Compare commits
5 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
 Chris Farhood
|
96b7ff0e24 | ||
|
Chris Farhood
|
f4acf34ccc | ||
|
Chris Farhood
|
4813f3c314 | ||
|
Chris Farhood
|
c83a8c775b | ||
|
Chris Farhood
|
1f2287489c |
@@ -14,7 +14,6 @@ on:
|
||||
|
||||
jobs:
|
||||
dual-approval:
|
||||
if: github.event.pull_request != null
|
||||
uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
|
||||
secrets: inherit
|
||||
with:
|
||||
|
||||
@@ -1,21 +0,0 @@
|
||||
name: Mend Renovate GitHub App Token
|
||||
|
||||
on:
|
||||
workflow_call:
|
||||
outputs:
|
||||
token:
|
||||
description: "Short-lived GitHub App installation token"
|
||||
value: ${{ jobs.app-token.outputs.token }}
|
||||
|
||||
jobs:
|
||||
app-token:
|
||||
runs-on: runners-privilegedescalation
|
||||
outputs:
|
||||
token: ${{ steps.app-token.outputs.token }}
|
||||
steps:
|
||||
- name: Generate GitHub App token
|
||||
id: app-token
|
||||
uses: actions/create-github-app-token@v3
|
||||
with:
|
||||
app-id: ${{ secrets.RELEASE_APP_ID }}
|
||||
private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
|
||||
@@ -5,9 +5,3 @@ dist/
|
||||
.env
|
||||
.env.local
|
||||
.eslintcache
|
||||
|
||||
# E2E
|
||||
e2e/.auth/
|
||||
.env.e2e
|
||||
playwright-report/
|
||||
test-results/
|
||||
|
||||
@@ -1,53 +0,0 @@
|
||||
{
|
||||
"config": {
|
||||
// Line length — not enforced for docs with code examples
|
||||
"MD013": false,
|
||||
// First line heading — files use YAML frontmatter, not headings
|
||||
"MD041": false,
|
||||
// Emphasis as heading — common pattern for Option 1/2/3 sections
|
||||
"MD036": false,
|
||||
// No duplicate heading — changelog files repeat section names intentionally
|
||||
"MD024": false,
|
||||
// Fenced code language — not always applicable for diagram blocks
|
||||
"MD040": false,
|
||||
// Table column style — table alignment is visual, not semantic
|
||||
"MD060": false,
|
||||
// Ordered list item prefix — number resets are intentional in documents
|
||||
"MD029": false,
|
||||
// No inline HTML — each elements are valid in valid Markdown
|
||||
"MD033": false,
|
||||
// List marker space — spacing after list markers varies by editor
|
||||
"MD030": false,
|
||||
// Blanks around headings — not always needed in compact docs
|
||||
"MD022": false,
|
||||
// Blanks around lists — not always needed in compact docs
|
||||
"MD032": false,
|
||||
// Blanks around fences — not always needed between adjacent blocks
|
||||
"MD031": false,
|
||||
// Multiple blanks — editor artifacts, not semantic
|
||||
"MD012": false,
|
||||
// Single title — files may have multiple H1 sections
|
||||
"MD025": false,
|
||||
// Trailing spaces — editor artifacts
|
||||
"MD009": false,
|
||||
// Bare URLs — URL shortening not always needed
|
||||
"MD034": false,
|
||||
// Single trailing newline — editor artifacts
|
||||
"MD047": false,
|
||||
// Trailing punctuation — heading punctuation is intentional
|
||||
"MD026": false,
|
||||
// Space in emphasis — double-asterisk bold spacing varies by renderer
|
||||
"MD037": false,
|
||||
// No hard tabs — some generated docs use tabs for indentation
|
||||
"MD010": false,
|
||||
// Code block style — generated docs may use inconsistent styles
|
||||
"MD046": false,
|
||||
// Comment style — generated docs have no comments
|
||||
"MD048": false,
|
||||
// Commands show output — shell examples intentionally show only commands
|
||||
"MD014": false
|
||||
},
|
||||
"ignores": [
|
||||
"docs/api-reference/generated/**"
|
||||
]
|
||||
}
|
||||
@@ -1 +0,0 @@
|
||||
docs/api-reference/generated/**
|
||||
@@ -66,7 +66,7 @@ npm run lint # ESLint
|
||||
|
||||
| Symptom | Cause | Fix |
|
||||
|---------|-------|-----|
|
||||
| "kube-vip Not Detected" | No kube-vip pods in kube-system | Install kube-vip per https://kube-vip.io/docs/installation/ |
|
||||
| "kube-vip Not Detected" | No kube-vip pods in kube-system namespace | Install kube-vip per https://kube-vip.io/docs/installation/ |
|
||||
| No IP pools shown | kubevip ConfigMap not found | Install kube-vip-cloud-provider |
|
||||
| Services show "Pending" VIP | No IP pool configured or pool exhausted | Add IP ranges to kubevip ConfigMap |
|
||||
| Leader shows "—" | No kube-vip leases found | Verify leader election is enabled (`vip_leaderelection=true`) |
|
||||
|
||||
-25
@@ -22,28 +22,3 @@ All data is fetched through Headlamp's built-in API proxy, which respects the us
|
||||
## Reporting a Vulnerability
|
||||
|
||||
Please report security vulnerabilities by opening a private issue or emailing the maintainers directly.
