Simple XSS scans might fetch /<script>alert('vulnerable')</script>, and
fail when the response body includes the script tag verbatim, despite
the headers directing the browser to interpret the response as text.
This isn't a real vulnerability, but it's easier to fix this here than
it is to fix the scanners.
Kubernetes-commit: dd4bb1213d8447632fa651195980cbfae2546fb3
Add support for following redirects to the SpdyRoundTripper. This is
necessary for clients using it directly (e.g. the apiserver talking
directly to the kubelet) because the CRI streaming server issues a
redirect for streaming requests.
Also extract common logic for following redirects.
Kubernetes-commit: 715d5d9c91c669cf33c0bf9a9c9d352c6c4228a6
This commit adds tests for pkg/util/webhooks. The purpose of this was
not only for better code coverage but also to alleviate the need for
consumers to write their own tests for core functionality.
Kubernetes-commit: d15dba7e8bff943d91ba6f58fcb0dfefa357a7f1
The wrong json package was used, resulting in patches being unmarshaled
with numbers as float64 rather than int64.
This in turn confused HasConflicts() which expects numeric types to match.
The end result was false positives of meaningful conflicts, such as:
```
there is a meaningful conflict (firstResourceVersion: "8517",
currentResourceVersion: "8519"):
diff1={"metadata":{"resourceVersion":"8519"},"spec":{"replicas":0},"status":{"conditions":null,"fullyLabeledReplicas":null,"replicas":0}}
, diff2={"spec":{"replicas":0}}
```
Kubernetes-commit: 1ab6a33db486adc060e1b63eecbdc06aabdde1f6
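Added illustration of the mismatch described in the message above; it is not code from the commit or from Kubernetes. The two patches are constructed from the log line, `decode` with preserveInts=true is a simplified stand-in for the apimachinery json helper, and `hasConflicts` is a simplified model of the conflict check, both assumptions for this example.

```go
package main
import (
	"bytes"
	"encoding/json"
	"reflect"
)
// Constructed patches with the shape of the log line above (diff2 is a subset of diff1).
const diff1, diff2 = `{"metadata":{"resourceVersion":"8519"},"spec":{"replicas":0}}`, `{"spec":{"replicas":0}}`
// decode parses a JSON object: preserveInts=false behaves like plain encoding/json (every number
// becomes float64); preserveInts=true keeps integral literals as int64. Stand-in, not the real helper.
func decode(data string, preserveInts bool) map[string]interface{} {
	dec := json.NewDecoder(bytes.NewReader([]byte(data)))
	if preserveInts {
		dec.UseNumber()
	}
	var m map[string]interface{}
	if err := dec.Decode(&m); err != nil {
		panic(err) // the constructed inputs above are valid JSON
	}
	return fixNumbers(m).(map[string]interface{})
}
// fixNumbers rewrites json.Number to int64 when integral, otherwise to float64; maps recurse.
func fixNumbers(v interface{}) interface{} {
	switch x := v.(type) {
	case json.Number:
		if i, err := x.Int64(); err == nil {
			return i
		}
		f, _ := x.Float64()
		return f
	case map[string]interface{}:
		for k, e := range x {
			x[k] = fixNumbers(e)
		}
	}
	return v
}
// hasConflicts models the check the commit describes: a key set by both patches must agree,
// recursing into nested maps; scalars go through reflect.DeepEqual, for which float64(0) and
// int64(0) are different values, which is exactly the false positive in the log above.
func hasConflicts(a, b interface{}) bool {
	am, aMap := a.(map[string]interface{})
	if bm, bMap := b.(map[string]interface{}); aMap && bMap {
		for k, v := range am {
			if w, ok := bm[k]; ok && hasConflicts(v, w) {
				return true
			}
		}
		return false
	}
	return !reflect.DeepEqual(a, b)
}
```

Decoding diff1 with preserveInts=false and diff2 with preserveInts=true reproduces the spurious conflict; decoding both the same way does not.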
All Stores in Kubernetes follow the same logic for determining the name
of an object. This change makes it so that CompleteWithOptions defaults
the ObjectNameFunc if it is not specified. Thus a user does not need to
remember to use ObjectMeta.Name. Using the wrong field as the name can
lead to an object which has a name that bypasses normal object name
validation.
Signed-off-by: Monis Khan <mkhan@redhat.com>
Kubernetes-commit: ed35deb69d6fe480adc9178c30b4b9c9e03ca1a9
etcd has support for client-cert-auth, which can be configured via the flag `--ca-file`.
When that is enabled, all client requests must present a client certificate.
However, the current component status check uses a single transport for all of the checks.
This is wrong: the checks should be different for each component, and each of them
should use a different transport (TLS configuration).
Kubernetes-commit: b1040171b68217dccb617de85defa4a5063c638b
In the long term AdmissionOptions will accept various dependencies
and spit out AdmissionControl.
Kubernetes-commit: de9706bc15ffc3a6a4ef30a00d5c7ea9a8881396
Previously runServer would try to listen again if a listener error
occurred. This commit changes the response to a panic to allow a
process manager (systemd/kubelet/etc) to react to the failure.
Kubernetes-commit: 30fb3be4d29179cf551e3030ade37d94d9acc8c9
enisoc pointed out how ToLower can change (lengthen even!) the length of
a string given arbitrary input.
Kubernetes-commit: fe202fcfc47c7e0fa7d75dc933c9988bb5a53e5e
The exported or public functions require a doc comment to pass golint.
This commit has changes of conversion generated code. The actual doc
changes are added into a separate commit for a clean review.
Kubernetes-commit: 08639023d027e0b69e3b3e5535b04148e084b1bd