From 9334ff21c233dfd154d90d4655ceb20be25e30d3 Mon Sep 17 00:00:00 2001
From: Thomas Ferrandiz
Date: Fri, 11 Oct 2024 15:32:16 +0000
Subject: [PATCH 1/2] check that the lease includes an IP address of the requested family before configuring the flannel interface

---
 pkg/backend/vxlan/vxlan.go | 6 ++++++
 pkg/backend/wireguard/wireguard.go | 8 ++++++++
 2 files changed, 14 insertions(+)

diff --git a/pkg/backend/vxlan/vxlan.go b/pkg/backend/vxlan/vxlan.go
index edce214259..47a0c1fbdf 100644
--- a/pkg/backend/vxlan/vxlan.go
+++ b/pkg/backend/vxlan/vxlan.go
@@ -220,11 +220,17 @@ func (be *VXLANBackend) RegisterNetwork(ctx context.Context, wg *sync.WaitGroup,
 // This IP is just used as a source address for host to workload traffic (so
 // the return path for the traffic has an address on the flannel network to use as the destination)
 if config.EnableIPv4 {
+ if lease.Subnet.Empty() {
+ return nil, fmt.Errorf("failed to configure interface %s: IPv4 is enabled but the lease has no IPv4", dev.link.Attrs().Name)
+ }
 if err := dev.Configure(ip.IP4Net{IP: lease.Subnet.IP, PrefixLen: 32}, config.Network); err != nil {
 return nil, fmt.Errorf("failed to configure interface %s: %w", dev.link.Attrs().Name, err)
 }
 }
 if config.EnableIPv6 {
+ if lease.IPv6Subnet.Empty() {
+ return nil, fmt.Errorf("failed to configure interface %s: IPv6 is enabled but the lease has no IPv6", v6Dev.link.Attrs().Name)
+ }
 if err := v6Dev.ConfigureIPv6(ip.IP6Net{IP: lease.IPv6Subnet.IP, PrefixLen: 128}, config.IPv6Network); err != nil {
 return nil, fmt.Errorf("failed to configure interface %s: %w", v6Dev.link.Attrs().Name, err)
 }
diff --git a/pkg/backend/wireguard/wireguard.go b/pkg/backend/wireguard/wireguard.go
index 36b8b02adf..bc7b0e89de 100644
--- a/pkg/backend/wireguard/wireguard.go
+++ b/pkg/backend/wireguard/wireguard.go
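Review bot: The lease-vs-config validation added in both branches here is repeated verbatim in the two wireguard.go hunks of this patch, and in each backend it runs only after the device has already been created earlier in RegisterNetwork (outside this hunk), so a lease that lacks the enabled family still costs a netlink device before the error is returned, as the existing Configure error path already does. A single helper that checks `lease.Subnet`/`lease.IPv6Subnet` against `config.EnableIPv4`/`config.EnableIPv6` and is called once before any backend creates a device would make the guard uniform and would also cover any other backend that reads `lease.Subnet.IP`, which this patch does not touch. The IPv6 message dereferences `v6Dev.link.Attrs().Name`; that is only safe if v6Dev is guaranteed non-nil whenever EnableIPv6 is set (its creation is outside the hunk), so if that invariant is not already stated, a `// v6Dev is always created when config.EnableIPv6 is set` comment above the branch would document the dependency.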
@@ -171,6 +171,10 @@ func (be *WireguardBackend) RegisterNetwork(ctx context.Context, wg *sync.WaitGr
 }
 if config.EnableIPv4 {
+ if lease.Subnet.Empty() {
+ return nil, fmt.Errorf("failed to configure wg interface: IPv4 is enabled but the lease has no IPv4")
+ }
+
 err = dev.Configure(lease.Subnet.IP, config.Network)
 if err != nil {
 return nil, err
@@ -178,6 +182,10 @@ func (be *WireguardBackend) RegisterNetwork(ctx context.Context, wg *sync.WaitGr
 }
 if config.EnableIPv6 {
+ if lease.IPv6Subnet.Empty() {
+ return nil, fmt.Errorf("failed to configure wg interface: IPv6 is enabled but the lease has no IPv6")
+ }
+
 if cfg.Mode == Separate {
 err = v6Dev.ConfigureV6(lease.IPv6Subnet.IP, config.IPv6Network)
 } else {

From 23ce6c067c4b6f4f3245599cbf17832f7b324f4d Mon Sep 17 00:00:00 2001
From: Thomas Ferrandiz
Date: Wed, 16 Oct 2024 13:35:55 +0000
Subject: [PATCH 2/2] fix trivy check

---
 .github/workflows/trivy.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 3bcce161dc..0e1da0ed9b 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -42,9 +42,9 @@ jobs:
 ARCH=amd64 TAG=${{ github.sha }} make image
 - name: Run Trivy vulnerability scanner in tarball mode
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.28.0
 with:
- input: /github/workspace/dist/flanneld-${{ github.sha }}-amd64.docker
+ input: ./dist/flanneld-${{ github.sha }}-amd64.docker
 severity: 'CRITICAL,HIGH'
 format: 'sarif'
 output: 'trivy-results.sarif'
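Review bot: The new error messages in this hunk and in the `@@ -178,6 +182,10 @@` hunk say only "wg interface", while the matching guard in vxlan.go names the device via `dev.link.Attrs().Name`; in Separate mode there are two wireguard devices (`dev` and `v6Dev`, per the else branch visible here), so an operator reading the log cannot tell which one the failed lease check belongs to. Include the device name in the message the way vxlan.go does, using whatever name accessor the wireguard device type exposes (it is not visible in the hunk), so both backends report the failure the same way. The blank line added after each guard's closing brace is also inconsistent with vxlan.go, where the guard is followed directly by the Configure call. RegisterNetwork starts and ends outside both hunks.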
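Review bot: `uses: aquasecurity/trivy-action@0.28.0` replaces a floating branch reference with a release tag, but a tag is still a mutable pointer, so the action's code can change underneath this workflow without any diff appearing here; pinning to the release's full commit SHA with the version kept as a comment, `uses: aquasecurity/trivy-action@<full-commit-sha-of-0.28.0> # 0.28.0`, is the form that makes the scanner step itself reproducible. The relative `input: ./dist/flanneld-${{ github.sha }}-amd64.docker` assumes the scanner step runs in the same workspace directory where the preceding `make image` writes `dist/`, which appears to be the intent of the change but is worth confirming against the tarball-mode documentation of the pinned version.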