Comments (10)
Sounds like you've done a lot of research on this. Do you want to do a PR? I think taking any action 1.17 is a bit late, but it isn't too late to get any changes in 1.19.
I can't say what would make all parties happy with a change there though, but let me know your thoughts.
from eks-distro.
What isn't clear, and mainly why I didn't propose a PR was there doesn't seem to be any documentation as to why this feature exists, or why it might be needed. Lacking that context, and documentation would it be possible to just remove the patch entirely? With https://github.com/aws/eks-distro/blob/45bbfb32b8b52c6acefcd8b431227aa0d2bfa10e/projects/kubernetes/kubernetes/1-19/patches/0008-EKS-PATCH-Update-aws-sdk-go-to-v1.34.24.patch it looks like the AWS SDK supports the feature directly now: https://github.com/aws/aws-sdk-go/blob/v1.34.24/aws/session/shared_config.go#L285-L292
If the sole purpose was to support regional STS, it looks like this is now addressed. That said, getting any more detail on the reason for the patch would go a long way in knowing the steps forward. The two patches adding the code are the only two files I can find, which makes me suspicious that there aren't any tests covering this feature. If they exist, and anyone knows where they might be, that would be greatly appreciated.
from eks-distro.
Good question, I'm not sure of the answer, but I'll see if anyone else does.
from eks-distro.
I posted #132 to just remove the patch in the off chance that path is possible. If we are able to locate and document a need for the existing code, I can change the PR, or make a new one, to only change the credential loading behavior in the presence of the env vars.
from eks-distro.
@nairb774 you were right that this is not required anymore given that aws-sdk-go dependency was updated (kubernetes/kubernetes#87253) from 1.18 onwards and was only added to support pulling images using different role for ECR to support other computes like Fargate and also to support regional STS regional endpoint for image pulling which are now addressed. Having said that, we will remove this in the next release. Sorry for the inconvenience this has caused.
from eks-distro.
Thanks for the background and great to know the history behind the change.
from eks-distro.
Sorry, after a lot of arm twisting I still couldn't get this in v1.19, but it will definitely be in v1.20
from eks-distro.
It happens. On the other hand, excited to see 1.19 coming.
from eks-distro.
To follow up, this was fixed in 1.20? I haven't yet been able to test, but curious for when we get there.
from eks-distro.
This was fixed for 1.20
from eks-distro.
Related Issues (20)
- Can you support Semantic Versioning? HOT 2
- Discontinue support for k8s 1.23 HOT 1
- Releases: 1.23-1.28
- K8s Security: [Security Advisory] CVE-2023-3676: Insufficient input sanitization on Windows nodes leads to privilege escalation
- K8s Security: [Security Advisory] CVE-2023-3955: Insufficient input sanitization on Windows nodes leads to privilege escalation
- K8s Security: [kubernetes-announce] [Security Advisory] CVE-2023-3676: Insufficient input sanitization on Windows nodes leads to privilege escalation
- K8s Security: [Security Advisory] CVE-2023-3893: Insufficient input sanitization on kubernetes-csi-proxy leads to privilege escalation
- K8s Security: [kubernetes-announce] [Security Advisory] CVE-2023-3955: Insufficient input sanitization on Windows nodes leads to privilege escalation
- K8s Security: [kubernetes-announce] [Security Advisory] CVE-2023-3893: Insufficient input sanitization on kubernetes-csi-proxy leads to privilege escalation
- Ability to link EKS-D release to Platform Version on AWS EKS service HOT 5
- K8s Security: [Ingress-nginx Security Advisory] CVE-2022-4886: Ingress-nginx `path` sanitization can be bypassed with `log_format` directive
- K8s Security: [Ingress-nginx Security Advisory] CVE-2023-5044: Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation
- K8s Security: [Ingress-nginx Security Advisory] CVE-2023-5043: Ingress nginx annotation injection causes arbitrary command execution
- K8s Security: [kubernetes-announce] [Ingress-nginx Security Advisory] CVE-2023-5044: Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation HOT 1
- K8s Security: [kubernetes-announce] [Ingress-nginx Security Advisory] CVE-2023-5043: Ingress nginx annotation injection causes arbitrary command execution HOT 1
- K8s Security: [kubernetes-announce] [Ingress-nginx Security Advisory] CVE-2022-4886: Ingress-nginx `path` sanitization can be bypassed with `log_format` directive HOT 1
- K8s Security: [Security Advisory] CVE-2023-5528: Insufficient input sanitization in in-tree storage plugin leads to privilege escalation on Windows nodes
- K8s Security: [kubernetes-announce] [Security Advisory] CVE-2023-5528: Insufficient input sanitization in in-tree storage plugin leads to privilege escalation on Windows nodes HOT 1
- Create 1-29 Foundation HOT 1
- AWS::EKS::AccessEntry/AccessEntry: CREATE_FAILED ( eksctl create cluster ) HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from eks-distro.