Affected by GO-2025-3696 and 1 other vulnerabilities

GO-2025-3696: Gardener allows bypassing project secret validation which can lead to privilege escalation in github.com/gardener/gardener

GO-2025-3698: Gardener allows metadata injection for a project secret which can lead to privilege escalation in github.com/gardener/gardener

bootstrappers

package

v1.77.6 Latest Latest Go to latest Published: Sep 27, 2023 License: Apache-2.0, BSD-2-Clause, MIT, + 1 more Imports: 14 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/gardener/gardener

Links

Documentation ¶

Index ¶

Variables
type GardenKubeconfig
- func (g *GardenKubeconfig) Start(ctx context.Context) (err error)
type KubeconfigBootstrapResult
type SeedConfigChecker
- func (s *SeedConfigChecker) Start(ctx context.Context) error

Constants ¶

This section is empty.

Variables ¶

View Source

var (
	// RequestKubeconfigWithBootstrapClient is an alias for bootstrap.RequestKubeconfigWithBootstrapClient.
	// Exposed for testing.
	RequestKubeconfigWithBootstrapClient = bootstrap.RequestKubeconfigWithBootstrapClient
	// NewClientFromBytes is an alias for kubernetes.NewClientFromBytes.
	// Exposed for testing.
	NewClientFromBytes = kubernetes.NewClientFromBytes
)

Functions ¶

This section is empty.

Types ¶

type GardenKubeconfig ¶

type GardenKubeconfig struct {
	// SeedClient is the seed cluster client.
	SeedClient client.Client
	// Log is a logger.
	Log logr.Logger
	// Config is the gardenlet component configuration.
	Config *config.GardenletConfiguration
	// Result is a structure that will be filled with information about the requested kubeconfig. Must be initialized
	// by the caller.
	Result *KubeconfigBootstrapResult
}

GardenKubeconfig implements manager.Runnable and can be used to fetch a kubeconfig for the garden cluster.

func (*GardenKubeconfig) Start ¶

func (g *GardenKubeconfig) Start(ctx context.Context) (err error)

Start starts the garden kubeconfig bootstrap process. It either uses the provided bootstrap kubeconfig with a bootstrap token to create a CertificateSigningRequest for retrieving a client certificate, or it returns the already existing kubeconfig (stored in the seed cluster as secret).

type KubeconfigBootstrapResult ¶

type KubeconfigBootstrapResult struct {
	// Kubeconfig is the kubeconfig that can be used to communicate with the garden cluster.
	Kubeconfig []byte
	// CSRName is the name of the created CertificateSigningRequest. This might be empty when no CSR was created (e.g.,
	// because the kubeconfig already exists).
	CSRName string
	// SeedName is the name of the seed the kubeconfig was requested for. This might be empty when no CSR was created
	// (e.g. because the kubeconfig already exists).
	SeedName string
}

KubeconfigBootstrapResult is contains information about the result of the kubeconfig bootstrapping process.

type SeedConfigChecker ¶

type SeedConfigChecker struct {
	SeedClient client.Client
	SeedConfig *config.SeedConfig
}

SeedConfigChecker checks whether the seed networks in the specification of the provided SeedConfig are correctly configured. Note that this only works in case the seed cluster is a shoot cluster (i.e., if it has the `shoot-info` ConfigMap in the kube-system namespace).

func (*SeedConfigChecker) Start ¶

func (s *SeedConfigChecker) Start(ctx context.Context) error

Start performs the check.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL