upgrade to latest dependencies (#1770)

bumping knative.dev/serving 897b61a...484e848:
  > 484e848 upgrade to latest dependencies (# 13646)
  > 1e27b7a Update net-contour nightly (# 13643)
  > 43af7f1 Update net-istio nightly (# 13644)
  > eb96c59 Update net-kourier nightly (# 13641)
  > 412cf1c Update net-certmanager nightly (# 13640)
  > 2215dfe Update net-gateway-api nightly (# 13642)
  > 0360850 Add secure-pod-defaults flag to default Pods to 'restricted' profile by default (# 13398)
bumping knative.dev/eventing 7e899fd...4d6e1fc:
  > 4d6e1fc Change subscription patch logic to ensure resource version (# 6670)
  > 74e165a APIServerSource with selector to target namespaces (# 6665)
  > 1f9f4d3 Log stream from system namespace in upgrade tests (# 6699)
  > 466d123 Fix reconciler-tests Prow job (# 6694)
  > bd67450 Populate a Subscriptions subscriber and reply namespace only if not set already (# 6671)

Signed-off-by: Knative Automation <automation@knative.team>

Signed-off-by: Knative Automation <automation@knative.team>

go.mod

@@ -20,11 +20,11 @@ require (
 	k8s.io/cli-runtime v0.25.2
 	k8s.io/client-go v0.25.4
 	k8s.io/code-generator v0.25.4
-	knative.dev/eventing v0.35.1-0.20230120082502-7e899fd166de
+	knative.dev/eventing v0.36.0
 	knative.dev/hack v0.0.0-20230113013652-c7cfcb062de9
 	knative.dev/networking v0.0.0-20230123233838-db2bcbea2560
 	knative.dev/pkg v0.0.0-20230117181655-247510c00e9d
-	knative.dev/serving v0.35.1-0.20230123204038-897b61aaa91a
+	knative.dev/serving v0.36.0
 	sigs.k8s.io/yaml v1.3.0
 )
 

go.sum

@@ -1086,16 +1086,16 @@ k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 h1:MQ8BAZPZlWk3S9K4a9NCkI
 k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1/go.mod h1:C/N6wCaBHeBHkHUesQOQy2/MZqGgMAFPqGsGQLdbZBU=
 k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2 h1:GfD9OzL11kvZN5iArC6oTS7RTj7oJOIfnislxYlqTj8=
 k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-knative.dev/eventing v0.35.1-0.20230120082502-7e899fd166de h1:mTwmkYvaPsDCxzQaSjT9BKcf4BQ1zcFSkTIFVGHww3Y=
-knative.dev/eventing v0.35.1-0.20230120082502-7e899fd166de/go.mod h1:PqYrXKXhZU7rQaS5TQuZDSOd9jPX7AegF8uNNUY4kcU=
+knative.dev/eventing v0.36.0 h1:a7kamc2S+LcpNMDX3llnwZm+DqMcYSXgKIgJXdaQQSY=
+knative.dev/eventing v0.36.0/go.mod h1:Qka5Z6+LeMoHGL1QAznVdmq5LAu21b4F3rgxc2AMgRg=
 knative.dev/hack v0.0.0-20230113013652-c7cfcb062de9 h1:CDa7s9KspEZqPhk7cN68ZypRLuAvSgr+knoOaXSsrHk=
 knative.dev/hack v0.0.0-20230113013652-c7cfcb062de9/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
 knative.dev/networking v0.0.0-20230123233838-db2bcbea2560 h1:iprdS5tKTXtgV9dGryuwJJJTTdl5LusCHOelKdezR3I=
 knative.dev/networking v0.0.0-20230123233838-db2bcbea2560/go.mod h1:rn1yRurhkxmSFkpqs/YdG7b9DiYj0VlmLFzBdOQjpOo=
 knative.dev/pkg v0.0.0-20230117181655-247510c00e9d h1:pjKDcvHoMib8nRp56eISRmMj/pFMzJljnzvMvGCIReI=
 knative.dev/pkg v0.0.0-20230117181655-247510c00e9d/go.mod h1:VO/fcEsq43seuONRQxZyftWHjpMabYzRHDtpSEQ/eoQ=
-knative.dev/serving v0.35.1-0.20230123204038-897b61aaa91a h1:EFgNwvcbmiswVuE+TNYl+UiiVM4Q+5FHvsKfpiJNWkI=
-knative.dev/serving v0.35.1-0.20230123204038-897b61aaa91a/go.mod h1:WdVK1b42aahKc8WewW5YLPjp46QK4+D8R9lq3PNuRYg=
+knative.dev/serving v0.36.0 h1:RSYDjxhzOx5rnlW9tNPcBPyJyNuOcZuYEMdKDR1r04k=
+knative.dev/serving v0.36.0/go.mod h1:ueqMvTqzZE0GFfPqSsc+ZjX20Z8XxCuX86+S+TI7B3A=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=

vendor/knative.dev/eventing/pkg/apis/sources/v1/apiserver_types.go

@@ -80,6 +80,11 @@ type ApiServerSourceSpec struct {
 	// source. Defaults to default if not set.
 	// +optional
 	ServiceAccountName string `json:"serviceAccountName,omitempty"`
+
+	// NamespaceSelector is a label selector to capture the namespaces that
+	// should be watched by the source.
+	// +optional
+	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
 }
 
