kubeclient 3.1.0 → 3.1.1

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: ad5e0d0d632be2585068c14cf2eb218e20788c83
4
- data.tar.gz: f7b002dcb8a7a49381b3bdbe8e6eaf2abdbe1f4d
3
+ metadata.gz: f7a3f5bd1265e7901b0107badc19f6519919674d
4
+ data.tar.gz: 89a0f99ce7194c998a3a0f18888fcc0496adf2b8
5
5
  SHA512:
6
- metadata.gz: 0bec0e053d54fa34c6b058c071b55e681d0c97497808ba7e23703dcfde1dff5e86be185a2b3cf0c1c834b50857b11298ff524f14ed42c2145d18d859b85924c5
7
- data.tar.gz: 5f2d7cb7770b4e7d3414b468704db641929eafde9452c60a863ab7d542cb3ea9fc1e35f8d2cddb3f85ccf02eb8a1dd078503748822e2ba7db3b9383210788cfe
6
+ metadata.gz: 0ea1aec07c2dd2e121b9648fb1e18a3c23993af2bf9efd460992ec8a983c5d1ee38102c1b013a20e09c766d1f7e1474561494bd77e28be190f3a85ec23ec5fd6
7
+ data.tar.gz: b002550b4e4144802f20e21262f082ce228bc196e643e0f9c4446f1cbe49f0710584d5cdab865a544cc557b4e27a6661ce9350423075a34a700fbc01b18ebdb2
@@ -4,6 +4,15 @@ Notable changes to this project will be documented in this file.
4
4
  The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
5
5
  Kubeclient release versioning follows [SemVer](https://semver.org/).
6
6
 
7
+ ## 3.1.1 - 2018-06-01
8
+
9
+ ### Security
10
+ - Fixed `Kubeclient::Config.read` to use `YAML.safe_load` (#334).
11
+
12
+ Previously, could deserialize arbitrary ruby classes. The risk depends on ruby classes available in the application; sometimes a class may have side effects - up to arbitrary code execution - when instantiated and/or built up with `x[key] = value` during YAML parsing.
13
+
14
+ Despite this fix, using config from untrusted sources is not recommended.
15
+
7
16
  ## 3.1.0 - 2018-05-27
8
17
 
9
18
  ### Fixed
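Review bot: the `### Security` entry should also record the compatibility consequence of the fix it describes: `YAML.safe_load` with default arguments rejects YAML aliases and any non-core class, so a kubeconfig that uses anchors/aliases (valid YAML that `YAML.load_file` accepted) now fails to load with `Psych::BadAlias` instead of being parsed. Stating that as a behaviour change in the 3.1.1 entry saves users a surprise. The sentence "Previously, could deserialize arbitrary ruby classes." is also missing its subject; "Previously, `Kubeclient::Config.read` could deserialize arbitrary Ruby classes." reads cleanly.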
data/README.md CHANGED
@@ -262,30 +262,44 @@ end
262
262
 
263
263
  ### Kubeclient::Config
264
264
 
265
- If you've been using `kubectl` and have a `.kube/config` file, you can auto-populate a config object using `Kubeclient::Config`:
265
+ If you've been using `kubectl` and have a `.kube/config` file (possibly referencing other files in fields such as `client-certificate`), you can auto-populate a config object using `Kubeclient::Config`:
266
266
 
267
267
  ```ruby
268
- config = Kubeclient::Config.read('/path/to/.kube/config')
268
+ # assuming $KUBECONFIG is one file, won't merge multiple like kubectl
269
+ config = Kubeclient::Config.read(ENV['KUBECONFIG'] || '/path/to/.kube/config')
269
270
  ```
270
271
 
271
- ...and then pass that object to `Kubeclient::Client`:
272
+ You can also construct `Config` directly from nested data. For example if you have JSON or YAML config data in a variable:
272
273
 
274
+ ```ruby
275
+ config = Kubeclient::Config.new(YAML.safe_load(yaml_text), nil)
276
+ # or
277
+ config = Kubeclient::Config.new(JSON.parse(json_text), nil)
273
278
  ```
279
+
280
+ The 2nd argument is a base directory for finding external files, if config refers to them with relative path.
281
+ Setting it to `nil` disables file lookups. (A config can be self-contained by using inline fields such as `client-certificate-data`.)
282
+
283
+ To create a client based on a Config object:
284
+
285
+ ```ruby
286
+ # default context according to `current-context` field:
287
+ context = config.context
288
+ # or to use a specific context, by name:
289
+ context = config.context('default/192-168-99-100:8443/system:admin')
290
+
274
291
  Kubeclient::Client.new(
275
- config.context.api_endpoint,
276
- config.context.api_version,
277
- {
278
- ssl_options: config.context.ssl_options,
279
- auth_options: config.context.auth_options
280
- }
292
+ context.api_endpoint,
293
+ context.api_version,
294
+ ssl_options: context.ssl_options,
295
+ auth_options: context.auth_options
281
296
  )
282
297
  ```
283
298
 
284
- You can also load your JSONified config in from an ENV variable (e.g. `KUBE_CONFIG`) like so:
299
+ #### Security: Don't use config from untrusted sources
285
300
 
286
- ```ruby
287
- Kubeclient::Config.new(JSON.parse(ENV['KUBE_CONFIG']), nil)
288
- ```
301
+ Kubeclient was never reviewed for behaving safely with malicious / malformed config.
302
+ It might crash / misbehave in unexpected ways...
289
303
 
290
304
  #### namespace
291
305
 
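Review bot: the new `#### Security: Don't use config from untrusted sources` section ends with "It might crash / misbehave in unexpected ways..." and leaves the reader without a statement of what this release does and does not cover. Suggest two concrete sentences: `Config.read` and the documented `YAML.safe_load(yaml_text)` path stop arbitrary Ruby objects from being instantiated while parsing, and a config can still direct the client to read any file on disk through `client-certificate`, `client-key` and `certificate-authority` unless the base directory argument is `nil` (as the paragraph above the section already explains), while the parser itself has not been reviewed against malformed input. Since the old `JSON.parse(ENV['KUBE_CONFIG'])` example is removed in the same hunk, a short note that it was dropped on purpose, with the `Kubeclient::Config.new(JSON.parse(json_text), nil)` form as the replacement, would help readers who copied it.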
@@ -25,7 +25,7 @@ module Kubeclient
25
25
  end
26
26
 
27
27
  def self.read(filename)
28
- Config.new(YAML.load_file(filename), File.dirname(filename))
28
+ Config.new(YAML.safe_load(File.read(filename)), File.dirname(filename))
29
29
  end
30
30
 
31
31
  def contexts
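Review bot: `YAML.safe_load(File.read(filename))` drops the filename that `YAML.load_file` handed to Psych, so a syntax error in a kubeconfig will no longer name the file in its message. Psych's `safe_load` accepts the filename as a positional argument (`safe_load(yaml, whitelist_classes = [], whitelist_symbols = [], aliases = false, filename = nil)` in Psych 2.x/3.0), so `YAML.safe_load(File.read(filename), [], [], false, filename)` keeps the diagnostics at no cost. The same default arguments reject YAML aliases; if anchored kubeconfigs must keep working, `true` for the `aliases` argument is the minimal change, with the caveat that permitting aliases re-opens alias-expansion denial of service on untrusted input, which is consistent with the README's advice not to load untrusted config. Either decision deserves a test, since neither is covered by the ones added below.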
@@ -1,4 +1,4 @@
1
1
  # Kubernetes REST-API Client
2
2
  module Kubeclient
3
- VERSION = '3.1.0'.freeze
3
+ VERSION = '3.1.1'.freeze
4
4
  end
@@ -1,4 +1,5 @@
1
1
  require_relative 'test_helper'
2
+ require 'yaml'
2
3
 
3
4
  # Testing Kubernetes client configuration
4
5
  class KubeclientConfigTest < MiniTest::Test
@@ -14,6 +15,34 @@ class KubeclientConfigTest < MiniTest::Test
14
15
  check_context(config.context, ssl: true)
15
16
  end
16
17
 
18
+ def test_allinone_nopath
19
+ yaml = File.read(config_file('allinone.kubeconfig'))
20
+ # A self-contained config shouldn't depend on kcfg_path.
21
+ config = Kubeclient::Config.new(YAML.safe_load(yaml), nil)
22
+ assert_equal(['default/localhost:8443/system:admin'], config.contexts)
23
+ check_context(config.context, ssl: true)
24
+ end
25
+
26
+ def test_external_nopath
27
+ yaml = File.read(config_file('external.kubeconfig'))
28
+ # kcfg_path = nil should prevent file access
29
+ config = Kubeclient::Config.new(YAML.safe_load(yaml), nil)
30
+ assert_raises(StandardError) do
31
+ config.context.ssl_options
32
+ end
33
+ end
34
+
35
+ def test_external_nopath_absolute
36
+ yaml = File.read(config_file('external.kubeconfig'))
37
+ # kcfg_path = nil should prevent file access, even if absolute path specified
38
+ ca_absolute_path = File.absolute_path(config_file('external.kubeconfig').path)
39
+ yaml = yaml.gsub('external-ca.pem', ca_absolute_path)
40
+ config = Kubeclient::Config.new(YAML.safe_load(yaml), nil)
41
+ assert_raises(StandardError) do
42
+ config.context.ssl_options
43
+ end
44
+ end
45
+
17
46
  def test_nouser
18
47
  config = Kubeclient::Config.read(config_file('nouser.kubeconfig'))
19
48
  assert_equal(['default/localhost:8443/nouser'], config.contexts)
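Review bot: `test_external_nopath` and `test_external_nopath_absolute` use `assert_raises(StandardError)`, which passes for any exception, including one unrelated to the `kcfg_path = nil` guard (a `NoMethodError` introduced by a refactor would satisfy it). Assert the specific class or message that the guard raises. `test_external_nopath_absolute` additionally substitutes the absolute path of `external.kubeconfig` itself for `external-ca.pem`; that file is not a PEM certificate, so if the lookup were ever allowed, reading it would fail anyway and the test could not distinguish "file lookup refused" from "file read and rejected". Pointing at a real PEM fixture (or a temporary file the test writes) and checking the error message makes the negative test meaningful.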
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: kubeclient
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.1.0
4
+ version: 3.1.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Alissa Bonas
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2018-05-27 00:00:00.000000000 Z
11
+ date: 2018-06-01 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler
@@ -297,7 +297,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
297
297
  version: '0'
298
298
  requirements: []
299
299
  rubyforge_project:
300
- rubygems_version: 2.6.13
300
+ rubygems_version: 2.6.11
301
301
  signing_key:
302
302
  specification_version: 4
303
303
  summary: A client for Kubernetes REST api
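Review bot: `rubygems_version` moves backwards from 2.6.13 to 2.6.11 while `date` moves forward, which indicates 3.1.1 was built on a different machine with an older RubyGems than 3.1.0. Not a defect by itself, but for a security release it is worth building from one pinned toolchain so the gem is reproducible and the `checksums.yaml` change is explained solely by the source change.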