/security_context.go b/pkg/kubelet/kuberuntime/security_context.go
822index c9d33e44305..3b575c8e974 100644
823--- a/pkg/kubelet/kuberuntime/security_context.go
824+++ b/pkg/kubelet/kuberuntime/security_context.go
825@@ -24,7 +24,7 @@ import (
826 )
827
828 // determineEffectiveSecurityContext gets container's security context from v1.Pod and v1.Container.
829-func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container, uid *int64, username string) *runtimeapi.LinuxContainerSecurityContext {
830+func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Pod, container *v1.Container, uid *int64, username string) (*runtimeapi.LinuxContainerSecurityContext, error) {
831 effectiveSc := securitycontext.DetermineEffectiveSecurityContext(pod, container)
832 synthesized := convertToRuntimeSecurityContext(effectiveSc)
833 if synthesized == nil {
834@@ -36,9 +36,16 @@ func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Po
835
836 // TODO: Deprecated, remove after we switch to Seccomp field
837 // set SeccompProfilePath.
838- synthesized.SeccompProfilePath = m.getSeccompProfilePath(pod.Annotations, container.Name, pod.Spec.SecurityContext, container.SecurityContext, m.seccompDefault)
839+ var err error
840+ synthesized.SeccompProfilePath, err = m.getSeccompProfilePath(pod.Annotations, container.Name, pod.Spec.SecurityContext, container.SecurityContext, m.seccompDefault)
841+ if err != nil {
842+ return nil, err
843+ }
844
845- synthesized.Seccomp = m.getSeccompProfile(pod.Annotations, container.Name, pod.Spec.SecurityContext, container.SecurityContext, m.seccompDefault)
846+ synthesized.Seccomp, err = m.getSeccompProfile(pod.Annotations, container.Name, pod.Spec.SecurityContext, container.SecurityContext, m.seccompDefault)
847+ if err != nil {
848+ return nil, err
849+ }
850
851 // set ApparmorProfile.
852 synthesized.ApparmorProfile = apparmor.GetProfileNameFromPodAnnotations(pod.Annotations, container.Name)
853@@ -74,7 +81,7 @@ func (m *kubeGenericRuntimeManager) determineEffectiveSecurityContext(pod *v1.Po
854 synthesized.MaskedPaths = securitycontext.ConvertToRuntimeMaskedPaths(effectiveSc.ProcMount)
855 synthesized.ReadonlyPaths = securitycontext.ConvertToRuntimeReadonlyPaths(effectiveSc.ProcMount)
856
857- return synthesized
858+ return synthesized, nil
859 }
860
861 // convertToRuntimeSecurityContext converts v1.SecurityContext to runtimeapi.SecurityContext.
862--
8632.40.0
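--- a/recipes-containers/kubernetes/kubernetes_git.bb
+++ b/recipes-containers/kubernetes/kubernetes_git.bb
@@ -30,6 +30,7 @@ SRC_URI:append = " \
 file://0001-cross-don-t-build-tests-by-default.patch;patchdir=src/import \
 file://0001-build-golang.sh-convert-remaining-go-calls-to-use.patch;patchdir=src/import \
 file://0001-Makefile.generated_files-Fix-race-issue-for-installi.patch;patchdir=src/import \
+file://CVE-2023-2431.patch;patchdir=src/import \
 file://cni-containerd-net.conflist \
 file://k8s-init \
 file://99-kubernetes.conf \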