joejulian

DUMP-START-TIME: 2021-05-05 20:56:00.238304 +0000

[mallinfo]
mallinfo_arena=289714176
mallinfo_ordblks=192753
mallinfo_smblks=114301
mallinfo_hblks=3
mallinfo_hblkhd=1429504
mallinfo_usmblks=0
mallinfo_fsmblks=11270480

joejulian

1. stop the cron-job that was restarting traefik
2. deploy traefik container patched by Jarred, decrease the amount of replicas to 1, enable debug mode and debug logging (add --loglevel=debug and -d to the argv list)
3. on each apiserver, done 1 by 1:
   a. vi /etc/kubernetes/audit-policy/apiserver-audit-policy.yaml , add:
     <right at the begining of rules section>

  - level: RequestResponse
    users: ["system:serviceaccount:kubeaddons:traefik-kubeaddons"]

   b. restart apiserver

joejulian

==> Making package: dsview 1.12-2 (Wed 28 Apr 2021 05:18:20 PM PDT)
==> Checking runtime dependencies...
==> Checking buildtime dependencies...
==> Retrieving sources...
  -> Found DSView-1.12.tar.gz
  -> Found qt5.15.patch
  -> Found udev.rules
  -> Found dsview.desktop
==> Validating source files with sha384sums...
    DSView-1.12.tar.gz ... Passed

joejulian

CVE-2019-7609              kibana-1.0.0                        Critical        None          CVE-2019-7609         https://nvd.nist.gov/vuln/detail/CVE-2019-7609               npm         nvdv2:cves        /usr/share/kibana/node_modules/@kbn/pm/src/utils/__fixtures__/kibana/package.json                           
CVE-2019-7610              kibana-1.0.0                        Critical        None          CVE-2019-7610         https://nvd.nist.gov/vuln/detail/CVE-2019-7610               npm         nvdv2:cves        /usr/share/kibana/node_modules/@kbn/pm/src/utils/__fixtures__/kibana/package.json                           
CVE-2020-3681              -                                   Critical        None          CVE-2020-3681         https://nvd.nist.gov/vuln/detail/CVE-2020-3681               npm         nvdv2:cves        /usr/share/kibana/node_modules/@babel/runtime-corejs2/helpers/esm/package.json                              
CVE-2020-3681              -                                   Critical        

joejulian

#!/bin/bash
set -euo pipefail

EXPIRATION="${1:-8h}"
TEMPFILE=$(mktemp)

yq -Y '. | (
    select(.kind == "ClusterProvisioner") | 
        .spec.aws.tags.expiration = "'"${EXPIRATION}"'"),(
    select(.kind != "ClusterProvisioner") |

joejulian

#!/bin/bash
set -euo pipefail

EXPIRATION="${1:-8h}"
TEMPFILE=$(mktemp)

yq -Y '. | (
    select(.kind == "ClusterProvisioner") | 
        .spec.aws.tags.expiration = "'"${EXPIRATION}"'"),(
    select(.kind != "ClusterProvisioner") |

joejulian

#!/bin/bash
set -euo pipefail

EXPIRATION="${1:-8h}"
TEMPFILE=$(mktemp)

yq -Y '. | (
    select(.kind == "ClusterProvisioner") | 
        .spec.aws.tags.expiration = "'"${EXPIRATION}"'"),(
    select(.kind != "ClusterProvisioner") |

joejulian

defaultstorageclass-protection

• update client-go to 0.19.2 to support k8s 1.16-1.21

• use the distroless image and run as nonroot user to address image CVEs #880 (@mesosphere-mergebot)

• Fix CVE-2019-14697. #878 (@faiq)

• defaultstorageclass: use unique Service selectors to avoid selecting unwanted endpoints from other charts. #832 (@dkoshkin)

joejulian

Namespace	Name	Version	App Version	Kind
	ambassador	1.8.0-1	1.8.0	ClusterAddon
	awsebscsiprovisioner	0.8.0-1	0.8.0	ClusterAddon
	awsebsprovisioner	1.0.0-1	1.0	ClusterAddon
	azuredisk-csi-driver	0.7.2-3	0.7.2	ClusterAddon
	azurediskprovisioner	1.0.0-2	1.0	ClusterAddon
	cert-manager	1.0.3-7	1.0.3	ClusterAddon
	dashboard	2.7.1-2	2.7.1	ClusterAddon
	defaultstorageclass-protection	0.0.4-2	0.0.4	ClusterAddon

joejulian

apiVersion: v1
kind: Node
metadata:
  annotations:
    node.alpha.kubernetes.io/ttl: "0"
    projectcalico.org/IPv4Address: 192.168.2.97/24
    volumes.kubernetes.io/controller-managed-attach-detach: "true"
  creationTimestamp: "2020-09-25T05:12:58Z"
  labels:
    beta.kubernetes.io/arch: arm64