|
||||
|
||||
## Known Low-Severity Vulnerabilities
|
||||
|
||||
### GHSA-848j-6mx2-7j84 (elliptic)
|
||||
|
||||
**Severity:** High (but not exploitable in this plugin's context)
|
||||
|
||||
**Affected component:** `elliptic` (transitive, via `vite-plugin-node-polyfills` → `node-stdlib-browser` → `crypto-browserify` → `browserify-sign`)
|
||||
|
||||
**Description:** The elliptic library used in this plugin's development dependencies contains a prototype pollution vulnerability. This plugin is a **read-only** Headlamp plugin that never executes any cryptographic operations at runtime. The vulnerable code path requires:
|
||||
- Use of `elliptic` curve operations on untrusted input, AND
|
||||
- Ability for an attacker to influence the `elliptic` curve key generation input
|
||||
|
||||
Neither condition is met in this plugin's runtime context.
|
||||
|
||||
**Remediation:** No patched version of `elliptic` exists on npm. The current override in `package.json` (`"elliptic": ">=6.6.1"`) is a placeholder — no resolvable version satisfies this constraint.
|
||||
|
||||
**Risk acceptance rationale:**
|
||||
1. Plugin has no write operations against the cluster
|
||||
2. All data flows through Headlamp's API proxy with standard RBAC enforcement
|
||||
3. The vulnerable dependency is only in the development/build toolchain, not runtime
|
||||
4. No untrusted input can reach `elliptic` curve operations through this plugin
|
||||
|
||||
**Review date:** 2026-05-05
|
||||
**Reviewed by:** Hugh Hackman (VP Engineering Operations)
|
||||
|
||||
Generated
+19853
File diff suppressed because it is too large
Load Diff
+1
-2
@@ -33,8 +33,7 @@
|
||||
"tar": "^7.5.11",
|
||||
"undici": "^7.24.3",
|
||||
"lodash": ">=4.18.0",
|
||||
"vite": ">=6.4.2",
|
||||
"elliptic": ">=6.6.1"
|
||||
"vite": ">=6.4.2"
|
||||
},
|
||||
"devDependencies": {
|
||||
"@headlamp-k8s/eslint-config": "^0.6.0",
|
||||
|
||||
Generated
+266
-304
File diff suppressed because it is too large
Load Diff
@@ -21,6 +21,7 @@ import {
|
||||
isEgressEnabled,
|
||||
isKubeVipService,
|
||||
isPodReady,
|
||||
KUBE_VIP_NAMESPACE,
|
||||
phaseToStatus,
|
||||
} from '../api/k8s';
|
||||
import { useKubeVipContext } from '../api/KubeVipDataContext';
|
||||
@@ -105,7 +106,7 @@ export default function OverviewPage() {
|
||||
{
|
||||
name: 'Status',
|
||||
value: (
|
||||
<StatusLabel status="error">No kube-vip pods found in kube-system</StatusLabel>
|
||||
<StatusLabel status="error">No kube-vip pods found in {KUBE_VIP_NAMESPACE}</StatusLabel>
|
||||
),
|
||||
},
|
||||
{
|
||||
|
||||
Reference in New Issue
Block a user