imjasonh
Contributor

This PR attempts to update the project's dependency on github.com/Azure/kubelogin to the most recent version, which allows the project to update its dependency on github.com/Azure/azure-sdk-for-go/sdk/azidentity to a version that addresses a medium-severity CVE: GHSA-m5vv-6r4h-3vj9

I don't know whether this project is actually susceptible to this vulnerability, but it gets flagged for users of this project, and in general depending on very old releases of packages is not recommended -- this updates kubelogin from v0.0.20 (Aug 2022) to v0.1.4 (July this year)

The API has changed in breaking ways in the intervening ~2 years, and I assume this is part of the reason this old dependency has stuck around.

This is in part an update to #16661 -- I'm not sure if that PR should just be updated or if that's in some permanently stuck state.

Checklist:

  • [c] Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issues number (used for the release note).
  • The title of the PR conforms to the Toolchain Guide
  • I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
  • I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
  • Does this PR require documentation updates? no
  • I've updated documentation as required by this PR. n/a
  • I have signed off all my commits as required by DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged. n/a
  • [?] My build is green (troubleshooting builds).
  • My new feature complies with the feature status guidelines. n/a
  • I have added a brief description of why this PR is necessary and/or what this PR solves.
  • Optional. My organization is added to USERS.md.
  • Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

@imjasonh imjasonh requested a review from a team as a code owner October 29, 2024 16:59
@imjasonh
Contributor Author

build-only CI failure seems to have failed flakily

ERROR: failed to solve: docker.io/library/node:23.0.0@sha256:e643c0b70dca9704dff42e12b17f5b719dbe4f95e6392fc2dfa0c5f02ea8044d: failed to resolve source metadata for docker.io/library/node:23.0.0@sha256:e643c0b70dca9704dff42e12b17f5b719dbe4f95e6392fc2dfa0c5f02ea8044d: failed to authorize: failed to fetch oauth token: unexpected status from POST request to https://auth.docker.io/token: 502 Bad Gateway

@blakepettersson
Member

blakepettersson commented Nov 1, 2024

@imjasonh the unit test failure is a real one, which I can consistently reproduce.

What worked for me was reverting some of the unrelated changes (we would still need to find the actual reason for the failure).

Member

@blakepettersson blakepettersson left a comment

I added some changes to go.mod which make the failing test pass (basically anything that's not directly related to kubelogin is reverted to its prior state for now); you'll then need to run go mod tidy afterwards.

@imjasonh
Contributor Author

imjasonh commented Nov 1, 2024

Thanks @blakepettersson, I've updated the deps and run go mod tidy; let me know if I missed anything.


codecov bot commented Nov 1, 2024

Codecov Report

Attention: Patch coverage is 0% with 9 lines in your changes missing coverage. Please review.

Project coverage is 55.18%. Comparing base (36ef563) to head (53f9922).
Report is 392 commits behind head on master.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| cmd/argocd-k8s-auth/commands/azure.go | 0.00% | 9 Missing ⚠️ |
Additional details and impacted files
@@            Coverage Diff             @@
##           master   #20578      +/-   ##
==========================================
+ Coverage   55.10%   55.18%   +0.08%     
==========================================
  Files         324      324              
  Lines       55239    55259      +20     
==========================================
+ Hits        30439    30495      +56     
+ Misses      22180    22145      -35     
+ Partials     2620     2619       -1     


@imjasonh
Contributor Author

imjasonh commented Nov 1, 2024

Before this change (3625689):

govulncheck -show verbose ./...
Scanning your code and 2003 packages across 270 dependent modules for known vulnerabilities...

Fetching vulnerabilities from the database...

Checking the code against the vulnerabilities...

=== Symbol Results ===

No vulnerabilities found.

=== Package Results ===

Vulnerability #1: GO-2024-2918
    Azure Identity Libraries Elevation of Privilege Vulnerability in
    github.com/Azure/azure-sdk-for-go/sdk/azidentity
  More info: https://pkg.go.dev/vuln/GO-2024-2918
  Module: github.com/Azure/azure-sdk-for-go/sdk/azidentity
    Found in: github.com/Azure/azure-sdk-for-go/sdk/azidentity@v1.1.0
    Fixed in: github.com/Azure/azure-sdk-for-go/sdk/azidentity@v1.6.0

After this change (11ce485):

govulncheck -show verbose ./...
Scanning your code and 2015 packages across 269 dependent modules for known vulnerabilities...

Fetching vulnerabilities from the database...

Checking the code against the vulnerabilities...

=== Symbol Results ===

No vulnerabilities found.

=== Package Results ===

No other vulnerabilities found.

@blakepettersson
Member

@imjasonh I'm no Azure expert - how has this been verified that this still works?

@imjasonh
Contributor Author

imjasonh commented Nov 1, 2024

> @imjasonh I'm no Azure expert - how has this been verified that this still works?

I haven't verified anything at all. I'm just basing this on the previous PR from the feature's author to get the dep updated.

If you have any simple instructions to test this, or an end-to-end test that I could run, I'd be happy to give it a shot.

@imjasonh
Contributor Author

imjasonh commented Nov 1, 2024

@bcho is the previous PR's author, 11 months ago

@bcho bcho left a comment

LGTM

@blakepettersson
Member

> If you have any simple instructions to test this, or an end-to-end test that I could run, I'd be happy to give it a shot.

Sadly I do not know of any. I guess given that @bcho is one of the actual authors of kubelogin and works for Azure Cloud that it gives some reassurance that this should work. I'd pass your question along to bcho.

@imjasonh
Contributor Author

imjasonh commented Nov 5, 2024

Rebased and updated go mod tidy to resolve merge conflict.

@bcho

bcho commented Nov 5, 2024

Hi, thanks for the tag and the fix! I am the contributor of kubelogin. I will try to verify the change with an AKS cluster w/ Entra ID auth enabled tomorrow and report back here.

o.UpdateFromEnv()
o := token.OptionsWithEnv()
// we'll use default of WorkloadIdentityLogin for the login flow
o.LoginMethod = token.WorkloadIdentityLogin
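Review bot: the unconditional `o.LoginMethod = token.WorkloadIdentityLogin` right after `o := token.OptionsWithEnv()` discards any login method the environment supplied, so the "default" named in the comment is in fact a forced value; guard it with `if o.LoginMethod == "" { o.LoginMethod = token.WorkloadIdentityLogin }` so that an AAD_LOGIN_METHOD override still takes effect.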
This backfill breaks the behavior. The previous code is to set the default value for LoginMethod to "WorkloadIdentityLogin", then override with environment variable when "AAD_LOGIN_METHOD" is set. But the new implementation here is to force the LoginMethod to use only WorkloadIdentity.

I think a proper way to do that is like this:

```go
o := token.OptionsWithEnv()
if o.LoginMethod == "" { // no environment variable overrides
	// we'll use default of WorkloadIdentityLogin for the login flow
	o.LoginMethod = token.WorkloadIdentityLogin
}
```
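The default-then-override precedence bcho describes, as an added example that is not kubelogin's or Argo CD's code: `Options`, `OptionsWithEnv` and the `AAD_LOGIN_METHOD` handling are a minimal stand-in for kubelogin's `token` package, and the lowercase method strings are assumed values.

```go
package main

import (
	"fmt"
	"os"
)

// Login method names; the constant names mirror kubelogin's
// token.WorkloadIdentityLogin etc., the string values are assumed here.
const (
	WorkloadIdentityLogin = "workloadidentity"
	DeviceCodeLogin       = "devicecode"
)

// Options is a stand-in for kubelogin's token.Options: only the field the
// PR's backfill touches is modelled.
type Options struct {
	LoginMethod string
}

// OptionsWithEnv mimics token.OptionsWithEnv(): fields are populated from
// the environment and left empty when the variable is unset.
func OptionsWithEnv() *Options {
	return &Options{LoginMethod: os.Getenv("AAD_LOGIN_METHOD")}
}

// brokenBackfill is the behaviour bcho flagged: the assignment runs after
// OptionsWithEnv, so any AAD_LOGIN_METHOD value is silently discarded.
func brokenBackfill() *Options {
	o := OptionsWithEnv()
	o.LoginMethod = WorkloadIdentityLogin
	return o
}

// fixedBackfill applies the suggested change: default only when the
// environment did not choose a login method.
func fixedBackfill() *Options {
	o := OptionsWithEnv()
	if o.LoginMethod == "" {
		o.LoginMethod = WorkloadIdentityLogin
	}
	return o
}

func main() {
	os.Setenv("AAD_LOGIN_METHOD", DeviceCodeLogin) // operator asks for device code
	fmt.Println("broken:", brokenBackfill().LoginMethod, "fixed:", fixedBackfill().LoginMethod)
}
```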

Contributor Author

Thanks! I've applied this suggestion, please take a look.

@bcho

bcho commented Nov 6, 2024

I have verified the above code from a test env against an AAD + workload identity enabled AKS cluster. It worked after applying the above changes for updating the backfill behavior, for the devicelogin / msi / workload identity login methods.

@blakepettersson blakepettersson added the ready-for-review An approver should give a final review and merge the PR label Nov 7, 2024
Member

@blakepettersson blakepettersson left a comment

Thanks for your review, @bcho! LGTM

@bcho bcho left a comment

LGTM

@imjasonh
Contributor Author

imjasonh commented Nov 8, 2024

Thanks @blakepettersson and @bcho!

It looks like this still needs approval from an owner with write access. To avoid needing to keep this up to date (as go.mod is a fast-changing file), is there someone we could poke to get this merged soon? 🙏

@crenshaw-dev crenshaw-dev merged commit 4776e48 into argoproj:master Nov 8, 2024
32 checks passed
@crenshaw-dev
Member

Since it's only medium severity, I don't plan to backport the fix. It'll go out with 2.14. Thanks all!

adriananeci pushed a commit to adriananeci/argo-cd that referenced this pull request Dec 4, 2024
* update azure/kubelogin to address CVE

Signed-off-by: Jason Hall <jason@chainguard.dev>

* actually emit token

Signed-off-by: Jason Hall <jason@chainguard.dev>

* update deps, go mod tidy

Signed-off-by: Jason Hall <jason@chainguard.dev>

* fix go.sum

Signed-off-by: Jason Hall <jason@chainguard.dev>

* bcho's suggestion

Signed-off-by: Jason Hall <jason@chainguard.dev>

---------

Signed-off-by: Jason Hall <jason@chainguard.dev>
Signed-off-by: Adrian Aneci <aneci@adobe.com>