kubeadm: Fix panic in isCoreDNSVersionSupported

A narrow assumption of what is contained in the `imageID` fields for the CoreDNS pods causes a panic upon upgrade. Fix this by using a proper regex to match a trailing SHA256 image digest in `imageID` or return an error if it cannot find it. Signed-off-by: Rostislav M. Georgiev <rostislavg@vmware.com>
2025-07-23 11:50:44 +00:00 · 2020-03-26 20:24:21 +02:00 · 2020-03-26 20:24:21 +02:00 · fbfd44f337
commit fbfd44f337
parent 9a4b30099e
1 changed files with 12 additions and 2 deletions
--- a/cmd/kubeadm/app/phases/addons/dns/dns.go
+++ b/cmd/kubeadm/app/phases/addons/dns/dns.go
@ -21,6 +21,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"net"
+	"regexp"
 	"strings"

 	"github.com/caddyserver/caddy/caddyfile"
@ -397,6 +398,11 @@ func isCoreDNSConfigMapMigrationRequired(corefile, currentInstalledCoreDNSVersio
 	return isMigrationRequired, nil
 }

+var (
+	// imageDigestMatcher is used to match the SHA256 digest from the ImageID of the CoreDNS pods
+	imageDigestMatcher = regexp.MustCompile(`^.*(?i:sha256:([[:alnum:]]{64}))$`)
+)
+
 func isCoreDNSVersionSupported(client clientset.Interface) (bool, error) {
 	isValidVersion := true
 	coreDNSPodList, err := client.CoreV1().Pods(metav1.NamespaceSystem).List(
@ -410,8 +416,12 @@ func isCoreDNSVersionSupported(client clientset.Interface) (bool, error) {
 	}

 	for _, pod := range coreDNSPodList.Items {
-		imageID := strings.Split(pod.Status.ContainerStatuses[0].ImageID, ":")
-		if !migration.Released(imageID[2]) {
+		imageID := imageDigestMatcher.FindStringSubmatch(pod.Status.ContainerStatuses[0].ImageID)
+		if len(imageID) != 2 {
+			return false, errors.Errorf("unable to match SHA256 digest ID in %q", pod.Status.ContainerStatuses[0].ImageID)
+		}
+		// The actual digest should be at imageID[1]
+		if !migration.Released(imageID[1]) {
 			isValidVersion = false
 		}
 	}