 // ApiServerSourceStatus defines the observed state of ApiServerSource
@@ -92,6 +97,9 @@ type ApiServerSourceStatus struct {
 	// * SinkURI - the current active sink URI that has been configured for the
 	//   Source.
 	duckv1.SourceStatus `json:",inline"`
+
+	// Namespaces show the namespaces currently watched by the ApiServerSource
+	Namespaces []string `json:"namespaces"`
 }
 
 // APIVersionKind is an APIVersion and Kind tuple.

vendor/knative.dev/eventing/pkg/apis/sources/v1/zz_generated.deepcopy.go

@@ -140,6 +140,11 @@ func (in *ApiServerSourceSpec) DeepCopyInto(out *ApiServerSourceSpec) {
 		*out = new(APIVersionKind)
 		**out = **in
 	}
+	if in.NamespaceSelector != nil {
+		in, out := &in.NamespaceSelector, &out.NamespaceSelector
+		*out = new(metav1.LabelSelector)
+		(*in).DeepCopyInto(*out)
+	}
 	return
 }
 
@@ -157,6 +162,11 @@ func (in *ApiServerSourceSpec) DeepCopy() *ApiServerSourceSpec {
 func (in *ApiServerSourceStatus) DeepCopyInto(out *ApiServerSourceStatus) {
 	*out = *in
 	in.SourceStatus.DeepCopyInto(&out.SourceStatus)
+	if in.Namespaces != nil {
+		in, out := &in.Namespaces, &out.Namespaces
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 	return
 }
 

vendor/knative.dev/serving/pkg/apis/config/features.go

@@ -70,6 +70,7 @@ func defaultFeaturesConfig() *Features {
 		PodSpecInitContainers:            Disabled,
 		PodSpecDNSPolicy:                 Disabled,
 		PodSpecDNSConfig:                 Disabled,
+		SecurePodDefaults:                Disabled,
 		TagHeaderBasedRouting:            Disabled,
 		AutoDetectHTTP2:                  Disabled,
 	}
@@ -99,6 +100,7 @@ func NewFeaturesConfigFromMap(data map[string]string) (*Features, error) {
 		asFlag("kubernetes.podspec-persistent-volume-write", &nc.PodSpecPersistentVolumeWrite),
 		asFlag("kubernetes.podspec-dnspolicy", &nc.PodSpecDNSPolicy),
 		asFlag("kubernetes.podspec-dnsconfig", &nc.PodSpecDNSConfig),
+		asFlag("secure-pod-defaults", &nc.SecurePodDefaults),
 		asFlag("tag-header-based-routing", &nc.TagHeaderBasedRouting),
 		asFlag("queueproxy.mount-podinfo", &nc.QueueProxyMountPodInfo),
 		asFlag("autodetect-http2", &nc.AutoDetectHTTP2)); err != nil {
@@ -134,6 +136,7 @@ type Features struct {
 	QueueProxyMountPodInfo           Flag
 	PodSpecDNSPolicy                 Flag
 	PodSpecDNSConfig                 Flag
+	SecurePodDefaults                Flag
 	TagHeaderBasedRouting            Flag
 	AutoDetectHTTP2                  Flag
 }

vendor/knative.dev/serving/pkg/apis/serving/fieldmask.go

@@ -208,6 +208,9 @@ func PodSpecMask(ctx context.Context, in *corev1.PodSpec) *corev1.PodSpec {
 	}
 	if cfg.Features.PodSpecSecurityContext != config.Disabled {
 		out.SecurityContext = in.SecurityContext
+	} else if cfg.Features.SecurePodDefaults != config.Disabled {
+		// This is further validated in ValidatePodSecurityContext.
+		out.SecurityContext = in.SecurityContext
 	}
 	if cfg.Features.PodSpecPriorityClassName != config.Disabled {
 		out.PriorityClassName = in.PriorityClassName
@@ -591,6 +594,19 @@ func PodSecurityContextMask(ctx context.Context, in *corev1.PodSecurityContext)
 
 	out := new(corev1.PodSecurityContext)
 
+	if config.FromContextOrDefaults(ctx).Features.SecurePodDefaults == config.Enabled {
+		// Allow to opt out of more-secure defaults if SecurePodDefaults is enabled.
+		// This aligns with defaultSecurityContext in revision_defaults.go.
+		if in.SeccompProfile != nil {
+			seccomp := in.SeccompProfile.Type
+			if seccomp == corev1.SeccompProfileTypeRuntimeDefault || seccomp == corev1.SeccompProfileTypeUnconfined {
+				out.SeccompProfile = &corev1.SeccompProfile{
+					Type: seccomp,
+				}
+			}
+		}
+	}
+
 	if config.FromContextOrDefaults(ctx).Features.PodSpecSecurityContext == config.Disabled {
 		return out
 	}

