kubernetes: Backport fix for CVE-2020-8565 & CVE-2020-8566

Upstream-commit:https://github.com/kubernetes/kubernetes/commit/f0f52255412cbc6834bd225a59608ebb4a0d399b
& https://github.com/kubernetes/kubernetes/commit/e91ec4fad3366d2dee020919f7c2a0d7b52fd3ea

Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>

3 files changed, 93 insertions, 0 deletions

diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2020-8565.patch b/recipes-containers/kubernetes/kubernetes/CVE-2020-8565.patch
new file mode 100644
index 00000000..c3772e91
--- /dev/null
+++ b/recipes-containers/kubernetes/kubernetes/CVE-2020-8565.patch
@@ -0,0 +1,24 @@
+From f0f52255412cbc6834bd225a59608ebb4a0d399b Mon Sep 17 00:00:00 2001
+From: Sam Fowler <sfowler@redhat.com>
+Date: Tue, 6 Oct 2020 11:10:38 +1000
+Subject: [PATCH] Mask bearer token in logs when logLevel >= 9
+
+Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/f0f52255412cbc6834bd225a59608ebb4a0d399b]
+CVE: CVE-2020-8565
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ staging/src/k8s.io/client-go/transport/round_trippers.go | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/staging/src/k8s.io/client-go/transport/round_trippers.go b/staging/src/k8s.io/client-go/transport/round_trippers.go
+index a05208d924d3b..f4cfadbd3da8e 100644
+--- a/src/import/staging/src/k8s.io/client-go/transport/round_trippers.go
++++ b/src/import/staging/src/k8s.io/client-go/transport/round_trippers.go
+@@ -340,6 +340,7 @@ func (r *requestInfo) toCurl() string {
+        headers := ""
+        for key, values := range r.RequestHeaders {
+                for _, value := range values {
++                       value = maskValue(key, value)
+                        headers += fmt.Sprintf(` -H %q`, fmt.Sprintf("%s: %s", key, value))
+                }
+        }
diff --git a/recipes-containers/kubernetes/kubernetes/CVE-2020-8566.patch b/recipes-containers/kubernetes/kubernetes/CVE-2020-8566.patch
new file mode 100644
index 00000000..7ed812d5
--- /dev/null
+++ b/recipes-containers/kubernetes/kubernetes/CVE-2020-8566.patch
@@ -0,0 +1,67 @@
+From e91ec4fad3366d2dee020919f7c2a0d7b52fd3ea Mon Sep 17 00:00:00 2001
+From: Sam Fowler <sfowler@redhat.com>
+Date: Fri, 2 Oct 2020 10:48:11 +1000
+Subject: [PATCH] Mask Ceph RBD adminSecrets in logs when logLevel >= 4
+
+Upstream-Status: Backport [https://github.com/kubernetes/kubernetes/commit/e91ec4fad3366d2dee020919f7c2a0d7b52fd3ea]
+CVE: CVE-2020-8566
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ pkg/volume/rbd/rbd_util.go | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/pkg/volume/rbd/rbd_util.go b/pkg/volume/rbd/rbd_util.go
+index 85044e85fde..9593348de37 100644
+--- a/src/import/pkg/volume/rbd/rbd_util.go
++++ b/src/import/pkg/volume/rbd/rbd_util.go
+@@ -592,9 +592,9 @@ func (util *RBDUtil) CreateImage(p *rbdVolumeProvisioner) (r *v1.RBDPersistentVo
+        volSz := fmt.Sprintf("%d", sz)
+        mon := util.kernelRBDMonitorsOpt(p.Mon)
+        if p.rbdMounter.imageFormat == rbdImageFormat2 {
+-               klog.V(4).Infof("rbd: create %s size %s format %s (features: %s) using mon %s, pool %s id %s key %s", p.rbdMounter.Image, volSz, p.rbdMounter.imageFormat, p.rbdMounter.imageFeatures, mon, p.rbdMounter.Pool, p.rbdMounter.adminId, p.rbdMounter.adminSecret)
++               klog.V(4).Infof("rbd: create %s size %s format %s (features: %s) using mon %s, pool %s id %s key <masked>", p.rbdMounter.Image, volSz, p.rbdMounter.imageFormat, p.rbdMounter.imageFeatures, mon, p.rbdMounter.Pool, p.rbdMounter.adminId)
+        } else {
+-               klog.V(4).Infof("rbd: create %s size %s format %s using mon %s, pool %s id %s key %s", p.rbdMounter.Image, volSz, p.rbdMounter.imageFormat, mon, p.rbdMounter.Pool, p.rbdMounter.adminId, p.rbdMounter.adminSecret)
++               klog.V(4).Infof("rbd: create %s size %s format %s using mon %s, pool %s id %s key <masked>", p.rbdMounter.Image, volSz, p.rbdMounter.imageFormat, mon, p.rbdMounter.Pool, p.rbdMounter.adminId)
