Affected by GO-2022-0617 and 23 other vulnerabilities
GO-2022-0617 : WITHDRAWN: Potential proxy IP restriction bypass in Kubernetes in k8s.io/kubernetes
GO-2022-0703 : XML Entity Expansion and Improper Input Validation in Kubernetes API server in k8s.io/kubernetes
GO-2022-0802 : Kubernetes kubectl cp Vulnerable to Symlink Attack in k8s.io/kubernetes
GO-2022-0867 : Allocation of Resources Without Limits or Throttling and Uncontrolled Memory Allocation in Kubernetes in k8s.io/kubernetes
GO-2022-0885 : Improper Authentication in Kubernetes in k8s.io/kubernetes
GO-2022-0890 : Server Side Request Forgery (SSRF) in Kubernetes in k8s.io/kubernetes
GO-2022-0907 : Access Restriction Bypass in kube-apiserver in k8s.io/kubernetes
GO-2022-0910 : Files or Directories Accessible to External Parties in kubernetes in k8s.io/kubernetes
GO-2022-0983 : kubectl ANSI escape characters not filtered in k8s.io/kubernetes
GO-2023-1864 : Kubelet vulnerable to bypass of seccomp profile enforcement in k8s.io/kubernetes
GO-2023-1891 : kube-apiserver vulnerable to policy bypass in k8s.io/kubernetes
GO-2023-1892 : Kubernetes mountable secrets policy bypass in k8s.io/kubernetes
GO-2023-2159 : Kube-proxy may unintentionally forward traffic in k8s.io/kubernetes
GO-2023-2341 : Kubernetes Improper Input Validation vulnerability in k8s.io/kubernetes
GO-2024-2748 : Privilege Escalation in Kubernetes in k8s.io/apimachinery
GO-2024-2753 : Denial of service in Kubernetes in k8s.io/kubernetes
GO-2024-2754 : Sensitive Information leak via Log File in Kubernetes in k8s.io/kubernetes
GO-2024-2755 : Sensitive Information leak via Log File in Kubernetes in k8s.io/kubernetes
GO-2024-2994 : Kubernetes sets incorrect permissions on Windows containers logs in k8s.io/kubernetes
GO-2024-3277 : Kubernetes Nil pointer dereference in KCM after v1 HPA patch request in k8s.io/kubernetes
GO-2025-3465 : Node Denial of Service via kubelet Checkpoint API in k8s.io/kubernetes
GO-2025-3521 : Kubernetes GitRepo Volume Inadvertent Local Repository Access in k8s.io/kubernetes
GO-2025-3522 : Kubernetes allows Command Injection affecting Windows nodes via nodes/*/logs/query API in k8s.io/kubernetes
GO-2025-3547 : Kubernetes kube-apiserver Vulnerable to Race Condition in k8s.io/kubernetes
Package: k8s.io/kubernetes/plugin/pkg/admission/antiaffinity
Version: v1.15.3
Published: Aug 16, 2019
License: Apache-2.0
Imports: 6
Imported by: 36
Documentation
Package antiaffinity provides the LimitPodHardAntiAffinityTopology
admission controller. It rejects any pod that specifies "hard"
(RequiredDuringScheduling) anti-affinity with a TopologyKey other
than v1.LabelHostname. Because anti-affinity is symmetric, without
this admission controller, a user could maliciously or accidentally
specify that their pod (once it has scheduled) should block other
pods from scheduling into the same zone or some other large
topology, essentially DoSing the cluster. In the future we will
address this problem more fully by using quota and priority, but
for now this admission controller provides a simple protection, on
the assumption that the only legitimate use of hard pod
anti-affinity is to exclude other pods from the same node.
const PluginName = "LimitPodHardAntiAffinityTopology"
PluginName is a string with the name of the plugin
Register registers a plugin
Plugin contains the client used by the admission controller
func NewInterPodAntiAffinity() *Plugin
NewInterPodAntiAffinity creates a new instance of the LimitPodHardAntiAffinityTopology admission controller
Validate will deny any pod that defines AntiAffinity topology key other than v1.LabelHostname i.e. "kubernetes.io/hostname"
in requiredDuringSchedulingRequiredDuringExecution and requiredDuringSchedulingIgnoredDuringExecution.
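The rule stated in the package documentation and in Validate, sketched as an added example that is not the plugin's source code. `Pod`, `PodAntiAffinity`, `AffinityTerm` and `validateHardAntiAffinity` are simplified, hypothetical stand-ins for the Kubernetes API types and the plugin's check, and the sample pods are constructed.

```go
package main

import "fmt"

// labelHostname mirrors the value of v1.LabelHostname quoted above.
const labelHostname = "kubernetes.io/hostname"

// Simplified stand-ins for the pod API types (assumption: only the
// fields this check reads are modelled).
type AffinityTerm struct{ TopologyKey string }

type PodAntiAffinity struct {
	Required  []AffinityTerm // hard terms (requiredDuringScheduling...)
	Preferred []AffinityTerm // soft terms (preferredDuringScheduling...)
}

type Pod struct {
	Name         string
	AntiAffinity *PodAntiAffinity // nil when the pod declares none
}

// validateHardAntiAffinity returns an error for the first hard anti-affinity
// term whose topology key is not the per-node hostname label. Soft terms
// are not inspected: the rule above covers hard anti-affinity only.
func validateHardAntiAffinity(p Pod) error {
	if p.AntiAffinity == nil {
		return nil
	}
	for i, term := range p.AntiAffinity.Required {
		if term.TopologyKey != labelHostname {
			return fmt.Errorf("pod %q: hard anti-affinity term %d uses TopologyKey %q; only %q is allowed",
				p.Name, i, term.TopologyKey, labelHostname)
		}
	}
	return nil
}

func main() {
	zone := "failure-domain.beta.kubernetes.io/zone" // zone-wide topology key
	pods := []Pod{ // constructed samples
		{Name: "no-affinity"},
		{Name: "hard-node", AntiAffinity: &PodAntiAffinity{Required: []AffinityTerm{{labelHostname}}}},
		{Name: "soft-zone", AntiAffinity: &PodAntiAffinity{Preferred: []AffinityTerm{{zone}}}},
		{Name: "hard-zone", AntiAffinity: &PodAntiAffinity{Required: []AffinityTerm{{labelHostname}, {zone}}}},
	}
	for _, p := range pods {
		fmt.Printf("%-12s -> %v\n", p.Name, validateHardAntiAffinity(p))
	}
}
```

Only `hard-zone` is rejected: its second required term would let one pod exclude others from an entire zone, which is the cluster-wide blocking the admission controller exists to prevent.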