kubeclient 3.1.0 → 3.1.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of kubeclient might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/CHANGELOG.md +9 -0
- data/README.md +27 -13
- data/lib/kubeclient/config.rb +1 -1
- data/lib/kubeclient/version.rb +1 -1
- data/test/test_config.rb +29 -0
- metadata +3 -3
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: f7a3f5bd1265e7901b0107badc19f6519919674d
|
4
|
+
data.tar.gz: 89a0f99ce7194c998a3a0f18888fcc0496adf2b8
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 0ea1aec07c2dd2e121b9648fb1e18a3c23993af2bf9efd460992ec8a983c5d1ee38102c1b013a20e09c766d1f7e1474561494bd77e28be190f3a85ec23ec5fd6
|
7
|
+
data.tar.gz: b002550b4e4144802f20e21262f082ce228bc196e643e0f9c4446f1cbe49f0710584d5cdab865a544cc557b4e27a6661ce9350423075a34a700fbc01b18ebdb2
|
data/CHANGELOG.md
CHANGED
@@ -4,6 +4,15 @@ Notable changes to this project will be documented in this file.
|
|
4
4
|
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
|
5
5
|
Kubeclient release versioning follows [SemVer](https://semver.org/).
|
6
6
|
|
7
|
+
## 3.1.1 - 2018-06-01
|
8
|
+
|
9
|
+
### Security
|
10
|
+
- Fixed `Kubeclient::Config.read` to use `YAML.safe_load` (#334).
|
11
|
+
|
12
|
+
Previously, could deserialize arbitrary ruby classes. The risk depends on ruby classes available in the application; sometimes a class may have side effects - up to arbitrary code execution - when instantiated and/or built up with `x[key] = value` during YAML parsing.
|
13
|
+
|
14
|
+
Despite this fix, using config from untrusted sources is not recommended.
|
15
|
+
|
7
16
|
## 3.1.0 - 2018-05-27
|
8
17
|
|
9
18
|
### Fixed
|
data/README.md
CHANGED
@@ -262,30 +262,44 @@ end
|
|
262
262
|
|
263
263
|
### Kubeclient::Config
|
264
264
|
|
265
|
-
If you've been using `kubectl` and have a `.kube/config` file, you can auto-populate a config object using `Kubeclient::Config`:
|
265
|
+
If you've been using `kubectl` and have a `.kube/config` file (possibly referencing other files in fields such as `client-certificate`), you can auto-populate a config object using `Kubeclient::Config`:
|
266
266
|
|
267
267
|
```ruby
|
268
|
-
|
268
|
+
# assuming $KUBECONFIG is one file, won't merge multiple like kubectl
|
269
|
+
config = Kubeclient::Config.read(ENV['KUBECONFIG'] || '/path/to/.kube/config')
|
269
270
|
```
|
270
271
|
|
271
|
-
|
272
|
+
You can also construct `Config` directly from nested data. For example if you have JSON or YAML config data in a variable:
|
272
273
|
|
274
|
+
```ruby
|
275
|
+
config = Kubeclient::Config.new(YAML.safe_load(yaml_text), nil)
|
276
|
+
# or
|
277
|
+
config = Kubeclient::Config.new(JSON.parse(json_text), nil)
|
273
278
|
```
|
279
|
+
|
280
|
+
The 2nd argument is a base directory for finding external files, if config refers to them with relative path.
|
281
|
+
Setting it to `nil` disables file lookups. (A config can be self-contained by using inline fields such as `client-certificate-data`.)