vendor/knative.dev/serving/pkg/apis/serving/v1/revision_defaults.go

@@ -72,6 +72,10 @@ func (rs *RevisionSpec) SetDefaults(ctx context.Context) {
 	applyDefaultContainerNames(rs.PodSpec.InitContainers, containerNames, defaultInitContainerName)
 	for idx := range rs.PodSpec.Containers {
 		rs.applyDefault(ctx, &rs.PodSpec.Containers[idx], cfg)
+		rs.defaultSecurityContext(rs.PodSpec.SecurityContext, &rs.PodSpec.Containers[idx], cfg)
+	}
+	for idx := range rs.PodSpec.InitContainers {
+		rs.defaultSecurityContext(rs.PodSpec.SecurityContext, &rs.PodSpec.InitContainers[idx], cfg)
 	}
 }
 
@@ -158,6 +162,57 @@ func (*RevisionSpec) applyProbes(container *corev1.Container) {
 	}
 }
 
+// Upgrade SecurityContext for this container and the Pod definition to use settings
+// for the `restricted` profile when the feature flag is enabled.
+// This does not currently set `runAsNonRoot` for the restricted profile, because
+// that feels harder to default safely.
+func (rs *RevisionSpec) defaultSecurityContext(psc *corev1.PodSecurityContext, container *corev1.Container, cfg *config.Config) {
+	if cfg.Features.SecurePodDefaults != config.Enabled {
+		return
+	}
+
+	if psc == nil {
+		psc = &corev1.PodSecurityContext{}
+	}
+
+	updatedSC := container.SecurityContext
+
+	if updatedSC == nil {
+		updatedSC = &corev1.SecurityContext{}
+	}
+
+	if updatedSC.AllowPrivilegeEscalation == nil {
+		updatedSC.AllowPrivilegeEscalation = ptr.Bool(false)
+	}
+	if psc.SeccompProfile == nil || psc.SeccompProfile.Type == "" {
+		if updatedSC.SeccompProfile == nil {
+			updatedSC.SeccompProfile = &corev1.SeccompProfile{}
+		}
+		if updatedSC.SeccompProfile.Type == "" {
+			updatedSC.SeccompProfile.Type = corev1.SeccompProfileTypeRuntimeDefault
+		}
+	}
+	if updatedSC.Capabilities == nil {
+		updatedSC.Capabilities = &corev1.Capabilities{}
+		updatedSC.Capabilities.Drop = []corev1.Capability{"ALL"}
+		// Default in NET_BIND_SERVICE to allow binding to low-numbered ports.
+		needsLowPort := false
+		for _, p := range container.Ports {
+			if p.ContainerPort < 1024 {
+				needsLowPort = true
+				break
+			}
+		}
+		if updatedSC.Capabilities.Add == nil && needsLowPort {
+			updatedSC.Capabilities.Add = []corev1.Capability{"NET_BIND_SERVICE"}
+		}
+	}
+
+	if *updatedSC != (corev1.SecurityContext{}) {
+		container.SecurityContext = updatedSC
+	}
+}
+
 func applyDefaultContainerNames(containers []corev1.Container, containerNames sets.String, defaultContainerName string) {
 	// Default container name based on ContainerNameFromTemplate value from configmap.
 	// In multi-container or init-container mode, add a numeric suffix, avoiding clashes with user-supplied names.

vendor/knative.dev/serving/test/e2e-tests.sh

@@ -126,6 +126,11 @@ toggle_feature kubernetes.podspec-securitycontext Disabled
 toggle_feature kubernetes.podspec-persistent-volume-write Disabled
 toggle_feature kubernetes.podspec-persistent-volume-claim Disabled
 
+# RUN secure pod defaults test in a separate install.
+toggle_feature secure-pod-defaults Enabled
+go_test_e2e -timeout=3m ./test/e2e/securedefaults ${TEST_OPTIONS} || failed=1
+toggle_feature secure-pod-defaults Disabled
+
 # Run HA tests separately as they're stopping core Knative Serving pods.
 # Define short -spoofinterval to ensure frequent probing while stopping pods.
 toggle_feature autocreateClusterDomainClaims true config-network || fail_test

vendor/modules.txt

@@ -917,7 +917,7 @@ k8s.io/utils/net
 k8s.io/utils/pointer
 k8s.io/utils/strings/slices
 k8s.io/utils/trace
-# knative.dev/eventing v0.35.1-0.20230120082502-7e899fd166de
+# knative.dev/eventing v0.36.0
 ## explicit; go 1.18
 knative.dev/eventing/pkg/apis/config
 knative.dev/eventing/pkg/apis/duck
@@ -1013,7 +1013,7 @@ knative.dev/pkg/tracing/config
 knative.dev/pkg/tracing/propagation
 knative.dev/pkg/tracing/propagation/tracecontextb3
 knative.dev/pkg/tracker
-# knative.dev/serving v0.35.1-0.20230123204038-897b61aaa91a
+# knative.dev/serving v0.36.0
 ## explicit; go 1.18
 knative.dev/serving/pkg/apis/autoscaling
 knative.dev/serving/pkg/apis/autoscaling/v1alpha1