From 8095ca174fd95e92676ef86c59413427afa7b9e4 Mon Sep 17 00:00:00 2001
From: actions
Date: Tue, 8 Dec 2020 22:05:22 +0000
Subject: [PATCH] Generated changes
---
 assets/index.yaml | 29 +++++++++++++++++-
 .../rancher-externalip-webhook-0.1.400.tgz | Bin 0 -> 7225 bytes
 charts/rancher-externalip-webhook/Chart.yaml | 5 ++-
 .../rancher-externalip-webhook/app-README.md | 5 ++-
 .../rancher-externalip-webhook/questions.yaml | 2 +-
 .../templates/deployment.yaml | 4 +--
 .../templates/service.yaml | 4 +--
 .../templates/servicemonitor.yaml | 4 +--
 charts/rancher-externalip-webhook/values.yaml | 2 +-
 index.yaml | 29 +++++++++++++++++-
 .../rancher-externalip-webhook.sum | 2 +-
 11 files changed, 69 insertions(+), 17 deletions(-)
 create mode 100644 assets/rancher-externalip-webhook/rancher-externalip-webhook-0.1.400.tgz
diff --git a/assets/index.yaml b/assets/index.yaml
index d9edcfb04..70332e104 100644
--- a/assets/index.yaml
+++ b/assets/index.yaml
@@ -794,6 +794,33 @@ entries: - assets/rancher-cis-benchmark/rancher-cis-benchmark-crd-1.0.100.tgz version: 1.0.100 rancher-externalip-webhook: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: External IP Webhook + catalog.cattle.io/namespace: cattle-externalip-system + catalog.cattle.io/release-name: rancher-externalip-webhook + catalog.cattle.io/ui-component: rancher-externalip-webhook + apiVersion: v1 + appVersion: v0.1.4 + created: "2020-12-08T22:05:21.819947668Z" + description: | + Deploy the externalip-webhook to mitigate k8s CVE-2020-8554 + digest: abc86966d4a49e37ea0a7e90f38bc267a73cb9fc3a9ce96e407bae760eb9af95 + home: https://github.com/rancher/externalip-webhook + keywords: + - cve + - externalip + - webhook + - security + maintainers: + - email: raul@rancher.com + name: rawmind0 + name: rancher-externalip-webhook + sources: + - https://github.com/rancher/externalip-webhook + urls: + - assets/rancher-externalip-webhook/rancher-externalip-webhook-0.1.400.tgz + version: 0.1.400 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/display-name: External IP Webhook @@ -2245,4 +2272,4 @@ entries: urls: - assets/rio/rio-0.8.000.tgz version: 0.8.000 -generated: "2020-12-08T19:09:47.204545583Z" +generated: "2020-12-08T22:05:21.818659463Z" 
diff --git a/assets/rancher-externalip-webhook/rancher-externalip-webhook-0.1.400.tgz b/assets/rancher-externalip-webhook/rancher-externalip-webhook-0.1.400.tgz new file mode 100644 index 0000000000000000000000000000000000000000..903c5d654cccc858bc538fd0043312a4faeda390 GIT binary patch literal 7225 zcmV-99LD1xiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PKD3a@#nv==|nW^p$t-jdMfl!?K-W-E7@#;@!yxw_|Q}`eWQWW)JS2#|9@Ai8ApSnkS~26URx7{{XVW0a70m~ld5A7)(#B}wtK<8{5h6Jj1Pk_h$eiv#cyClS2? zF~Kn3AP5RmBFGpC3|CJ%ym)u!_By?e`}Fv@?@XvfW+Ftw{dRjy#3UVh0iCuDi0v8> zukg(^Wg+(+7lIjfT&r8hg{+zj90w^Q;>MXG5(`9P%+yDCiby1>kVgOC^dtLp05aNM zPe~khoTa4ZG-Ux+jjo5oEF-F-X{X~n^qlySN`w5Lp(w?C3kqO~{69KAnUnvgo#Vay z-$gk%fag&}uW^`54k@$)5;E=}{U(#9oTvK9-|z`dqY#D|P{c3_Z-B&H zpeVv2AfW`Wl&nFNa-mce09GA@J_wd#^(2=#t(GG}cr{YpyEWYd;Sdt8T6h8|41wcl z1e}ax972G+fC(Tm3=zjCeTn-N38i-aoW@~<*Y6`uB8oy)nL~&Kf=9ZWCm#SFR3NZ~bg+T#nfcGgo#bhw~*Ch(sLFkfxfDWQxXE zDy<=gB$Xug9Q8~NoqTXkBNE*B@M`piigSiJj)i%3sXF97y#L?;Fq}|M1Z6k53aQfs z00ND3<$7RvgT!N)V!=qj0morNNi3X$%&q`DC4$4iwDEC-NQA?W4F8^DEN45R!6iMgj~0!+JOSsRC>fPeO&R&-XT$Z{)ze|z=QD;!5>3J|hkwsU5dQQG zy57m5V``}-k>utI2e{nzVs`+NIuC*>`b)({!VH7gQzi`EI^AZa9| zal+ErcN_pI_yQ4u>*iL*v(KNwyU+`B?@jg;Zf{|Xg`6@R+z47INo388xu7-Qr6=2L zfd{v@Ps~bxu5q}%{kkU7H(FMj{~sqfN-*P|NH$ptE}8$mlTLO1cRNS>`M;C$`E&a* z%*fOSjs=WJgvCvQpG_rMf(iEFar^exk+qz&Pl;N1n5Bi(uk!CexrrT9&y{MJ#7*jD#4z$dy|hz{!#NlT0tu(TIG4mRmH2<52yrL46@j zc?>A;W0XeG4g8*>Ncl1WC5b}9bN+#K>#DwxeMp2j3~_)`j)BuDwygw(`iS5txYd->*4)|HDFp5WkcH3~^M%T)S<>d=3-I=Qkh$p~U>zAwwptVY5} zEJo1!BX|GETa`-s!oj48Z*C~zuiCMIo^n4h>+_a`20Di%B5K+-rhP!E0tawt(2pXGvhx<9MbFDCjr+aij*fI8&PGTDlr&x{a zVR7LKOMA6&oKxO%0F+zMH{Z$!cr?O+@S*jFUYh>pW4(5k%beDkoOrG3;MRh{&EiPI zP+nhA?rU@wx1^2kkA|`znK8Rt_N2%rjW*T2T06alo!hPTzAVj(RwJuFp!{D+|D$k9 zxLlJOdTPhq%8ub>`+q0>s{ZeHdPjTxzl&n~8|sJo>ZzK1v+fWJ)OD^%9QyDMMI=Om z#ACBGenI0A8K;G}424J_zdGk^f3RmcgYyOc?X3e)*_4Em=Trhi;@@x}+yJ>FMyE=& z*DgKU%Vd6`Z>8KXxkN2F4!LjeEtz62&@}NOPNOK_CR?+gSx&yJh8vU!XrAhQy@=pg 
zXaeU1jj4b~t5Wq)BVl``CB}mOnz*6d}P@KaqCmF?Yn5?GS4Cs6Cc`!Uf4A- zH~=F=qLks>D>;rS!yAr=w+IT4&jJU4rIB`{xquS#S4PvsFs7^B`?lXMe>3ZNz9J7bYq_LF=8=^qfqm2Bkq)9B%qbucK$$78!%L~nM7c|0_G67@$ ztNBghAWFk#)8B(HK;jU`0{XcOl*=bAc&wGw?X6op$-wyn3@4Ek1+D+vg4V~DZet^n zul74!IfWb}PAbC0ReLlz7E%%y!BqqG#RZ@4-P^X>9< zD77jI0?c`1`>wkm>V}~g_sq?9n<*2ko@l#zZjafP3vbyf|EPDem;XB{_cD+FteNCHna+m$T`3S9IR`HA$ZXXrA=^MW2Vh>v zWnifGjL=o`L07#jZEbD{w6mI#y*2HBdwYLc;rrsI!VWN^bek--xlQu$e5hBN4=oRW zw6c=^4^>q26vvw#2Uw#2Pft&ds_Vbw)9zmX@1m6ae@VjIv&_Z!G9UDkh z62asbO&#M3TXzo&@|syJS22jHz3M>Tbud++-o^v^v~c=uV^9Gy+N<_xapplk*{0>A zTXZ+m!LrFxFeCtCV{1rUa9uSV*o_DmICfDOGR*n2j;H?fEuP8%RiUO9L1iOp!Ue-< z`fMUZ;g?t0S+|ov&~csb2$g3A~uG_KUU>JoY#+;usI>f%!zX*~`8eCyv zKg=SA7lTb=A_$6J;t1Vb;(*2>_u<&a3o}B){FTKu5t-qgf?~E4-cA_i6B>mjXyzb2 z>R4jL+9KIh3T$Pz)X$Ad*vRwz5L@NDb>>Lpj0os-isI0o6YV0vUzd3amkpg9$Y)kp zR)nn$US(Uc{-8=#0Ge94t?QD+RR>+{4wpAIH|BHTR1`^hvM;DRAM0F!KJzL{>Hlm! z*5(zokPK3*an;q}iaJ zEP~XIkgEmMu8_ld(g0`OL6ePiyPmH3Ol_K{`mmnOPezHqrXlvB-?KTvKH0Y@sKYuN zczaupnqSHPLpV<{+xR5#693QfNvBsm|8d&g`+s&)){W0{6+^4QWck{}WWB=-{AY5_ z9T5R7ueH2Ea|YLHkc@ybc;vl62^x}!2!gry{QOlGSL6K+acEUT!DijoAv{v*eJtQn zgySk?-p9@%bPnMW{v95XSk%7n9>SwBUhuvvzdwXZgu^@}j%8nMij9i0+X_mZB`9@I zR>4U}{cQm;EW^}N}O z%=Q^ysfX&pMua5U_v>3KuIuh~!(KP+b;CEU8;k(?KGZ@k&DPNf97m%|bz_XW^PzNl z>46V1ueAO%i{MQcfXm|lI!FEa^S}G^KRYRv`$kHkKi|icU30GHj%s(Yzd5P8d$S2r zl;*#5ssun#R0C-&;RRXvPVvrSPA;`=^XBH!&OjuUN#MQm^W zLLRYh%UPR8=C>8@he`Iact1*6NB<-31Yg?>Sfc+s{ki!6UVnf8<8Dfmu+Kt&zYCea zqKtp&@z`})XZ}xVOaxtjA86V6&rYv9H~;tdfA6Mj76)0qv~vFVr{NV6kG+60Ou4!R zx+-B_>ssH3gmDedYg&`pm8SWrZ*%6o92%m{Np_bS}2 zk7f4Xard}-|M$uM{>R;v12{)Q4!yckN{_a>B^ib(i9!;OAwj_v8e{G`2m01wo+fGu z419v42*wc|Y8gc0@e^P;LW0b&l4I6$6o<|M#CWVPS$>o-JR+ZP2-ieR;C~%@@M|31 z0FBj`5+q2lx)KX}j`#BNB#b-Wn25IeSA*|(!+){1`Zs$p z8Moy>*-t);+eJe|6kMf=y8Dhhk3D{!IFG#{x^fMCe42FnLoIik6 zfqAQoKLReKsa$iXy?sOO!W=i?j=;*cA^X>3P`VS!c{{-{qESSz73S)q_lR)8HNIJ8 z`8YugO|ig?XV-MrfTk&A?(`%qKPq5AaUAChoM#O|L-_(Pi$pk074M_S&NbZYeB^uq 
zcWF_rFRylAWuwj&YJ>Vy41)^cF0lYqll|kxtCtrXIF?)_a0tU2K>A$A7DsK+Y7N%? zNTODIUD=@8`dTSHCYa$>@_OtRwfX4FfolCe6Q(RjO|Y~|?K>i8f($frCD^m@13@9> zc+F1NE?XM6B7|vBZhe~>VE*?y`Cl|@HECZOuvK_9-E%s~@j6eV2tpcMNt~u~r2r#F zr}YUCHW`=(>Tf(`)gx?mjeM!*eK1JMuOQJU-|nqQ)a+C%%h9ahWfHQ~eAbAU=A(N; zY70YFoNrub$aE^B;@d4DQ|)}vTAbae5orrSfyNCrn-LUf44FBk7WCUk(D+Y_WQfc0 zs`!&@>*s2%n(1lFDAYp<1C>^0Bet~n-c>S04ODEmz>Z{!QX>9(pmN%q?2|@F+{EG^F%O-8Z59PdcuU;Spvy4shla z_av zoh>0ZZw=HUw=4a>zV2Ta&CEDhil#OP_`RXIUDRyjpb52mHwPqY<3I^7OO{pB-_;?% z6%Mtmf%_>EKb^2|TLYM%758+mIxk4lLDpFfrdfRmlGG%{+ctvTPG@>==;_pYgQe(A z?X-VeMenHdnrt7vEP-G?ezoXb+oLCi9GjsnIuGw}^m6pF@mp#1wv3@fueb5&*@yKP z8?4QlFt>n21C%iMe7g~9mFq+otTZl$D1hhZuXgNTf=q69HygJG32C)|aldl05z0Hw zx&{ep^>A^&a=x4l%r&%&ZCCpKE7+k)LIj z-ob+CE{pt{(<=?g8NbsGag)g15jX4pmicDBY%w$OCb+fC#_MLRX zwIBcfN&e@D0U$O`l^rH14D29Ya9 z{F9~%8)@Z9ptDGa_tr-r9$7yQzr|RtO-e)j7fKR$D=}b8L$NTuNos|0c zFFV=`aTDxS4$XRBipwhe_t)3gUNFO<4jfZa|G^BmOSRjFj&o+kn`9E4a6nMx##8&+ znHad95Gg4co?)rGveamLt67UphT@P;?MN2xWl?4-xnZoc8dAm`DGj)h!I9C8I_xD2 zh!Io@Kc)B)FNMbpZ?aEiuY-lxiVg~4>Vb;h%8?;a1T>CrbZ-SV8cR&XL~ZTG|NWo; zB~)f+tN$lJ8Cobbmf3%&{p$J8es7=uc{hcpL|`A@VlLo$Hq>xojkS}X16C<3 z7p4Mt6u-ziMEF_QDZ_Dy*`k&K5a&3*OauR(qR200{w;j@*)_U4`}|6&s#k}^N`|81 z;bSWDT**Lm+-BposL!%nvCT09-?}ev@f6D|nX{sjg6edq@IfDBUD9uU8TT?eW(RCN zE9*;%qQ&+7OHyr17~6|cs@$9C0^x7cr~*xv-THm!gJ);A&cnIa8M=I&vVpV4aFPZ;K<-e8tb3LhFlqK@N*FCM?|JCd6 z^FQyV*z!MHDqqkD^Rn2lW&p1h_Hy!>xms$+U|gpc8W8T? 
z9bt9SE_1B1Aqu4O&bQdVLUOEOZY<7aI;%G`YDg2LT+r#)N*RDk?1T^6jJhYP$)+D# z_U+4h`rjn1UE2&;rvLk$<7)oz{^?%-@1!i!|6sB%FSY~hOz=%>zuH!twS_IzYQ)k* z3Gxc`3k3QS;O|+cu4IvAh?r=_Z_YgHF1A)mT)FyyHW1=lwAnVK!jEdgJ+u&hz_L{T z7x#N?y8K_F|GP&gC)NB<-P4oPz5d@tvGsqE@w=k+EBW7>w0+TrmL>}~#{sdix_PiZ z-zMQwTx{S_&4o;T!#=dSPkOBt1PM=Y;ALd+)UP6q^!v^S53w2CHtUs_8tPI=ahVGs^EL=MOSDZGgKg0$gIxZ%Llizqk2*6^Ua6OfGQr z5!r_nDOPm54?lN0defnLklEUG%fVxo3;HBmPe%S-IeuYO7_ zkl|Z1W$R#=Z$!RptgM<<6Y3#Mf1=|L`ZC^E52$WaX)L3^`*~dYmx2x z|CjFn=!CZ$@BRF=JpSYO$4(h)<&};0v*JcR6D^{gjwACFI z9j{}~00&ljb_Ys7vlOYs1T^H1{8}KtGa7Zg?#Y&klx6>aNJ?ce+yl9~TPByvxZitV zdgVZDm04u=T!DK>12Oy;_INiari&jz{axq(vNNyV7+m+L|p2usbuN@I68-B;J~ zLzC^hDXY%^DUFGso9zQGng89+N%j19@8ozt|94XA=KpIw*7ft>Fv3b3f|UkWJZN0a zHMik8<7zW^-#@IQzzU*orw3=}v0iiAae?$LA^p%yyD$5)FZ;4DcP{@E00960Q1>D? H0PFw&w2xJ6 literal 0 HcmV?d00001 diff --git a/charts/rancher-externalip-webhook/Chart.yaml b/charts/rancher-externalip-webhook/Chart.yaml index e9b9e2b08..dee6beb1b 100644 --- a/charts/rancher-externalip-webhook/Chart.yaml +++ b/charts/rancher-externalip-webhook/Chart.yaml @@ -5,13 +5,12 @@ annotations: catalog.cattle.io/release-name: rancher-externalip-webhook catalog.cattle.io/ui-component: rancher-externalip-webhook apiVersion: v1 -appVersion: v0.1.3 +appVersion: v0.1.4 description: | Deploy the externalip-webhook to mitigate k8s CVE-2020-8554 home: https://github.com/rancher/externalip-webhook keywords: - cve -- embargo - externalip - webhook - security @@ -21,4 +20,4 @@ maintainers: name: rancher-externalip-webhook sources: - https://github.com/rancher/externalip-webhook -version: 0.1.300 +version: 0.1.400 diff --git a/charts/rancher-externalip-webhook/app-README.md b/charts/rancher-externalip-webhook/app-README.md index c8476ceaf..38c317119 100644 --- a/charts/rancher-externalip-webhook/app-README.md +++ b/charts/rancher-externalip-webhook/app-README.md 
@@ -3,8 +3,7 @@
 This chart was created to mitigate [CVE-2020-8554](https://www.cvedetails.com/cve/CVE-2020-8554/)
 External IP Webhook is a validating k8s webhook which prevents services from using random external IPs. Cluster administrators
-can specify list of CIDRs allowed to be used as external IP by specifying `allowed-external-ip-cidrs` parameter.
-Webhook will only allow creation of services which doesn't require external IP or whose external IPs are within the range
-specified by the administrator.
+can specify list of CIDRs allowed to be used as external IP by specifying `allowed-external-ip-cidrs` parameter.
+The webhook will only allow services which either don’t set external IP, or whose external IPs are within the range specified by the administrator.
 For more information, review the Helm README of this chart.
diff --git a/charts/rancher-externalip-webhook/questions.yaml b/charts/rancher-externalip-webhook/questions.yaml
index c2bce6fca..8b0e19040 100644
--- a/charts/rancher-externalip-webhook/questions.yaml
+++ b/charts/rancher-externalip-webhook/questions.yaml
@@ -4,4 +4,4 @@ questions:
 label: Allowed external IP cidrs
 description: Set allowed external IP CIDRs separated by a comma
 type: string
- group: config
\ No newline at end of file
+ group: Configuration
\ No newline at end of file
diff --git a/charts/rancher-externalip-webhook/templates/deployment.yaml b/charts/rancher-externalip-webhook/templates/deployment.yaml
index a817d2d78..c82754deb 100644
--- a/charts/rancher-externalip-webhook/templates/deployment.yaml
+++ b/charts/rancher-externalip-webhook/templates/deployment.yaml
@@ -10,8 +10,8 @@ metadata:
 spec:
 replicas: {{ .Values.replicas }}
 selector:
- matchLabels: {{ include "externalip-webhook.labels" . | indent 6 }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ matchLabels:
+ app: {{ template "externalip-webhook.name" . }}
 template:
 metadata:
 annotations:
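Review bot: Changing `spec.selector.matchLabels` in deployment.yaml to the single `app` label removes the version-dependent `chart` label, but in apps/v1 a Deployment selector is immutable, so an in-place upgrade from the 0.1.300 chart will likely be rejected and the release has to be removed and reinstalled. Because this chart exists to mitigate CVE-2020-8554, Services are not validated while the webhook is absent, so the upgrade procedure deserves a line in the README. The pod template's `metadata.labels` lie outside this hunk; confirm they still carry `app: {{ template "externalip-webhook.name" . }}`, otherwise the selector matches nothing and the Deployment is invalid. A comment above the selector such as `# selector is immutable: keep version-dependent labels out of it` would record why `chart` was dropped.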
diff --git a/charts/rancher-externalip-webhook/templates/service.yaml b/charts/rancher-externalip-webhook/templates/service.yaml
index d91eeed78..256add3e4 100644
--- a/charts/rancher-externalip-webhook/templates/service.yaml
+++ b/charts/rancher-externalip-webhook/templates/service.yaml
@@ -12,7 +12,7 @@ spec:
 protocol: TCP
 targetPort: {{ .Values.webhookPort }}
 selector:
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app: {{ template "externalip-webhook.name" . }}
 type: "ClusterIP"
 {{- if .Values.metrics.enabled }}
 ---
@@ -30,6 +30,6 @@ spec:
 protocol: TCP
 targetPort: {{ .Values.metrics.port }}
 selector:
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ app: {{ template "externalip-webhook.name" . }}
 type: "ClusterIP"
 {{- end }}
\ No newline at end of file
diff --git a/charts/rancher-externalip-webhook/templates/servicemonitor.yaml b/charts/rancher-externalip-webhook/templates/servicemonitor.yaml
index b90498492..c481ea31d 100644
--- a/charts/rancher-externalip-webhook/templates/servicemonitor.yaml
+++ b/charts/rancher-externalip-webhook/templates/servicemonitor.yaml
@@ -11,6 +11,6 @@ spec:
 - path: /metrics
 port: https
 selector:
- matchLabels: {{ include "externalip-webhook.labels" . | indent 6 }}
- chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ matchLabels:
+ app: {{ template "externalip-webhook.name" . }}
 {{- end }}
\ No newline at end of file
diff --git a/charts/rancher-externalip-webhook/values.yaml b/charts/rancher-externalip-webhook/values.yaml
index 5f3a929f4..dc17e9796 100644
--- a/charts/rancher-externalip-webhook/values.yaml
+++ b/charts/rancher-externalip-webhook/values.yaml
@@ -15,7 +15,7 @@ image:
 pullPolicy: IfNotPresent
 pullSecrets: []
 repository: rancher/externalip-webhook
- tag: v0.1.3
+ tag: v0.1.4
 ## Enabling metrics endpoint
 # Webhook emits `webhook_failed_request_count` metrics whenever it rejects service creation or update operation
 metrics:
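Review bot: Both selectors in service.yaml (the webhook Service in the `@@ -12,7 +12,7 @@` hunk and the metrics Service in `@@ -30,6 +30,6 @@`) now match on `app` alone, so any pod in the namespace that carries this label becomes a backend for admission requests. In a dedicated namespace that is probably acceptable, but if the pod template also carries a release label, adding it to the selector, e.g. `release: {{ .Release.Name }}`, would keep a second release or a stray pod from receiving AdmissionReview traffic. The pod labels are defined in deployment.yaml outside these hunks, so this has to be checked there before the selector is narrowed.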
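Review bot: The ServiceMonitor `selector` in servicemonitor.yaml picks Service objects rather than pods, and with `app` as the only label it will match every Service of this chart that carries it, presumably both the webhook Service and the metrics Service. The endpoint is `port: https`, so if the webhook Service's port uses the same name, Prometheus would also try to scrape the admission port. The Service `metadata.labels` and port names are outside the visible hunks; if both Services share `app`, give the metrics Service a distinguishing label and match on that label here, with a comment above `matchLabels` saying which Service is meant.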
diff --git a/index.yaml b/index.yaml index d9edcfb04..70332e104 100644 --- a/index.yaml +++ b/index.yaml @@ -794,6 +794,33 @@ entries: - assets/rancher-cis-benchmark/rancher-cis-benchmark-crd-1.0.100.tgz version: 1.0.100 rancher-externalip-webhook: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: External IP Webhook + catalog.cattle.io/namespace: cattle-externalip-system + catalog.cattle.io/release-name: rancher-externalip-webhook + catalog.cattle.io/ui-component: rancher-externalip-webhook + apiVersion: v1 + appVersion: v0.1.4 + created: "2020-12-08T22:05:21.819947668Z" + description: | + Deploy the externalip-webhook to mitigate k8s CVE-2020-8554 + digest: abc86966d4a49e37ea0a7e90f38bc267a73cb9fc3a9ce96e407bae760eb9af95 + home: https://github.com/rancher/externalip-webhook + keywords: + - cve + - externalip + - webhook + - security + maintainers: + - email: raul@rancher.com + name: rawmind0 + name: rancher-externalip-webhook + sources: + - https://github.com/rancher/externalip-webhook + urls: + - assets/rancher-externalip-webhook/rancher-externalip-webhook-0.1.400.tgz + version: 0.1.400 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/display-name: External IP Webhook @@ -2245,4 +2272,4 @@ entries: urls: - assets/rio/rio-0.8.000.tgz version: 0.8.000 -generated: "2020-12-08T19:09:47.204545583Z" +generated: "2020-12-08T22:05:21.818659463Z" diff --git a/sha256sum/rancher-externalip-webhook/rancher-externalip-webhook.sum b/sha256sum/rancher-externalip-webhook/rancher-externalip-webhook.sum index 893c975ea..89ff84ae3 100644 --- a/sha256sum/rancher-externalip-webhook/rancher-externalip-webhook.sum +++ b/sha256sum/rancher-externalip-webhook/rancher-externalip-webhook.sum @@ -1 +1 @@ -f6bf0708fa426f2b4343691ca3c3fff2a7b6bd502af5ed3b0aeae51e011b5c8f packages/rancher-externalip-webhook/package.yaml +9f7d1eaa86b2b929e679dac7bb94e1632e959e6bc3f1137010474a24a38844b2 packages/rancher-externalip-webhook/package.yaml