Skip to content

Controller: Several security fixes. #13070

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Mar 24, 2025
Merged

Controller: Several security fixes. #13070

merged 5 commits into from
Mar 24, 2025

Conversation

Gacko
Copy link
Member

@Gacko Gacko commented Mar 24, 2025

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Gacko

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Mar 24, 2025
@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-priority size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Mar 24, 2025
@Gacko Gacko force-pushed the tghks branch 2 times, most recently from e0dc78b to dc07fc8 Compare March 24, 2025 19:43
@Gacko
Copy link
Member Author

Gacko commented Mar 24, 2025

/triage accepted
/kind bug
/priority important-soon

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. kind/bug Categorizes issue or PR as related to a bug. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-priority labels Mar 24, 2025
@Gacko Gacko added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 24, 2025
@k8s-ci-robot
Copy link
Contributor

New changes are detected. LGTM label has been removed.

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 24, 2025
@Gacko Gacko force-pushed the tghks branch 2 times, most recently from 60d09aa to 7234a62 Compare March 24, 2025 21:20
@Gacko Gacko added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 24, 2025
@k8s-ci-robot k8s-ci-robot merged commit e6716b1 into kubernetes:release-1.11 Mar 24, 2025
26 checks passed
@Gacko Gacko deleted the tghks branch March 24, 2025 23:00
@bm1216
Copy link

bm1216 commented Mar 25, 2025

Sorry if this is ignorant - but will this fix be backported to controller-1.10?

@Gacko
Copy link
Member Author

Gacko commented Mar 25, 2025

This is not arrogant, no worries.

v1.10 has been discontinued with the release of v1.12. We normally only maintain main, a current release train and this release minus 1. Therefore eligible fixes get ported to the related release-* branches.

Since v1.10 already go discontinued some time ago, we cannot release a v1.10.7, even if we wanted, because it's not only missing the relevant security fixes, but also tons of other back-ported changes like dependency updates or code maintenance.

@zengyuxing007
Copy link
Contributor

Directly disabed nginx -t might be simplistic and risky. Without the validation provided by nginx -t, changes to the ingress configuration could lead to the nginx process failing to load the updated configuration. In the event of a restart, the nginx ingress pod could crash outright.

@zengyuxing007
Copy link
Contributor

Separating the Controller and Nginx components into different pods should resolve this issue. Decoupling the Controller and Nginx into separate pods can also fix other problems that may arise from having them co-located in the same pod.

It seems like this was mentioned in 2024 roadmap. I'm not sure if it's still in the plans at the moment.

@sepich sepich mentioned this pull request Mar 27, 2025
Closed
10 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@strongjz strongjz Awaiting requested review from strongjz

@tao12345666333 tao12345666333 Awaiting requested review from tao12345666333

Assignees
No one assigned
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@Gacko @k8s-ci-robot @bm1216 @zengyuxing007 @tabbysable