Check cli version match only for running pods #11295

mikutas · 2023-08-25T14:22:41Z

Fixes #11280

Fixes linkerd#11280 Signed-off-by: Takumi Sue <[email protected]>

mikutas · 2023-08-25T14:41:34Z

Ah I missed this is already assigned, maybe should I close?

alpeb

Ah I missed this is already assigned, maybe should I close?

Please continue, first one to deliver code wins!

alpeb · 2023-09-07T14:37:34Z

pkg/healthcheck/healthcheck.go

+		if status == string(corev1.PodRunning) && containsProxy(pod) {
+			proxyVersion := k8s.GetProxyVersion(pod)


GetProxyVersion will return an empty string if the pod doesn't contain a proxy . So there's no need to call containsProxy. You can put all the conditions (non-empty version, version comparison and status) in the same if statement.

Signed-off-by: Takumi Sue <[email protected]>

mateiidavid

Looks good!

@mikutas

This edge release updates the proxy's dependency on the `webpki` library to patch security vulnerability [RUSTSEC-2023-0052] (GHSA-8qv2-5vq6-g2g7), a potential CPU usage denial-of-service attack when accepting a TLS handshake from an untrusted peer with a maliciously-crafted certificate. * Addressed security vulnerability [RUSTSEC-2023-0052] in the proxy ([#11361]) * Fixed `linkerd check --proxy` incorrectly checking the proxy version of pods in the `completed` state (thanks @mikutas!) ([#11295]; fixes [#11280]) * Removed unnecessary `linkerd.io/helm-release-version` annotation from the `linkerd-control-plane` Helm chart (thanks @mikutas!) ([#11329]; fixes [#10778]) [RUSTSEC-2023-0052]: https://rustsec.org/advisories/RUSTSEC-2023-0052.html [#11295]: #11295 [#11280]: #11280 [#11361]: #11361 [#11329]: #11329 [#10778]: #10778

@mikutas

This edge release updates the proxy's dependency on the `webpki` library to patch security vulnerability [RUSTSEC-2023-0052] (GHSA-8qv2-5vq6-g2g7), a potential CPU usage denial-of-service attack when accepting a TLS handshake from an untrusted peer with a maliciously-crafted certificate. * Addressed security vulnerability [RUSTSEC-2023-0052] in the proxy (#11361) * Fixed `linkerd check --proxy` incorrectly checking the proxy version of pods in the `completed` state (thanks @mikutas!) (#11295; fixes #11280) * Removed unnecessary `linkerd.io/helm-release-version` annotation from the `linkerd-control-plane` Helm chart (thanks @mikutas!) (#11329; fixes #10778) [RUSTSEC-2023-0052]: https://rustsec.org/advisories/RUSTSEC-2023-0052.html

Fixes linkerd#11280 Signed-off-by: Takumi Sue <[email protected]>

@mikutas

This edge release updates the proxy's dependency on the `webpki` library to patch security vulnerability [RUSTSEC-2023-0052] (GHSA-8qv2-5vq6-g2g7), a potential CPU usage denial-of-service attack when accepting a TLS handshake from an untrusted peer with a maliciously-crafted certificate. * Addressed security vulnerability [RUSTSEC-2023-0052] in the proxy (linkerd#11361) * Fixed `linkerd check --proxy` incorrectly checking the proxy version of pods in the `completed` state (thanks @mikutas!) (linkerd#11295; fixes linkerd#11280) * Removed unnecessary `linkerd.io/helm-release-version` annotation from the `linkerd-control-plane` Helm chart (thanks @mikutas!) (linkerd#11329; fixes linkerd#10778) [RUSTSEC-2023-0052]: https://rustsec.org/advisories/RUSTSEC-2023-0052.html

Fixes linkerd#11280 Signed-off-by: Takumi Sue <[email protected]> Signed-off-by: Adam Shaw <[email protected]>

