
f5devcentral / container-egress-service Goto Github PK


A controller(CES) for controlling container egress traffic. Working with F5 AFM.

License: Apache License 2.0

ces egress-gateway dynamic-firewall afm network-policy

container-egress-service's Introduction

CES


CES is a solution that helps users better manage the outgoing traffic of k8s pods/containers. It solves the challenge of outgoing traffic policy control in highly dynamic IP scenarios in a k8s-native way, and provides a rich set of egress control capabilities. Through its hierarchical design, it also addresses the multi-role coordination problem among enterprise security, network, platform and application operation departments.


Background

As Kubernetes moves from pilot projects to enterprise-wide application rollouts, companies must be able to extend their existing enterprise security architecture into the Kubernetes environment. There are two challenges here. The first is technical: how enterprise security devices can work in a highly dynamic IP environment, which introduces additional complexity and risk to traditional processes. The second is the blurry boundary between the enterprise security team, network team, platform team and application team. Security is not the responsibility of one team; it is shared. The security and network teams, the platform team and the application team should all have a role in, and benefit from, this shared model.

CES helps customers resolve these two challenges. It provides a k8s-native way to tune k8s egress traffic policy, working with F5 AFM.

By running the CES controller in k8s, policy rules are automatically created in F5 AFM and kept current as pod IPs change or workloads scale.

Through scoped policy design, the security/network team, platform team and application team can all participate in policy setting. Policy management can be delegated or centralized, following the container platform's RBAC.


Install

  1. Download the installation script:

     wget https://raw.githubusercontent.com/f5devcentral/container-egress-service/master/dist/install.sh

  2. Edit the install.sh script and set the variable values according to your environment. For details, check the wiki.

Usage

  • Please check the Wiki for different usages.

  • Check Youtube or China Bilibili for video demos. Click here.

Building

Docker image:

#GO_VERSION = 1.16
git clone https://github.com/f5devcentral/container-egress-service.git
cd container-egress-service
make release

Challenges solved

  • High-frequency changes in outbound traffic caused by container IP dynamics
  • Different role groups have different requirements for the scope setting of the policy, and the policy needs to match the role in multiple dimensions
  • Dynamic bandwidth limit requirements for outbound traffic
  • Protocol in-depth security inspection requirements
  • Advanced requirements for flow programmable based on access control events
  • Visualization requirements for outbound traffic

Capabilities

  • Dynamic IP ACL control with Cluster/Pod/NS granularity
  • Cluster/Pod/NS granular FQDN ACL control
  • Time-based access control
  • Matched flow event trigger and programmable
  • Matched traffic redirection
  • Protocol security and compliance testing
  • IP intelligence
  • Traffic matching log
  • Traffic matching visualization report
  • Protocol detection visual report
  • TCP/IP Errors report
  • NAT control and logging
  • Data flow visualization tracking
  • Visual simulation of access rules
  • Transparent detection mode
  • High-speed log outgoing

Documents

Check Release notes.

Check the Wiki first.

Support

For support, please open a GitHub issue. Note, the code in this repository is community supported and is not supported by F5. For a complete list of supported projects please reference SUPPORT.md.

Community Code of Conduct

Please refer to the F5 DevCentral Community Code of Conduct.

Contact

[email protected]

License

Apache License 2.0

Contributors

myf5, wenbindeng


container-egress-service's Issues

CVE-2020-26160

Describe the bug
jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.

To Reproduce
Steps to reproduce the behavior:

  1. Go to '...'

Expected behavior
Ensure fix is present: dgrijalva/jwt-go#426
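An added example (not code from the CES project or from jwt-go) that models the audience-check failure this issue describes and places a hardened check beside it: the aud claim is normalised from both the string and the array form RFC 7519 allows, and an absent or foreign audience is rejected. The claim payloads are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Claims is the decoded JWT payload as a MapClaims-style decoder holds it
// after JSON decoding: "aud" may be a JSON string or a JSON array.
type Claims map[string]interface{}

// legacyAudienceOK models the pre-fix behaviour described in CVE-2020-26160
// (a re-implementation for illustration, not jwt-go's code): a single type
// assertion to string turns an array-valued aud into "", and an empty aud
// passes unless the caller explicitly requires one.
func legacyAudienceOK(c Claims, expected string, required bool) bool {
	aud, _ := c["aud"].(string) // []interface{} silently becomes ""
	if aud == "" {
		return !required
	}
	return aud == expected
}

// audiences normalises the aud claim into a slice, accepting both forms
// RFC 7519 section 4.1.3 allows; the bool is false for a malformed claim.
func audiences(c Claims) ([]string, bool) {
	switch v := c["aud"].(type) {
	case string:
		return []string{v}, true
	case []string:
		return v, true
	case []interface{}: // what encoding/json produces for a JSON array
		out := make([]string, 0, len(v))
		for _, item := range v {
			s, ok := item.(string)
			if !ok {
				return nil, false // non-string member: reject the claim
			}
			out = append(out, s)
		}
		return out, true
	case nil:
		return nil, true // claim absent
	default:
		return nil, false
	}
}

// audienceOK is the hardened check: aud must be present, well-formed and
// contain the audience this service expects. Absent is a failure, not a pass.
func audienceOK(c Claims, expected string) bool {
	auds, ok := audiences(c)
	if !ok || len(auds) == 0 {
		return false
	}
	for _, a := range auds {
		if a == expected {
			return true
		}
	}
	return false
}

// decodeClaims parses a JWT payload that has already been base64url-decoded.
func decodeClaims(payload string) (Claims, error) {
	var c Claims
	if err := json.Unmarshal([]byte(payload), &c); err != nil {
		return nil, err
	}
	return c, nil
}

func main() {
	// Constructed payload: a token issued for "billing-api", presented to "ces-controller".
	c, err := decodeClaims(`{"sub":"alice","aud":["billing-api"]}`)
	if err != nil {
		panic(err)
	}
	fmt.Println("legacy (required=false):", legacyAudienceOK(c, "ces-controller", false))
	fmt.Println("hardened:", audienceOK(c, "ces-controller"))
}
```

The legacy check accepts the token for the wrong service because the array form collapses to an empty string; the hardened check rejects it.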

CVE-2022-29526

CVE-2022-29526 Published: June 23, 2022; 1:15:12 PM -0400 V3.1: 5.3 MEDIUM V2.0: 5.0 MEDIUM

Go before 1.17.10 and 1.18.x before 1.18.2 has Incorrect Privilege Assignment. When called with a non-zero flags parameter, the Faccessat function could incorrectly report that a file is accessible.

To Reproduce

golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=


Expected behavior

golang.org/x/sys 0.0.0-20220412211240-33da011f77ad or newer

Additional context

golang: syscall: faccessat checks wrong group

In release 0.5.1, with the default configmap template of ces, the port number of the log pool server is set to "0".

ces release: 0.5.1
In the ces configmap template, the log pool server address entry does not contain a port setting, for example:

    logPool:
      loggingEnabled: true
      enableRemoteLog: true
      serverAddresses:
        - "10.0.30.106"

In this case, the port number of the log pool server in bigip is set to "0".

It is recommended to add the log pool server's port settings in ces configmap so that the user can define it according to their own environment.
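As an added example (not code from the CES project), a parser for configmap-style serverAddresses entries that applies a default port when an entry carries none and rejects port 0, so the failure described above cannot reach the BIG-IP pool. The sample entries and the default of 514 are constructed assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// LogServer is one resolved remote-log destination.
type LogServer struct {
	Host string
	Port int
}

// parseLogServer accepts "host" or "host:port" (IPv6 as "[addr]:port").
// An entry without a port receives defaultPort instead of falling through
// as 0; an explicit port must be in 1..65535.
func parseLogServer(entry string, defaultPort int) (LogServer, error) {
	if defaultPort < 1 || defaultPort > 65535 {
		return LogServer{}, fmt.Errorf("invalid default port %d", defaultPort)
	}
	host, portStr, err := net.SplitHostPort(entry)
	if err != nil {
		// No port present: the whole entry is the host; apply the default.
		host = strings.Trim(entry, "[]")
		if host == "" {
			return LogServer{}, errors.New("empty server address")
		}
		return LogServer{Host: host, Port: defaultPort}, nil
	}
	port, err := strconv.Atoi(portStr)
	if err != nil || port < 1 || port > 65535 {
		return LogServer{}, fmt.Errorf("invalid port %q in %q", portStr, entry)
	}
	if host == "" {
		return LogServer{}, fmt.Errorf("missing host in %q", entry)
	}
	return LogServer{Host: host, Port: port}, nil
}

// parseLogServers applies parseLogServer to a serverAddresses list and
// fails on the first bad entry, so no destination is created with port 0.
func parseLogServers(entries []string, defaultPort int) ([]LogServer, error) {
	out := make([]LogServer, 0, len(entries))
	for _, e := range entries {
		s, err := parseLogServer(e, defaultPort)
		if err != nil {
			return nil, err
		}
		out = append(out, s)
	}
	return out, nil
}

func main() {
	// Constructed entries mirroring the issue: one without a port, one explicit.
	servers, err := parseLogServers([]string{"10.0.30.106", "10.0.30.107:6514"}, 514)
	if err != nil {
		panic(err)
	}
	for _, s := range servers {
		fmt.Println(net.JoinHostPort(s.Host, strconv.Itoa(s.Port)))
	}
}
```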

Egress rate limiting / English wiki

The wiki is only partially available in English, so it's quite difficult to determine if my use case is covered by f5.

Roughly I am looking for a way to apply egress rate-limiting (not the same as bandwidth) from pods in the cluster towards rate limited external services.

This is to avoid being blocked by these external services, where multiple pods can make calls to them using a single tenant and therefore limited by the same pool.

Example:
ExternalService = 30 calls per minute. More than that calls get blocked for an unknown amount of time, causing unavailability for long periods.

Egress Rate limiting

Pod1
Pod2 -=== calls ===> ExternalService
Pod3 /

if calls >= 20 per minute, never make the call to ExternalService and return 429.

This is the feature I am looking for.

ces deployment's name can not be set to other than "ces-controller"

When applying the ces deployment, if its name is not "ces-controller", the ces pod goes to "Error" state with the log "failed to get deploy[ces-controller]". Here are the details:

  1. ces image: f5devcentral/ces-controller:0.5.2
  2. error log:
W1229 09:48:44.552385       1 client_config.go:614] Neither --kubeconfig nor --master was specified.  Using the inClusterConfig.  This might not work.
F1229 09:48:44.606279       1 main.go:108] failed to get deploy[ces-controller]
goroutine 1 [running]:
k8s.io/klog/v2.stacks(0xc0001a8001, 0xc0000c4000, 0x50, 0xe2)
        /home/runner/work/container-egress-service/container-egress-service/vendor/k8s.io/klog/v2/klog.go:1026 +0xb9
k8s.io/klog/v2.(*loggingT).output(0x222a280, 0xc000000003, 0x0, 0x0, 0xc0000ba000, 0x0, 0x1bc7aaa, 0x7, 0x6c, 0x0)
        /home/runner/work/container-egress-service/container-egress-service/vendor/k8s.io/klog/v2/klog.go:975 +0x1e5
k8s.io/klog/v2.(*loggingT).printf(0x222a280, 0xc000000003, 0x0, 0x0, 0x0, 0x0, 0x171685e, 0x18, 0xc0000ff1f0, 0x1, ...)
        /home/runner/work/container-egress-service/container-egress-service/vendor/k8s.io/klog/v2/klog.go:753 +0x19a
k8s.io/klog/v2.Fatalf(...)
        /home/runner/work/container-egress-service/container-egress-service/vendor/k8s.io/klog/v2/klog.go:1514
main.main()
        /home/runner/work/container-egress-service/container-egress-service/cmd/ces/main.go:108 +0x1379

  3. ces deployment yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ces-controller-test
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ces-controller
  template:
    metadata:
      labels:
        app: ces-controller
    spec:
      nodeSelector: 
        kubernetes.io/hostname: node2
      serviceAccountName: ces-controller
      containers:
        - name: ces-controller
          image: f5devcentral/ces-controller:0.5.2
          imagePullPolicy: IfNotPresent
          resources:
            requests:
              cpu: '1'
              memory: 1Gi
            limits:
              cpu: '1'
              memory: 1Gi
          command:
            - /ces-controller
            - --bigip-url=10.0.30.78
            - --bigip-insecure=true
            - --bigip-creds-dir=/ces/bigip-creds
            - --bigip-conf-dir=/ces
            - --v=3
          volumeMounts:
            - name: bigip-creds
              mountPath: "/ces/bigip-creds"
              readOnly: true
            - name: bigip-config
              mountPath: /ces
              readOnly: true
      volumes:
        - name: bigip-creds
          secret:
            secretName: bigip-creds
        - name: bigip-config
          configMap:
            name: ces-controller-configmap
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      terminationGracePeriodSeconds: 30

CVE-2022-27191

CVE-2022-27191 Published: March 18, 2022; 3:15:06 AM -0400 | V3.1: 7.5 HIGH V2.0: 4.3

The golang.org/x/crypto/ssh package before 0.0.0-20220314234659-1baeb1ce4c0b for Go allows an attacker to crash a server in certain circumstances involving AddHostKey.

Observed:

golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=


Expected: The golang.org/x/crypto dependency should be upgraded to at least 0.0.0-20220314234659-1baeb1ce4c0b

CVE-2021-44716

CVE-2021-44716 Published: January 01, 2022; 12:15:08 AM -0500 V3.1: 7.5 HIGH V2.0: 5.0 MEDIUM

net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.

To Reproduce

golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=


Expected behavior

golang.org/x/net 0.0.0-20211209124913-491a49abca63 or higher

CVE-2019-19794

github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=


CVE-2019-19794 Published: December 13, 2019; 5:15:11 PM -0500 | V3.1: 5.9 MEDIUM V2.0: 4.3 MEDIUM

The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries.

Suggestion: Upgrade dependency github.com/miekg/dns to at least 1.1.25.

Modifying the ExternalService configuration will affect the corresponding ServiceEgressRule setting

I have an ExternalService and a corresponding ServiceEgressRule, like this:

CES release: 0.5.3:
ExternalService:

    kind: ExternalService
    apiVersion: kubeovn.io/v1alpha1
    metadata:
      name: es-test
      namespace: default
    spec:
      addresses:
        - 10.1.1.1
      ports:
        - name: tcp-443
          protocol: TCP
          port: "443"

ServiceEgressRule:

    apiVersion: kubeovn.io/v1alpha1
    kind: ServiceEgressRule
    metadata:
      name: ser-test
      namespace: default
    spec:
      service: nginx-service-root
      action: accept-decisively
      logging: true
      externalServices:
        - es-test

After modifying the ServiceEgressRule configuration and applying the change, for example changing the "address" from "10.1.1.1" to "10.1.1.2 and 10.1.1.2", the "source" setting of the corresponding ServiceEgressRule in AFM is changed to "Any", like this:

before: (screenshot not included)

after: (screenshot not included)

Thanks.

outbound_vs ARP disabled by default is better

In version 0.5.0, the outbound_vs virtual address ARP is enabled by default, and it interferes with all other non-k8s traffic.

To Reproduce
Steps to reproduce the behavior:

  1. create egress policy in K8S
  2. F5 outbound_vs created automatically
  3. 0.0.0.0 virtual address ARP is enabled by default
  4. F5 listens to all traffic and interferes with all non-k8s traffic (including inbound and outbound)

Expected behavior
0.0.0.0 virtual address ARP should be disabled by default

Environment (please complete the following information):

  • CNI Name and version: Calico v3.21.2
  • F5 BIG-IP version: BIG-IP 15.1.4.1 Build 0.0.15 Point Release 1
  • AS3 version: 3.29
  • CES version: 0.5.0
  • k8s version: 1.18.1
