
Commit ec3d2ef

Fixing telegraf vulnerability (#716)
1 parent 7389a1b commit ec3d2ef


5 files changed

+70
-67
lines changed

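--- a/kubernetes/linux/setup.sh
+++ b/kubernetes/linux/setup.sh
@@ -35,7 +35,7 @@ tar -zxvf telegraf-1.20.3_linux_amd64.tar.gz
 
 mv /opt/telegraf-1.20.3/usr/bin/telegraf /opt/telegraf
 
-chmod 777 /opt/telegraf
+chmod 544 /opt/telegraf
 
 # Use wildcard version so that it doesnt require to touch this file
 /$TMPDIR/docker-cimprov-*.*.*-*.x86_64.sh --install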
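Review bot: `chmod 544 /opt/telegraf` leaves the execute bit on the owner only, so the binary can be started solely by the user that owns the file; the hunk does not show which user runs telegraf, and a non-owner agent process would get "permission denied" at start-up. If every consumer runs as the owner, the mode is fine but the intent should be written down, for example `# owner-only execute: telegraf is started by the same user that installs it` above the line. If any other user has to launch it, `chmod 555 /opt/telegraf` still removes the write bits that 777 granted while keeping it runnable.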

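--- a/kubernetes/omsagent.yaml
+++ b/kubernetes/omsagent.yaml
@@ -453,65 +453,65 @@ spec:
 periodSeconds: 60
 timeoutSeconds: 15
 #Only in sidecar scraping mode
-# - name: omsagent-prometheus
-# image: "mcr.microsoft.com/azuremonitor/containerinsights/ciprod:ciprod01312022"
-# imagePullPolicy: IfNotPresent
-# resources:
-# limits:
-# cpu: 500m
-# memory: 1Gi
-# requests:
-# cpu: 75m
-# memory: 225Mi
-# env:
-# # azure devops pipeline uses AKS_RESOURCE_ID and AKS_REGION hence ensure to uncomment these
-# - name: AKS_CLUSTER_NAME
-# value: "VALUE_AKS_CLUSTER_NAME"
-# - name: AKS_RESOURCE_ID
-# value: "VALUE_AKS_RESOURCE_ID_VALUE"
-# - name: AKS_REGION
-# value: "VALUE_AKS_RESOURCE_REGION_VALUE"
-# - name: AKS_NODE_RESOURCE_GROUP
-# value: "VALUE_AKS_NODE_RESOURCE_GROUP"
-# #Uncomment below two lines for ACS clusters and set the cluster names manually. Also comment out the above two lines for ACS clusters
-# #- name: ACS_RESOURCE_NAME
-# # value: "my_acs_cluster_name"
-# - name: CONTAINER_TYPE
-# value: "PrometheusSidecar"
-# - name: CONTROLLER_TYPE
-# value: "DaemonSet"
-# - name: NODE_IP
-# valueFrom:
-# fieldRef:
-# fieldPath: status.hostIP
-# # Update this with the user assigned msi client id for omsagent
-# - name: USER_ASSIGNED_IDENTITY_CLIENT_ID
-# value: "VALUE_USER_ASSIGNED_IDENTITY_CLIENT_ID_VALUE"
-# - name: USING_AAD_MSI_AUTH
-# value: "false"
-# securityContext:
-# privileged: true
-# volumeMounts:
-# - mountPath: /etc/kubernetes/host
-# name: azure-json-path
-# - mountPath: /etc/omsagent-secret
-# name: omsagent-secret
-# readOnly: true
-# - mountPath: /etc/config/settings
-# name: settings-vol-config
-# readOnly: true
-# - mountPath: /etc/config/osm-settings
-# name: osm-settings-vol-config
-# readOnly: true
-# livenessProbe:
-# exec:
-# command:
-# - /bin/bash
-# - -c
-# - /opt/livenessprobe.sh
-# initialDelaySeconds: 60
-# periodSeconds: 60
-# timeoutSeconds: 15
+- name: omsagent-prometheus
+image: "mcr.microsoft.com/azuremonitor/containerinsights/ciprod:ciprod01312022"
+imagePullPolicy: IfNotPresent
+resources:
+limits:
+cpu: 500m
+memory: 1Gi
+requests:
+cpu: 75m
+memory: 225Mi
+env:
+# azure devops pipeline uses AKS_RESOURCE_ID and AKS_REGION hence ensure to uncomment these
+- name: AKS_CLUSTER_NAME
+value: "VALUE_AKS_CLUSTER_NAME"
+- name: AKS_RESOURCE_ID
+value: "VALUE_AKS_RESOURCE_ID_VALUE"
+- name: AKS_REGION
+value: "VALUE_AKS_RESOURCE_REGION_VALUE"
+- name: AKS_NODE_RESOURCE_GROUP
+value: "VALUE_AKS_NODE_RESOURCE_GROUP"
+#Uncomment below two lines for ACS clusters and set the cluster names manually. Also comment out the above two lines for ACS clusters
+#- name: ACS_RESOURCE_NAME
+# value: "my_acs_cluster_name"
+- name: CONTAINER_TYPE
+value: "PrometheusSidecar"
+- name: CONTROLLER_TYPE
+value: "DaemonSet"
+- name: NODE_IP
+valueFrom:
+fieldRef:
+fieldPath: status.hostIP
+# Update this with the user assigned msi client id for omsagent
+- name: USER_ASSIGNED_IDENTITY_CLIENT_ID
+value: "VALUE_USER_ASSIGNED_IDENTITY_CLIENT_ID_VALUE"
+- name: USING_AAD_MSI_AUTH
+value: "false"
+securityContext:
+privileged: true
+volumeMounts:
+- mountPath: /etc/kubernetes/host
+name: azure-json-path
+- mountPath: /etc/omsagent-secret
+name: omsagent-secret
+readOnly: true
+- mountPath: /etc/config/settings
+name: settings-vol-config
+readOnly: true
+- mountPath: /etc/config/osm-settings
+name: osm-settings-vol-config
+readOnly: true
+livenessProbe:
+exec:
+command:
+- /bin/bash
+- -c
+- /opt/livenessprobe.sh
+initialDelaySeconds: 60
+periodSeconds: 60
+timeoutSeconds: 15
 affinity:
 nodeAffinity:
 requiredDuringSchedulingIgnoredDuringExecution:
@@ -634,7 +634,7 @@ spec:
 value: "VALUE_USER_ASSIGNED_IDENTITY_CLIENT_ID_VALUE"
 # Add the below environment variable to true only in sidecar enabled regions, else set it to false
 - name: SIDECAR_SCRAPING_ENABLED
-value: "false"
+value: "true"
 - name: USING_AAD_MSI_AUTH
 value: "false"
 securityContext:
@@ -811,7 +811,7 @@ spec:
 fieldRef:
 fieldPath: status.hostIP
 - name: SIDECAR_SCRAPING_ENABLED
-value: "false"
+value: "true"
 # Update this with the user assigned msi client id for omsagent
 - name: USER_ASSIGNED_IDENTITY_CLIENT_ID
 value: "VALUE_USER_ASSIGNED_IDENTITY_CLIENT_ID_VALUE"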
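Review bot: The newly enabled `omsagent-prometheus` container (new lines 456–514) runs with `securityContext: privileged: true` while also mounting `omsagent-secret` and the host path behind `azure-json-path`, so a commit titled as a vulnerability fix adds a second fully privileged container to every pod. If the sidecar only scrapes Prometheus endpoints over the network it presumably does not need host-level privilege; consider `privileged: false` with `allowPrivilegeEscalation: false`, or at least a comment stating which operation requires privileged mode. The hunks at new lines 637 and 814 flip `SIDECAR_SCRAPING_ENABLED` to `"true"` in the default manifest, although the comment at line 635 says to do so only in sidecar-enabled regions, and the env comment at new line 467 still says "ensure to uncomment these" after everything has been uncommented. The image is also referenced by the mutable tag `ciprod01312022`; pinning it by digest would make the deployed bits verifiable.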

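--- a/scripts/build/linux/install-build-pre-requisites.sh
+++ b/scripts/build/linux/install-build-pre-requisites.sh
@@ -16,7 +16,7 @@ install_go_lang()
 sudo tar -xvf go1.15.14.linux-amd64.tar.gz
 sudo mv -f go /usr/local
 echo "set file permission for go bin"
-sudo chmod 777 /usr/local/go/bin
+sudo chmod 744 /usr/local/go/bin
 echo "installation of go 1.15.14 completed."
 echo "installation of go 1.15.14 completed."
 fi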
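Review bot: `/usr/local/go/bin` is a directory, and mode 744 removes the search (execute) bit for group and others, so any user other than the directory's owner can list the names in it but cannot run `go` or `gofmt` from it. Because the tree is extracted and moved with `sudo`, the owner is most likely root, which would break builds run by an unprivileged user. The usual mode for a shared bin directory is `sudo chmod 755 /usr/local/go/bin`, which still drops the world-writable bit that 777 set. The body of `install_go_lang` starts and ends outside this hunk.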

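--- a/source/plugins/go/src/go.mod
+++ b/source/plugins/go/src/go.mod
@@ -7,8 +7,8 @@ require (
 github.com/Azure/go-autorest/autorest/azure/auth v0.5.11
 github.com/fluent/fluent-bit-go v0.0.0-20171103221316-c4a158a6e3a7
 github.com/golang/mock v1.4.1
-github.com/google/uuid v1.2.0
-github.com/microsoft/ApplicationInsights-Go v0.4.3
+github.com/google/uuid v1.3.0
+github.com/microsoft/ApplicationInsights-Go v0.4.4
 github.com/philhofer/fwd v1.1.1 // indirect
 github.com/tinylib/msgp v1.1.2
 github.com/ugorji/go v1.1.2-0.20180813092308-00b869d2f4a5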

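--- a/source/plugins/go/src/go.sum
+++ b/source/plugins/go/src/go.sum
@@ -106,6 +106,7 @@ github.com/go-openapi/jsonreference v0.19.3/go.mod h1:rjx6GuL8TTa9VaixXglHmQmIL9
 github.com/go-openapi/spec v0.19.3/go.mod h1:FpwSN1ksY1eteniUU7X0N/BgJ7a4WvBFVA8Lj9mJglo=
 github.com/go-openapi/swag v0.19.2/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
 github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
+github.com/gofrs/uuid v3.3.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gofrs/uuid v4.2.0+incompatible h1:yyYWMnhkhrKwwr8gAOcOCYxOOscHgDS9yZgBrnJfGa0=
 github.com/gofrs/uuid v4.2.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
@@ -162,6 +163,8 @@ github.com/google/uuid v1.1.2 h1:EVhdT+1Kseyi1/pUmXKaFxYsDNy9RQYkMWRH68J/W7Y=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.2.0 h1:qJYtXnJRWmpe7m/3XlyhrsLrEURqHRM2kxzoxXqyUDs=
 github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/googleapis/gnostic v0.4.1 h1:DLJCy1n/vrD4HPjOvYcT8aYQXpPIzoRZONaYwyycI+I=
@@ -198,6 +201,8 @@ github.com/mattn/go-ieproxy v0.0.1 h1:qiyop7gCflfhwCzGyeT0gro3sF9AIg9HU98JORTkqf
 github.com/mattn/go-ieproxy v0.0.1/go.mod h1:pYabZ6IHcRpFh7vIaLfK7rdcWgFEb3SFJ6/gNWuh88E=
 github.com/microsoft/ApplicationInsights-Go v0.4.3 h1:gBuy5rM3o6Zo69QTkq1Ens8wx6sVf+mpgMjjfayiRcw=
 github.com/microsoft/ApplicationInsights-Go v0.4.3/go.mod h1:ih0t3h84PdzV1qGeUs89o9wL8eCuwf24M7TZp/nyqXk=
+github.com/microsoft/ApplicationInsights-Go v0.4.4 h1:G4+H9WNs6ygSCe6sUyxRc2U81TI5Es90b2t/MwX5KqY=
+github.com/microsoft/ApplicationInsights-Go v0.4.4/go.mod h1:fKRUseBqkw6bDiXTs3ESTiU/4YTIHsQS4W3fP2ieF4U=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
@@ -232,8 +237,6 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/satori/go.uuid v1.2.0 h1:0uYX9dsZ2yD7q2RtLRtPSdGDWzjeM3TbMJP9utgA0ww=
-github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
 github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
 github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=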