|
282
|
+
|
283
|
+
To create a client based on a Config object:
|
284
|
+
|
285
|
+
```ruby
|
286
|
+
# default context according to `current-context` field:
|
287
|
+
context = config.context
|
288
|
+
# or to use a specific context, by name:
|
289
|
+
context = config.context('default/192-168-99-100:8443/system:admin')
|
290
|
+
|
274
291
|
Kubeclient::Client.new(
|
275
|
-
|
276
|
-
|
277
|
-
|
278
|
-
|
279
|
-
auth_options: config.context.auth_options
|
280
|
-
}
|
292
|
+
context.api_endpoint,
|
293
|
+
context.api_version,
|
294
|
+
ssl_options: context.ssl_options,
|
295
|
+
auth_options: context.auth_options
|
281
296
|
)
|
282
297
|
```
|
283
298
|
|
284
|
-
|
299
|
+
#### Security: Don't use config from untrusted sources
|
285
300
|
|
286
|
-
|
287
|
-
|
288
|
-
```
|
301
|
+
Kubeclient was never reviewed for behaving safely with malicious / malformed config.
|
302
|
+
It might crash / misbehave in unexpected ways...
|
289
303
|
|
290
304
|
#### namespace
|
291
305
|
|
data/lib/kubeclient/config.rb
CHANGED
data/lib/kubeclient/version.rb
CHANGED
data/test/test_config.rb
CHANGED
@@ -1,4 +1,5 @@
|
|
1
1
|
require_relative 'test_helper'
|
2
|
+
require 'yaml'
|
2
3
|
|
3
4
|
# Testing Kubernetes client configuration
|
4
5
|
class KubeclientConfigTest < MiniTest::Test
|
@@ -14,6 +15,34 @@ class KubeclientConfigTest < MiniTest::Test
|
|
14
15
|
check_context(config.context, ssl: true)
|
15
16
|
end
|
16
17
|
|
18
|
+
def test_allinone_nopath
|
19
|
+
yaml = File.read(config_file('allinone.kubeconfig'))
|
20
|
+
# A self-contained config shouldn't depend on kcfg_path.
|
21
|
+
config = Kubeclient::Config.new(YAML.safe_load(yaml), nil)
|
22
|
+
assert_equal(['default/localhost:8443/system:admin'], config.contexts)
|
23
|
+
check_context(config.context, ssl: true)
|
24
|
+
end
|
25
|
+
|
26
|
+
def test_external_nopath
|
27
|
+
yaml = File.read(config_file('external.kubeconfig'))
|
28
|
+
# kcfg_path = nil should prevent file access
|
29
|
+
config = Kubeclient::Config.new(YAML.safe_load(yaml), nil)
|
30
|
+
assert_raises(StandardError) do
|
31
|
+
config.context.ssl_options
|
32
|
+
end
|
33
|
+
end
|
34
|
+
|
35
|
+
def test_external_nopath_absolute
|
36
|
+
yaml = File.read(config_file('external.kubeconfig'))
|
37
|
+
# kcfg_path = nil should prevent file access, even if absolute path specified
|
38
|
+
ca_absolute_path = File.absolute_path(config_file('external.kubeconfig').path)
|
39
|
+
yaml = yaml.gsub('external-ca.pem', ca_absolute_path)
|
40
|
+
config = Kubeclient::Config.new(YAML.safe_load(yaml), nil)
|
41
|
+
assert_raises(StandardError) do
|
42
|
+
config.context.ssl_options
|
43
|
+
end
|
44
|
+
end
|
45
|
+
|
17
46
|
def test_nouser
|
18
47
|
config = Kubeclient::Config.read(config_file('nouser.kubeconfig'))
|
19
48
|
assert_equal(['default/localhost:8443/nouser'], config.contexts)
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: kubeclient
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 3.1.
|
4
|
+
version: 3.1.1
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Alissa Bonas
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2018-
|
11
|
+
date: 2018-06-01 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: bundler
|
@@ -297,7 +297,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
297
297
|
version: '0'
|
298
298
|
requirements: []
|
299
299
|
rubyforge_project:
|
300
|
-
rubygems_version: 2.6.
|
300
|
+
rubygems_version: 2.6.11
|
301
301
|
signing_key:
|
302
302
|
specification_version: 4
|
303
303
|
summary: A client for Kubernetes REST api
|