Affected by GO-2022-0617 and 9 other vulnerabilities

GO-2022-0617: WITHDRAWN: Potential proxy IP restriction bypass in Kubernetes in k8s.io/kubernetes

GO-2023-1891: Vulnerable to policy bypass in kube-apiserver in k8s.io/kubernetes

GO-2023-1892: Kubernetes mountable secrets policy bypass in k8s.io/kubernetes

GO-2023-2341: Kubernetes Improper Input Validation vulnerability in k8s.io/kubernetes

GO-2024-2994: Kubernetes sets incorrect permissions on Windows containers logs in k8s.io/kubernetes

GO-2025-3521: Kubernetes GitRepo Volume Inadvertent Local Repository Access in k8s.io/kubernetes

GO-2025-3522: Kubernetes allows Command Injection affecting Windows nodes via nodes/*/logs/query API in k8s.io/kubernetes

GO-2025-3547: Kubernetes kube-apiserver Vulnerable to Race Condition in k8s.io/kubernetes

GO-2025-3915: Kubernetes Nodes can delete themselves by adding an OwnerReference in k8s.io/kubernetes

GO-2025-4240: Half-blind Server Side Request Forgery in kube-controller-manager through in-tree Portworx StorageClass in k8s.io/kubernetes

subjectrestriction

package

v1.27.2 Latest Latest Go to latest Published: May 17, 2023 License: Apache-2.0 Imports: 7 Imported by: 6

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/kubernetes/kubernetes

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
func Register(plugins *admission.Plugins)
type Plugin
- func NewPlugin() *Plugin
- func (p *Plugin) Validate(_ context.Context, a admission.Attributes, _ admission.ObjectInterfaces) error
- func (p *Plugin) ValidateInitialization() error

Constants ¶

View Source

const PluginName = "CertificateSubjectRestriction"

PluginName is a string with the name of the plugin

Variables ¶

This section is empty.

Functions ¶

func Register ¶

func Register(plugins *admission.Plugins)

Register registers the plugin

Types ¶

type Plugin ¶

type Plugin struct {
	*admission.Handler
}

Plugin holds state for and implements the admission plugin.

func NewPlugin ¶

func NewPlugin() *Plugin

NewPlugin constructs a new instance of the CertificateSubjectRestrictions admission interface.

func (*Plugin) Validate ¶

func (p *Plugin) Validate(_ context.Context, a admission.Attributes, _ admission.ObjectInterfaces) error

Validate ensures that if the signerName on a CSR is set to `kubernetes.io/kube-apiserver-client`, that its organization (group) attribute is not set to `system:masters`.

func (*Plugin) ValidateInitialization ¶

func (p *Plugin) ValidateInitialization() error

ValidateInitialization always returns nil.

Source Files ¶

View all Source files

admission.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL