bump: k8s.io 0.23->1.23 go 1.18->1.23 to fix vul cve-2023-44487

Signed-off-by: Jeongwoo Kim - jekim <jekim@lycorp.co.jp>

Author: mlajkim

.gitignore

@@ -4,3 +4,4 @@ bin
 *.tgz
 tags.json
 .idea
+.vscode/settings.json

cmd/kube-mgmt/main.go

@@ -9,7 +9,6 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
-	"io/ioutil"
 	"net/http"
 	"os"
 	"path"
@@ -141,7 +140,7 @@ func run(params *params) {
 	}
 
 	if params.opaAuthFile != "" {
-		file, err := ioutil.ReadFile(params.opaAuthFile)
+		file, err := os.ReadFile(params.opaAuthFile)
 		if err != nil {
 			logrus.Fatalf("Failed to read opa auth token file %s", params.opaAuthFile)
 		}
@@ -162,7 +161,7 @@ func run(params *params) {
 		if rootCAs == nil {
 			rootCAs = x509.NewCertPool()
 		}
-		certs, err := ioutil.ReadFile(params.opaCAFile)
+		certs, err := os.ReadFile(params.opaCAFile)
 		if err != nil {
 			logrus.Fatalf("Failed to read opa certificate authority file %s", params.opaCAFile)
 		}

go.mod

@@ -1,48 +1,58 @@
 module github.com/open-policy-agent/kube-mgmt
 
-go 1.18
+go 1.23
 
 require (
 	github.com/sirupsen/logrus v1.8.3
 	github.com/spf13/cobra v1.3.0
-	k8s.io/api v0.23.17
-	k8s.io/apimachinery v0.23.17
-	k8s.io/client-go v0.23.17
+	k8s.io/api v0.31.3
+	k8s.io/apimachinery v0.31.3
+	k8s.io/client-go v0.31.3
 )
 
-require gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
+require (
+	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
+	github.com/go-openapi/jsonpointer v0.19.6 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
+	github.com/go-openapi/swag v0.22.4 // indirect
+	github.com/google/gnostic-models v0.6.8 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
+)
 
 require (
-	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
-	github.com/go-logr/logr v1.2.0 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/protobuf v1.5.2 // indirect; indire4ct
-	github.com/google/go-cmp v0.5.6 // indirect
-	github.com/google/gofuzz v1.1.0 // indirect
-	github.com/googleapis/gnostic v0.5.5 // indirect
-	github.com/imdario/mergo v0.3.5 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect; indire4ct
+	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/imdario/mergo v0.3.6 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	golang.org/x/net v0.23.0 // indirect
-	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
+	golang.org/x/net v0.26.0 // indirect
+	golang.org/x/oauth2 v0.21.0 // indirect
 	golang.org/x/sys v0.26.0 // indirect
 	golang.org/x/term v0.25.0 // indirect
 	golang.org/x/text v0.19.0 // indirect
-	golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
-	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/protobuf v1.33.0 // indirect
+	golang.org/x/time v0.3.0 // indirect
+	google.golang.org/protobuf v1.34.2 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/klog/v2 v2.30.0 // indirect
-	k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65 // indirect
-	k8s.io/utils v0.0.0-20211116205334-6203023598ed // indirect
-	sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
-	sigs.k8s.io/yaml v1.2.0 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
+	k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect
+	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
 )

go.sum

@@ -140,20 +140,21 @@ func (s *Sync) Run(namespaces []string) (chan struct{}, error) {
 		if namespace == "*" {
 			namespace = v1.NamespaceAll
 		}
-		source := cache.NewListWatchFromClient(
+		listerWatcher := cache.NewListWatchFromClient(
 			client,
 			"configmaps",
 			namespace,
 			fields.Everything())
-		_, controller := cache.NewInformer(
-			source,
-			&v1.ConfigMap{},
-			0,
-			cache.ResourceEventHandlerFuncs{
+		_, controller := cache.NewInformerWithOptions(cache.InformerOptions{
+			ListerWatcher: listerWatcher,
+			ObjectType:    &v1.ConfigMap{},
+			Handler: cache.ResourceEventHandlerFuncs{
 				AddFunc:    s.add,
 				UpdateFunc: s.update,
 				DeleteFunc: s.delete,
-			})
+			},
+			ResyncPeriod: 0, // Set to 0 as in the original code
+		})
 		go controller.Run(quit)
 	}
 	return quit, nil

pkg/configmap/configmap.go

@@ -41,7 +41,7 @@ type GenericSync struct {
 	client           dynamicClient
 	opa              opa_client.Data
 	ns               types.ResourceType
-	limiter          workqueue.RateLimiter
+	limiter          workqueue.TypedRateLimiter[any]
 	jitterFactor     float64
 	ignoreNamespaces []string
 }
@@ -70,7 +70,7 @@ func NewFromInterface(client dynamic.Interface, opa opa_client.Data, ns types.Re
 		opt(s)
 	}
 	if s.limiter == nil { // Use default rateLimiter if not configured
-		s.limiter = workqueue.NewItemExponentialFailureRateLimiter(backoffMin, backoffMax)
+		s.limiter = workqueue.NewTypedItemExponentialFailureRateLimiter[any](backoffMin, backoffMax)
 	}
 	return s
 }
@@ -85,7 +85,7 @@ func WithIgnoreNamespaces(ignoreNamespaces []string) Option {
 // WithBackoff tunes the values of exponential backoff and jitter factor
 func WithBackoff(min, max time.Duration, jitterFactor float64) Option {
 	return func(s *GenericSync) {
-		s.limiter = workqueue.NewItemExponentialFailureRateLimiter(min, max)
+		s.limiter = workqueue.NewTypedItemExponentialFailureRateLimiter[any](min, max)
 		s.jitterFactor = jitterFactor
 	}
 }
@@ -128,13 +128,13 @@ func (s *GenericSync) RunContext(ctx context.Context) error {
 }
 
 // setup the store and queue for this GenericSync instance
-func (s *GenericSync) setup(ctx context.Context) (cache.Store, workqueue.DelayingInterface) {
+func (s *GenericSync) setup(ctx context.Context) (cache.Store, workqueue.TypedDelayingInterface[any]) {
 	ignoreNs := s.ignoreNs()
 
 	resource := s.client.ResourceFor(s.ns, metav1.NamespaceAll)
 	queue := workqueue.NewNamedDelayingQueue(s.ns.String())
-	store, controller := cache.NewInformer(
-		&cache.ListWatch{
+	store, controller := cache.NewInformerWithOptions(cache.InformerOptions{
+		ListerWatcher: &cache.ListWatch{
 			ListFunc: func(options metav1.ListOptions) (runtime.Object, error) {
 				options.FieldSelector = ignoreNs
 				return resource.List(ctx, options)
@@ -144,10 +144,10 @@ func (s *GenericSync) setup(ctx context.Context) (cache.Store, workqueue.Delayin
 				return resource.Watch(ctx, options)
 			},
 		},
-		&unstructured.Unstructured{},
-		0,
-		resourceEventQueue{queue},
-	)
+		ObjectType:   &unstructured.Unstructured{},
+		Handler:      resourceEventQueue{queue},
+		ResyncPeriod: 0,
+	})
 
 	start, quit := time.Now(), ctx.Done()
 	go controller.Run(quit)
@@ -181,7 +181,7 @@ type resourceEventQueue struct {
 }
 
 // OnAdd implements ResourceHandler
-func (q resourceEventQueue) OnAdd(obj interface{}) {
+func (q resourceEventQueue) OnAdd(obj interface{}, isInInitialList bool) {
 	key, err := cache.MetaNamespaceKeyFunc(obj)
 	if err != nil {
 		logrus.Warnf("failed to retrieve key: %v", err)
@@ -210,7 +210,7 @@ func (q resourceEventQueue) resourceVersionMatch(oldObj, newObj interface{}) boo
 // OnUpdate implements ResourceHandler
 func (q resourceEventQueue) OnUpdate(oldObj, newObj interface{}) {
 	if !q.resourceVersionMatch(oldObj, newObj) { // Avoid sync flood on relist. We don't use resync.
-		q.OnAdd(newObj)
+		q.OnAdd(newObj, false)
 	}
 }
 
@@ -229,7 +229,7 @@ const initPath = ""
 // loop starts replicating Kubernetes resources into OPA. If an error occurs
 // during the replication process, this function will backoff and reload
 // all resources into OPA from scratch.
-func (s *GenericSync) loop(store cache.Store, queue workqueue.DelayingInterface) {
+func (s *GenericSync) loop(store cache.Store, queue workqueue.TypedDelayingInterface[any]) {
 
 	logrus.Infof("Syncing %v.", s.ns)
 	defer func() {