@mikutas

This edge release updates the proxy's dependency on the `webpki` library to patch security vulnerability [RUSTSEC-2023-0052] (GHSA-8qv2-5vq6-g2g7), a potential CPU usage denial-of-service attack when accepting a TLS handshake from an untrusted peer with a maliciously-crafted certificate. * Addressed security vulnerability [RUSTSEC-2023-0052] in the proxy (linkerd#11361) * Fixed `linkerd check --proxy` incorrectly checking the proxy version of pods in the `completed` state (thanks @mikutas!) (linkerd#11295; fixes linkerd#11280) * Removed unnecessary `linkerd.io/helm-release-version` annotation from the `linkerd-control-plane` Helm chart (thanks @mikutas!) (linkerd#11329; fixes linkerd#10778) [RUSTSEC-2023-0052]: https://rustsec.org/advisories/RUSTSEC-2023-0052.html Signed-off-by: Adam Shaw <[email protected]>

@mikutas

This stable release introduces a fix for service discovery on endpoints that use hostPorts. Previously, the destination service would return the pod IP associated with the endpoint which could break connectivity on pod restarts. Discovery responses have been changed to instead return the host IP. This release also fixes an issue in the multicluster extension where an empty `remoteDiscoverySelector` field in the `Link` resource would cause all services to be exported. Finally, this release addresses two security vulnerabilities, [CVE-2023-2603] and [RUSTSEC-2023-0052] respectively, and includes numerous other fixes and enhancements. * CLI * Fixed `linkerd check --proxy` incorrectly checking the proxy version of pods in the `completed` state (thanks @mikutas!) ([#11295]; fixes [#11280]) * Fixed erroneous `skipped` messages when injecting namespaces with `linkerd inject` (thanks @mikutas!) ([#10231]) * CNI * Addressed security vulnerability [CVE-2023-2603] in proxy-init and CNI plugin ([#11296]) * Control Plane * Changed how hostPort lookups are handled in the destination service. Previously, when doing service discovery for an endpoint bound on a hostPort, the destination service would return the corresponding pod IP. On pod restart, this could lead to loss of connectivity on the client's side. The destination service now always returns host IPs for service discovery on an endpoint that uses hostPorts ([#11328]) * Updated HTTPRoute webhook rule to validate all apiVersions of the resource (thanks @mikutas!) ([#11149]) * Helm * Removed unnecessary `linkerd.io/helm-release-version` annotation from the `linkerd-control-plane` Helm chart (thanks @mikutas!) ([#11329]; fixes [#10778]) * Introduced resource requests/limits for the policy controller resource in the control plane helm chart ([#11301]) * Multicluster * Fixed an issue where an empty `remoteDiscoverySelector` field in a multicluster link would cause all services to be mirrored ([#11309]) * Removed time out from `linkerd multicluster gateways` command; when no metrics exist the command will return instantly ([#11265]) * Improved help messaging for `linkerd multicluster link` ([#11265]) * Proxy * Addressed security vulnerability [RUSTSEC-2023-0052] in the proxy ([#11361]) [CVE-2023-2603]: GHSA-wp54-pwvg-rqq5 [RUSTSEC-2023-0052]: https://rustsec.org/advisories/RUSTSEC-2023-0052.html [#11295]: #11295 [#11280]: #11280 [#11361]: #11361 [#11329]: #11329 [#10778]: #10778 [#11309]: #11309 [#11296]: #11296 [#11328]: #11328 [#11301]: #11301 [#11265]: #11265 [#11149]: #11149 [#10231]: #10231 Signed-off-by: Matei David <[email protected]>