+        }
+        args := []string{"create", p.rbdMounter.Image, "--size", volSz, "--pool", p.rbdMounter.Pool, "--id", p.rbdMounter.adminId, "-m", mon, "--key=" + p.rbdMounter.adminSecret, "--image-format", p.rbdMounter.imageFormat}
+        if p.rbdMounter.imageFormat == rbdImageFormat2 {
+@@ -629,7 +629,7 @@ func (util *RBDUtil) DeleteImage(p *rbdVolumeDeleter) error {
+        }
+        // rbd rm.
+        mon := util.kernelRBDMonitorsOpt(p.rbdMounter.Mon)
+-       klog.V(4).Infof("rbd: rm %s using mon %s, pool %s id %s key %s", p.rbdMounter.Image, mon, p.rbdMounter.Pool, p.rbdMounter.adminId, p.rbdMounter.adminSecret)
++       klog.V(4).Infof("rbd: rm %s using mon %s, pool %s id %s key <masked>", p.rbdMounter.Image, mon, p.rbdMounter.Pool, p.rbdMounter.adminId)
+        output, err = p.exec.Command("rbd",
+                "rm", p.rbdMounter.Image, "--pool", p.rbdMounter.Pool, "--id", p.rbdMounter.adminId, "-m", mon, "--key="+p.rbdMounter.adminSecret).CombinedOutput()
+        if err == nil {
+@@ -661,7 +661,7 @@ func (util *RBDUtil) ExpandImage(rbdExpander *rbdVolumeExpander, oldSize resourc
+ 
+        // rbd resize.
+        mon := util.kernelRBDMonitorsOpt(rbdExpander.rbdMounter.Mon)
+-       klog.V(4).Infof("rbd: resize %s using mon %s, pool %s id %s key %s", rbdExpander.rbdMounter.Image, mon, rbdExpander.rbdMounter.Pool, rbdExpander.rbdMounter.adminId, rbdExpander.rbdMounter.adminSecret)
++       klog.V(4).Infof("rbd: resize %s using mon %s, pool %s id %s key <masked>", rbdExpander.rbdMounter.Image, mon, rbdExpander.rbdMounter.Pool, rbdExpander.rbdMounter.adminId)
+        output, err = rbdExpander.exec.Command("rbd",
+                "resize", rbdExpander.rbdMounter.Image, "--size", newVolSz, "--pool", rbdExpander.rbdMounter.Pool, "--id", rbdExpander.rbdMounter.adminId, "-m", mon, "--key="+rbdExpander.rbdMounter.adminSecret).CombinedOutput()
+        if err == nil {
+@@ -703,7 +703,7 @@ func (util *RBDUtil) rbdInfo(b *rbdMounter) (int, error) {
+        // # image does not exist (exit=2)
+        // rbd: error opening image 1234: (2) No such file or directory
+        //
+-       klog.V(4).Infof("rbd: info %s using mon %s, pool %s id %s key %s", b.Image, mon, b.Pool, id, secret)
++       klog.V(4).Infof("rbd: info %s using mon %s, pool %s id %s key <masked>", b.Image, mon, b.Pool, id)
+        output, err = b.exec.Command("rbd",
+                "info", b.Image, "--pool", b.Pool, "-m", mon, "--id", id, "--key="+secret, "-k=/dev/null", "--format=json").CombinedOutput()
+ 
+@@ -766,7 +766,7 @@ func (util *RBDUtil) rbdStatus(b *rbdMounter) (bool, string, error) {
+        // # image does not exist (exit=2)
+        // rbd: error opening image kubernetes-dynamic-pvc-<UUID>: (2) No such file or directory
+        //
+-       klog.V(4).Infof("rbd: status %s using mon %s, pool %s id %s key %s", b.Image, mon, b.Pool, id, secret)
++       klog.V(4).Infof("rbd: status %s using mon %s, pool %s id %s key <masked>", b.Image, mon, b.Pool, id)
+        cmd, err = b.exec.Command("rbd",
+                "status", b.Image, "--pool", b.Pool, "-m", mon, "--id", id, "--key="+secret).CombinedOutput()
+        output = string(cmd)
+-- 
+2.25.1
+
diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb
index c73f9882..2b0bfb7a 100644
--- a/recipes-containers/kubernetes/kubernetes_git.bb
+++ b/recipes-containers/kubernetes/kubernetes_git.bb
@@ -12,6 +12,8 @@ SRC_URI = "git://github.com/kubernetes/kubernetes.git;branch=release-1.17;name=k
            file://0001-hack-lib-golang.sh-use-CC-from-environment.patch \
            file://0001-cross-don-t-build-tests-by-default.patch \
            file://CVE-2020-8564.patch \
+           file://CVE-2020-8565.patch \
+           file://CVE-2020-8566.patch \
           "
 
 DEPENDS += "rsync-native \