k0s - The Zero Friction Kubernetes
Home Page: https://docs.k0sproject.io
License: Other
Which should contain all required container images.
We should do some basic integration testing for mke. Maybe we could utilize footloose like we do for launchpad:
So essentially we could do something like this:
Ready condition in tolerable time
footloose destroy
We could provide option for users to run better isolated containers via kata, gvisor, firecracker or some other tech out there.
Pretty much every time I terminate my mke worker ... process with ctrl-c, both kubelet and containerd processes leak.
Not everyone is gonna want to use calico, so we'd need to support a custom CNI provider. Maybe the config could be something like:
apiVersion: mke.mirantis.com/v1beta1
kind: Cluster
metadata:
  name: foobar
spec:
  network:
    provider: custom
It is then up to the user to make the CNI work. Fairly easy by pushing their CNI manifests into /var/lib/mke/manifests :)
We want to make mke control plane elastic, so there should be a way to easily boot up second controlplane "instance" on some other node. Requires that there's a way to somehow sync all the needed certs and other details between the nodes.
We should use bundled conntrack if host does not have it installed.
Maybe we could use this: https://github.com/florianl/go-conntrack
X.509 Certificate Linter based on CA/B Forum Baseline Requirements and RFC 5280
Dependency Hierarchy:
Found in HEAD commit: 12c20c7fee37c61b9259a3a301be461c13f2cc2a
Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate.
Publish Date: 2020-03-16
URL: CVE-2020-7919
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7919
Release Date: 2020-03-16
Fix Resolution: go - 1.12.16,1.13.7;crypto - v0.0.0-20200128174031-69ecbb4d6d5d
Currently the join tokens are never-expiring. We should enable a flag (e.g. --expiry 72h) for the mke token create command. The actual expiry is handled by the tokencleaner controller on controllermanager which we already enable.
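As an added example (not mke's own code), the following Go program shows what an --expiry flag has to produce: a bootstrap token in the Kubernetes-documented "[a-z0-9]{6}.[a-z0-9]{16}" form, stored in a kube-system Secret of type bootstrap.kubernetes.io/token whose expiration field is what the tokencleaner controller checks before deleting the Secret. The auth-extra-groups value is an assumption; everything else follows the bootstrap token Secret format.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"regexp"
	"strings"
	"time"
)

// Bootstrap tokens must match this documented shape: "<token-id>.<token-secret>".
var tokenRe = regexp.MustCompile(`^[a-z0-9]{6}\.[a-z0-9]{16}$`)

const tokenAlphabet = "abcdefghijklmnopqrstuvwxyz0123456789"

// randomChars draws n characters from the token alphabet using crypto/rand.
func randomChars(n int) (string, error) {
	var sb strings.Builder
	limit := big.NewInt(int64(len(tokenAlphabet)))
	for i := 0; i < n; i++ {
		idx, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return "", err
		}
		sb.WriteByte(tokenAlphabet[idx.Int64()])
	}
	return sb.String(), nil
}

// NewToken returns a fresh "<id>.<secret>" bootstrap token.
func NewToken() (string, error) {
	id, err := randomChars(6)
	if err != nil {
		return "", err
	}
	secret, err := randomChars(16)
	if err != nil {
		return "", err
	}
	return id + "." + secret, nil
}

// BootstrapSecret renders the kube-system Secret for the token. expiry <= 0 omits the
// expiration field and yields a never-expiring token, which is the current behaviour.
func BootstrapSecret(token string, expiry time.Duration, now time.Time) (string, error) {
	if !tokenRe.MatchString(token) {
		return "", fmt.Errorf("invalid bootstrap token format")
	}
	id, secret := token[:6], token[7:]
	expLine := ""
	if expiry > 0 {
		expLine = fmt.Sprintf("  expiration: %q\n", now.Add(expiry).UTC().Format(time.RFC3339))
	}
	manifest := fmt.Sprintf(`apiVersion: v1
kind: Secret
metadata:
  name: bootstrap-token-%s
  namespace: kube-system
type: bootstrap.kubernetes.io/token
stringData:
  token-id: %q
  token-secret: %q
%s  usage-bootstrap-authentication: "true"
  usage-bootstrap-signing: "true"
  auth-extra-groups: "system:bootstrappers:mke:default-node-token"
`, id, id, secret, expLine)
	return manifest, nil
}

// Expired is the tokencleaner's decision: true once the expiration timestamp has passed.
// A Secret without an expiration field never expires.
func Expired(manifest string, now time.Time) (bool, error) {
	for _, line := range strings.Split(manifest, "\n") {
		line = strings.TrimSpace(line)
		if !strings.HasPrefix(line, "expiration:") {
			continue
		}
		val := strings.Trim(strings.TrimSpace(strings.TrimPrefix(line, "expiration:")), `"`)
		exp, err := time.Parse(time.RFC3339, val)
		if err != nil {
			return false, err
		}
		return now.After(exp), nil
	}
	return false, nil
}

func main() {
	tok, err := NewToken()
	if err != nil {
		panic(err)
	}
	m, _ := BootstrapSecret(tok, 72*time.Hour, time.Now())
	fmt.Print(m)
}
```

The expiration value has to be RFC 3339 in UTC; the tokencleaner compares it against its own clock, so a flag value like 72h is converted to an absolute timestamp at creation time rather than stored as a duration.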
New Calico supports WireGuard; we should make that a configurable option for Calico.
We probably need similar config yaml for worker as we now have for controller. Some things we could be configuring:
It looks like kine creates its database in the local directory. We should move that to the working directory, /var/lib/mke, and make it configurable.
Containerd needs to be configured with a toml config file. The defaults can be dumped with containerd config default
We need to check which parts we'd need to configure, or make configurable through mke. Then when mke is launching containerd, it should first dump the config file and then launch containerd with containerd --config /path/to/config.toml
Auditing for TLS certificates, Go code.
Dependency Hierarchy:
Found in HEAD commit: 12c20c7fee37c61b9259a3a301be461c13f2cc2a
A cross-site request forgery flaw was found in etcd 3.3.1 and earlier. An attacker can set up a website that tries to send a POST request to the etcd server and modify a key. Adding a key is done with PUT so it is theoretically safe (can't PUT from an HTML form or such) but POST allows creating in-order keys that an attacker can send.
Publish Date: 2018-04-03
URL: CVE-2018-1098
Base Score Metrics:
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1098
Release Date: 2018-04-03
Fix Resolution: v3.4.0-rc.0
MKE should include metrics-server deployment.
ContainerD has to be up-and-running so mke has to supervise that.
Dependency Hierarchy:
Found in HEAD commit: dfc52923fce4373bce79baa9a6333b3354dde77f
The Kubernetes kube-apiserver in versions v1.6-v1.15, and versions prior to v1.16.13, v1.17.9 and v1.18.6 are vulnerable to an unvalidated redirect on proxied upgrade requests that could allow an attacker to escalate privileges from a node compromise to a full cluster compromise.
Publish Date: 2020-07-21
URL: CVE-2020-8559
Base Score Metrics:
Type: Upgrade version
Origin: kubernetes/kubernetes#92914
Release Date: 2020-07-21
Fix Resolution: v1.18.6,v1.17.9,v1.16.13
Currently we just assume there's mke.yaml in the cwd... :)
We need to make some calico setting configurable through the config yaml. At least the following:
The config could look something like:
apiVersion: mke.mirantis.com/v1beta1
kind: Cluster
metadata:
  name: foobar
spec:
  network:
    provider: calico
    calico:
      mtu: 1234
      mode: vxlan
Default to vxlan and 1450 MTU.
We need to have kubelet get a properly signed serving cert, otherwise configuring adjacent components such as metrics-server will get messy, as by default kubelet is running with a self-signed serving cert:
Server certificate
subject=CN = controller0@1597052929
issuer=CN = controller0-ca@1597052929
We should automatically deploy CoreDNS in HA mode (when possible).
Currently both are hardcoded. 😂
Note that when changing the service CIDR, we need to "statically" reserve an IP for the DNS service. Currently it's 10.96.0.10 and set to coreDNS here
We also need to change the api service certs to include the first address of the service CIDR as SAN, the cluster internal api service is at that address.
Some of the processes do not need to run as root, so we should run them as different users. We also need to investigate whether we need to detach those from the controlling tty.
Currently we dump all bins to disk. This means that when we run worker, we get control plane bins to disk too. So we'd need something where each component can tell which bins it needs so we dump only the ones we really need.
Push/PR --> trigger build
For this ^ we do not yet have tests to run, but eventually we should have.
Tag --> trigger release build (i.e. build bin + make release in GH with bins as artifacts)
Similar to what K3s does.
We want to support real etcd as storage for control plane. Just another supervised process in controlplane, but requires specific CA and certs (both serving and client certs).
Currently we have 3 shim bins embedded; we will probably only need one.
Library for writing a Kubernetes-style API server.
Dependency Hierarchy:
Found in HEAD commit: 6fe2a96165d709fe20a7eb7820114857561c2eac
A flaw was found in the OpenShift API Server, where it failed to sufficiently protect OAuthTokens by leaking them into the logs when an API Server panic occurred. This flaw allows an attacker with the ability to cause an API Server error to read the logs, and use the leaked OAuthToken to log into the API Server with the leaked token.
Publish Date: 2020-06-12
URL: CVE-2020-10752
Base Score Metrics:
This way we're in total control of all the bits and pieces. And, maybe even more importantly, we can run everything smoothly on any distro. ;)
Currently there's no health checking done for any of the managed child processes. Maybe mke could have some simple-ish way to ping the healthz endpoints of each of the children?
Of course if a healthcheck fails, we should restart the process. Definitely needs some backoff so we don't create busyloops with this.
Same as for containerd in #4 but for kubelet.
Split the components into directories as:
pkg/component/
pkg/component/server/
pkg/component/worker/
[mirror] Go text processing support
Dependency Hierarchy:
Found in HEAD commit: 12c20c7fee37c61b9259a3a301be461c13f2cc2a
Go version v0.3.3 of the x/text package fixes a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
Publish Date: 2020-06-17
URL: CVE-2020-14040
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14040
Release Date: 2020-06-17
Fix Resolution: v0.3.3
Auditing for TLS certificates, Go code.
Dependency Hierarchy:
Found in HEAD commit: 12c20c7fee37c61b9259a3a301be461c13f2cc2a
DNS rebinding vulnerability found in etcd 3.3.1 and earlier. An attacker can control his DNS records to direct to localhost, and trick the browser into sending requests to localhost (or any other address).
Publish Date: 2018-04-03
URL: CVE-2018-1099
Base Score Metrics:
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1099
Release Date: 2018-04-03
Fix Resolution: v3.4.0-rc.0
Implement mke single or similar, which will respawn and supervise itself as both server and worker. This makes it simple to bootstrap and run mke as a single node cluster on your development machine for testing.
We already have basic config yaml structure in place. We should properly document it and while doing so create the very basic /docs structure.
Auditing for TLS certificates, Go code.
Dependency Hierarchy:
Found in HEAD commit: 12c20c7fee37c61b9259a3a301be461c13f2cc2a
etcd versions 3.2.x before 3.2.26 and 3.3.x before 3.3.11 are vulnerable to an improper authentication issue when role-based access control (RBAC) is used and client-cert-auth is enabled. If an etcd client server TLS certificate contains a Common Name (CN) which matches a valid RBAC username, a remote attacker may authenticate as that user with any valid (trusted) client certificate in a REST API request to the gRPC-gateway.
Publish Date: 2019-01-14
URL: CVE-2018-16886
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-16886
Release Date: 2019-01-14
Fix Resolution: 3.2.26,3.3.11
At least 2 PSPs, restricted and privileged.
YAML support for the Go language.
Dependency Hierarchy:
Found in HEAD commit: 12c20c7fee37c61b9259a3a301be461c13f2cc2a
The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.
Publish Date: 2020-04-01
URL: CVE-2019-11254
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/go-yaml/yaml/tree/v2.2.8
Release Date: 2020-04-01
Fix Resolution: yaml-v2.2.8
Maybe needs #3 as it's not really a trivial problem
We should generate proper CA/certs for Kine and etcd.
mke bin needs to spawn a few child processes (containerd and kubelet at least) and make sure they stay up-and-running. This is what a process manager does, so we should check if there's some nifty golang lib that could handle this. We'd need to make sure that e.g. signal handling works as expected and we do not create too many zombies and what-nots.
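The supervision issue here and the health-check issue above (healthz probing with restart and backoff) share one mechanism, shown in the added Go example below; it is illustrative code, not mke's. The child is started with os/exec and waited on, so it is reaped rather than left as a zombie; it is placed in its own process group so a ctrl-c on the supervisor's terminal does not also hit the child, which is what leaks kubelet and containerd when the parent dies uncleanly; restarts use capped exponential backoff; and Healthy is the probe a supervisor can run against a child's healthz endpoint. The command names, delays and restart limit in main are assumptions.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"os"
	"os/exec"
	"os/signal"
	"syscall"
	"time"
)

// Supervisor keeps one child (containerd, kubelet, ...) running, restarting it with
// capped exponential backoff so a crash-looping binary cannot become a busy loop.
type Supervisor struct {
	Name      string
	Args      []string
	BaseDelay time.Duration
	MaxDelay  time.Duration
}

// Backoff returns the pause before restart number attempt (0-based): Base*2^attempt, capped at Max.
func (s Supervisor) Backoff(attempt int) time.Duration {
	if attempt < 0 {
		attempt = 0
	}
	if attempt > 30 { // shifting further would overflow the duration
		return s.MaxDelay
	}
	d := s.BaseDelay << uint(attempt)
	if d > s.MaxDelay || d <= 0 {
		d = s.MaxDelay
	}
	return d
}

// Run starts the child and restarts it on abnormal exit, at most maxRestarts times,
// returning the number of restarts performed. cmd.Run waits for the child, so every
// exited process is reaped (no zombies); cancelling ctx kills a running child.
func (s Supervisor) Run(ctx context.Context, maxRestarts int) int {
	restarts := 0
	for {
		cmd := exec.CommandContext(ctx, s.Name, s.Args...)
		cmd.Stdout, cmd.Stderr = os.Stdout, os.Stderr
		// Own process group: SIGINT from the terminal reaches the supervisor only, and
		// the supervisor decides when the child is stopped (via ctx).
		cmd.SysProcAttr = &syscall.SysProcAttr{Setpgid: true}
		err := cmd.Run()
		if ctx.Err() != nil || err == nil {
			return restarts // stopped on purpose, or exited cleanly: do not restart
		}
		if restarts >= maxRestarts {
			return restarts
		}
		delay := s.Backoff(restarts)
		restarts++
		select {
		case <-ctx.Done():
			return restarts
		case <-time.After(delay):
		}
	}
}

// Healthy probes a child's healthz endpoint with a bounded timeout; anything but 200 is unhealthy.
func Healthy(url string, timeout time.Duration) bool {
	client := &http.Client{Timeout: timeout}
	resp, err := client.Get(url)
	if err != nil {
		return false
	}
	defer resp.Body.Close()
	return resp.StatusCode == http.StatusOK
}

func main() {
	// SIGINT/SIGTERM cancel ctx, which in turn kills the supervised child.
	ctx, stop := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
	defer stop()
	s := Supervisor{Name: "sh", Args: []string{"-c", "exit 1"}, BaseDelay: 100 * time.Millisecond, MaxDelay: 5 * time.Second}
	fmt.Println("restarts:", s.Run(ctx, 3))
}
```

A failed Healthy probe would be handled the same way as an abnormal exit: cancel the child's context, let Run reap it, and fall into the backoff path instead of restarting immediately.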