@mikutas

* stable-2.14.1 This stable release introduces a fix for service discovery on endpoints that use hostPorts. Previously, the destination service would return the pod IP associated with the endpoint which could break connectivity on pod restarts. Discovery responses have been changed to instead return the host IP. This release also fixes an issue in the multicluster extension where an empty `remoteDiscoverySelector` field in the `Link` resource would cause all services to be exported. Finally, this release addresses two security vulnerabilities, [CVE-2023-2603] and [RUSTSEC-2023-0052] respectively, and includes numerous other fixes and enhancements. * CLI * Fixed `linkerd check --proxy` incorrectly checking the proxy version of pods in the `completed` state (thanks @mikutas!) ([#11295]; fixes [#11280]) * Fixed erroneous `skipped` messages when injecting namespaces with `linkerd inject` (thanks @mikutas!) ([#10231]) * CNI * Addressed security vulnerability [CVE-2023-2603] in proxy-init and CNI plugin ([#11296]) * Control Plane * Changed how hostPort lookups are handled in the destination service. Previously, when doing service discovery for an endpoint bound on a hostPort, the destination service would return the corresponding pod IP. On pod restart, this could lead to loss of connectivity on the client's side. The destination service now always returns host IPs for service discovery on an endpoint that uses hostPorts ([#11328]) * Updated HTTPRoute webhook rule to validate all apiVersions of the resource (thanks @mikutas!) ([#11149]) * Helm * Removed unnecessary `linkerd.io/helm-release-version` annotation from the `linkerd-control-plane` Helm chart (thanks @mikutas!) ([#11329]; fixes [#10778]) * Introduced resource requests/limits for the policy controller resource in the control plane helm chart ([#11301]) * Multicluster * Fixed an issue where an empty `remoteDiscoverySelector` field in a multicluster link would cause all services to be mirrored ([#11309]) * Removed time out from `linkerd multicluster gateways` command; when no metrics exist the command will return instantly ([#11265]) * Improved help messaging for `linkerd multicluster link` ([#11265]) * Proxy * Addressed security vulnerability [RUSTSEC-2023-0052] in the proxy ([#11361]) [CVE-2023-2603]: GHSA-wp54-pwvg-rqq5 [RUSTSEC-2023-0052]: https://rustsec.org/advisories/RUSTSEC-2023-0052.html [#11295]: #11295 [#11280]: #11280 [#11361]: #11361 [#11329]: #11329 [#10778]: #10778 [#11309]: #11309 [#11296]: #11296 [#11328]: #11328 [#11301]: #11301 [#11265]: #11265 [#11149]: #11149 [#10231]: #10231 Signed-off-by: Matei David <[email protected]> Signed-off-by: Eliza Weisman <[email protected]> Co-authored-by: Eliza Weisman <[email protected]>

Check cli version match only for running pods

58905f0

Fixes linkerd#11280 Signed-off-by: Takumi Sue <[email protected]>

mikutas marked this pull request as ready for review September 2, 2023 00:40

mikutas requested a review from a team as a code owner September 2, 2023 00:40

alpeb reviewed Sep 7, 2023

View reviewed changes

mikutas added 2 commits September 9, 2023 21:06

Remove containsProxy

9bb60a8

Signed-off-by: Takumi Sue <[email protected]>

Collapse into single if statement

3956f43

Signed-off-by: Takumi Sue <[email protected]>

mikutas requested a review from alpeb September 9, 2023 12:49

mateiidavid approved these changes Sep 11, 2023

View reviewed changes

adleong approved these changes Sep 11, 2023

View reviewed changes

adleong merged commit 26dfc6a into linkerd:main Sep 11, 2023

hawkw mentioned this pull request Sep 13, 2023

edge-23.9.2 #11367

Merged

adamshawvipps pushed a commit to adamshawvipps/linkerd2 that referenced this pull request Sep 18, 2023

Check cli version match only for running pods (linkerd#11295)

d32289d

Fixes linkerd#11280 Signed-off-by: Takumi Sue <[email protected]>

adamshawvipps pushed a commit to adamshawvipps/linkerd2 that referenced this pull request Sep 18, 2023

Check cli version match only for running pods (linkerd#11295)

b7c112d

Fixes linkerd#11280 Signed-off-by: Takumi Sue <[email protected]> Signed-off-by: Adam Shaw <[email protected]>

mateiidavid mentioned this pull request Sep 21, 2023

stable-2.14.1 #11405

Merged

mikutas deleted the 11280 branch September 27, 2023 00:29

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Check cli version match only for running pods #11295

Check cli version match only for running pods #11295

mikutas commented Aug 25, 2023

mikutas commented Aug 25, 2023

alpeb left a comment

alpeb Sep 7, 2023

mateiidavid left a comment

		if status == string(corev1.PodRunning) && containsProxy(pod) {
		proxyVersion := k8s.GetProxyVersion(pod)

Check cli version match only for running pods #11295

Check cli version match only for running pods #11295

Conversation

mikutas commented Aug 25, 2023

mikutas commented Aug 25, 2023

alpeb left a comment

Choose a reason for hiding this comment

alpeb Sep 7, 2023

Choose a reason for hiding this comment

mateiidavid left a comment

Choose a reason for hiding this comment