
Commit d5b8cb3

Merge pull request #2416 from kevinrizza/bump-1.33.4
OCPBUGS-60507: Bump 1.33.4
2 parents 62e9648 + a0ef218 commit d5b8cb3


17 files changed

+315
-305
lines changed


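--- a/.go-version
+++ b/.go-version
@@ -1 +1 @@
-1.24.4
+1.24.5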

CHANGELOG/CHANGELOG-1.33.md

Lines changed: 165 additions & 58 deletions
Large diffs are not rendered by default.

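--- a/build/build-image/cross/VERSION
+++ b/build/build-image/cross/VERSION
@@ -1 +1 @@
-v1.33.0-go1.24.4-bullseye.0
+v1.33.0-go1.24.5-bullseye.0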

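--- a/build/common.sh
+++ b/build/common.sh
@@ -97,8 +97,8 @@ readonly KUBE_RSYNC_PORT="${KUBE_RSYNC_PORT:-}"
 readonly KUBE_CONTAINER_RSYNC_PORT=8730
 
 # These are the default versions (image tags) for their respective base images.
-readonly __default_distroless_iptables_version=v0.7.6
-readonly __default_go_runner_version=v2.4.0-go1.24.4-bookworm.0
+readonly __default_distroless_iptables_version=v0.7.7
+readonly __default_go_runner_version=v2.4.0-go1.24.5-bookworm.0
 readonly __default_setcap_version=bookworm-v1.0.4
 
 # These are the base images for the Docker-wrapped binaries.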

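--- a/build/dependencies.yaml
+++ b/build/dependencies.yaml
@@ -116,7 +116,7 @@ dependencies:
 
 # Golang
 - name: "golang: upstream version"
-version: 1.24.4
+version: 1.24.5
 refPaths:
 - path: .go-version
 - path: build/build-image/cross/VERSION
@@ -139,7 +139,7 @@ dependencies:
 match: minimum_go_version=go([0-9]+\.[0-9]+)
 
 - name: "registry.k8s.io/kube-cross: dependents"
-version: v1.33.0-go1.24.4-bullseye.0
+version: v1.33.0-go1.24.5-bullseye.0
 refPaths:
 - path: build/build-image/cross/VERSION
 
@@ -177,15 +177,15 @@ dependencies:
 match: registry\.k8s\.io\/build-image\/debian-base:[a-zA-Z]+\-v((([0-9]+)\.([0-9]+)\.([0-9]+)(?:-([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?)(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?)
 
 - name: "registry.k8s.io/distroless-iptables: dependents"
-version: v0.7.6
+version: v0.7.7
 refPaths:
 - path: build/common.sh
 match: __default_distroless_iptables_version=
 - path: test/utils/image/manifest.go
 match: configs\[DistrolessIptables\] = Config{list\.BuildImageRegistry, "distroless-iptables", "v([0-9]+)\.([0-9]+)\.([0-9]+)"}
 
 - name: "registry.k8s.io/go-runner: dependents"
-version: v2.4.0-go1.24.4-bookworm.0
+version: v2.4.0-go1.24.5-bookworm.0
 refPaths:
 - path: build/common.sh
 match: __default_go_runner_version=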

openshift-hack/e2e/annotate/generated/zz_generated.annotations.go

Lines changed: 0 additions & 2 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

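--- a/openshift-hack/images/hyperkube/Dockerfile.rhel
+++ b/openshift-hack/images/hyperkube/Dockerfile.rhel
@@ -14,4 +14,4 @@ COPY --from=builder /tmp/build/* /usr/bin/
 LABEL io.k8s.display-name="OpenShift Kubernetes Server Commands" \
 io.k8s.description="OpenShift is a platform for developing, building, and deploying containerized applications." \
 io.openshift.tags="openshift,hyperkube" \
-io.openshift.build.versions="kubernetes=1.33.3"
+io.openshift.build.versions="kubernetes=1.33.4"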

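--- a/plugin/pkg/admission/noderestriction/admission.go
+++ b/plugin/pkg/admission/noderestriction/admission.go
@@ -536,6 +536,11 @@ func (p *Plugin) admitNode(nodeName string, a admission.Attributes) error {
 return admission.NewForbidden(a, fmt.Errorf("node %q is not allowed to modify taints", nodeName))
 }
 
+// Don't allow a node to update its own ownerReferences.
+if !apiequality.Semantic.DeepEqual(node.OwnerReferences, oldNode.OwnerReferences) {
+return admission.NewForbidden(a, fmt.Errorf("node %q is not allowed to modify ownerReferences", nodeName))
+}
+
 // Don't allow a node to update labels outside the allowed set.
 // This would allow a node to add or modify its labels in a way that would let it steer privileged workloads to itself.
 modifiedLabels := getModifiedLabels(node.Labels, oldNode.Labels)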
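--- a/plugin/pkg/admission/noderestriction/admission_test.go
+++ b/plugin/pkg/admission/noderestriction/admission_test.go
@@ -260,10 +260,14 @@ func (a *admitTestCase) run(t *testing.T) {
 
 func Test_nodePlugin_Admit(t *testing.T) {
 var (
-mynode = &user.DefaultInfo{Name: "system:node:mynode", Groups: []string{"system:nodes"}}
-bob = &user.DefaultInfo{Name: "bob"}
+trueRef = true
+mynode = &user.DefaultInfo{Name: "system:node:mynode", Groups: []string{"system:nodes"}}
+bob = &user.DefaultInfo{Name: "bob"}
+
+mynodeObjMeta = metav1.ObjectMeta{Name: "mynode", UID: "mynode-uid"}
+mynodeObjMetaOwnerRefA = metav1.ObjectMeta{Name: "mynode", UID: "mynode-uid", OwnerReferences: []metav1.OwnerReference{{Name: "fooerA", Controller: &trueRef}}}
+mynodeObjMetaOwnerRefB = metav1.ObjectMeta{Name: "mynode", UID: "mynode-uid", OwnerReferences: []metav1.OwnerReference{{Name: "fooerB", Controller: &trueRef}}}
 
-mynodeObjMeta = metav1.ObjectMeta{Name: "mynode", UID: "mynode-uid"}
 mynodeObj = &api.Node{ObjectMeta: mynodeObjMeta}
 mynodeObjConfigA = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{ConfigSource: &api.NodeConfigSource{
 ConfigMap: &api.ConfigMapNodeConfigSource{
@@ -280,9 +284,11 @@ func Test_nodePlugin_Admit(t *testing.T) {
 KubeletConfigKey: "kubelet",
 }}}}
 
-mynodeObjTaintA = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{Taints: []api.Taint{{Key: "mykey", Value: "A"}}}}
-mynodeObjTaintB = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{Taints: []api.Taint{{Key: "mykey", Value: "B"}}}}
-othernodeObj = &api.Node{ObjectMeta: metav1.ObjectMeta{Name: "othernode"}}
+mynodeObjTaintA = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{Taints: []api.Taint{{Key: "mykey", Value: "A"}}}}
+mynodeObjTaintB = &api.Node{ObjectMeta: mynodeObjMeta, Spec: api.NodeSpec{Taints: []api.Taint{{Key: "mykey", Value: "B"}}}}
+mynodeObjOwnerRefA = &api.Node{ObjectMeta: mynodeObjMetaOwnerRefA}
+mynodeObjOwnerRefB = &api.Node{ObjectMeta: mynodeObjMetaOwnerRefB}
+othernodeObj = &api.Node{ObjectMeta: metav1.ObjectMeta{Name: "othernode"}}
 
 coremymirrorpod, v1mymirrorpod = makeTestPod("ns", "mymirrorpod", "mynode", true)
 coreothermirrorpod, v1othermirrorpod = makeTestPod("ns", "othermirrorpod", "othernode", true)
@@ -1222,6 +1228,24 @@ func Test_nodePlugin_Admit(t *testing.T) {
 attributes: admission.NewAttributesRecord(setForbiddenUpdateLabels(mynodeObj, "new"), setForbiddenUpdateLabels(mynodeObj, "old"), nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Update, &metav1.UpdateOptions{}, false, mynode),
 err: `is not allowed to modify labels: foo.node-restriction.kubernetes.io/foo, node-restriction.kubernetes.io/foo, other.k8s.io/foo, other.kubernetes.io/foo`,
 },
+{
+name: "forbid update of my node: add owner reference",
+podsGetter: existingPods,
+attributes: admission.NewAttributesRecord(mynodeObjOwnerRefA, mynodeObj, nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Update, &metav1.UpdateOptions{}, false, mynode),
+err: "node \"mynode\" is not allowed to modify ownerReferences",
+},
+{
+name: "forbid update of my node: remove owner reference",
+podsGetter: existingPods,
+attributes: admission.NewAttributesRecord(mynodeObj, mynodeObjOwnerRefA, nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Update, &metav1.UpdateOptions{}, false, mynode),
+err: "node \"mynode\" is not allowed to modify ownerReferences",
+},
+{
+name: "forbid update of my node: change owner reference",
+podsGetter: existingPods,
+attributes: admission.NewAttributesRecord(mynodeObjOwnerRefA, mynodeObjOwnerRefB, nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Update, &metav1.UpdateOptions{}, false, mynode),
+err: "node \"mynode\" is not allowed to modify ownerReferences",
+},
 
 // Other node object
 {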
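Review bot: The three cases added in the third hunk (new lines 1231–1248) all expect a rejection, so nothing pins that an update by `mynode` which leaves existing ownerReferences untouched is still admitted; a guard that over-matches would then block routine updates on any node that already carries an owner reference. I would add an allow case that passes `mynodeObjOwnerRefA` as both the new and the old object, as sketched below. The expected-success spelling `err: ""` is assumed from the table's shape and should follow whatever the existing allow cases use. The table in Test_nodePlugin_Admit continues outside the hunk.

```go
// … unchanged: the three "forbid update of my node: … owner reference" cases …
{
	name:       "allow update of my node: unchanged owner reference",
	podsGetter: existingPods,
	attributes: admission.NewAttributesRecord(mynodeObjOwnerRefA, mynodeObjOwnerRefA, nodeKind, mynodeObj.Namespace, mynodeObj.Name, nodeResource, "", admission.Update, &metav1.UpdateOptions{}, false, mynode),
	err:        "",
},
```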

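--- a/staging/publishing/rules.yaml
+++ b/staging/publishing/rules.yaml
@@ -2901,4 +2901,4 @@ rules:
 - staging/src/k8s.io/externaljwt
 recursive-delete-patterns:
 - '*/.gitattributes'
-default-go-version: 1.24.4
+default-go-version: 1.24.5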
