Files
kubernetes/staging
Davanum Srinivas c825d80bbf Update security-critical authentication and protobuf dependencies
This PR updates security-critical dependencies addressing authentication
and data parsing vulnerabilities.

**Authentication Security:**
- github.com/coreos/go-oidc: v2.3.0 -> v2.5.0
  - Security fix: Now verifies token signature BEFORE validating payload
  - Prevents potential processing of tampered tokens before cryptographic
    verification

- github.com/cyphar/filepath-securejoin: v0.6.0 -> v0.6.1
  - Security fix: Fixed seccomp fallback logic - library now properly falls
    back to safer O_PATH resolver when openat2(2) is denied by seccomp-bpf
  - Fixed file descriptor leak in openat2 wrapper during RESOLVE_IN_ROOT

- cyphar.com/go-pathrs: v0.2.1 -> v0.2.2
  - Companion update to filepath-securejoin

**Protobuf Security:**
- google.golang.org/protobuf: v1.36.8 -> v1.36.11
  - Security fix: Added recursion limit check in lazy decoding validation
  - Prevents potential stack exhaustion attacks via maliciously crafted
    protobuf messages
  - Also adds support for URL chars in type URLs in text-format

These updates are critical for:
- OIDC authentication in kube-apiserver
- Container filesystem path resolution (used by container runtimes)
- Protobuf message parsing throughout the codebase

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2026-01-13 16:56:16 -05:00
..
2025-12-05 13:59:29 +01:00

External Repository Staging Area

This directory is the staging area for packages that have been split to their own repository. The content here will be periodically published to respective top-level k8s.io repositories.

Repositories currently staged here:

The code in the staging/ directory is authoritative, i.e. the only copy of the code. You can directly modify such code.

Using staged repositories from Kubernetes code

Kubernetes code uses the repositories in this directory via a Go workspace and module replace statements. For example, when Kubernetes code imports a package from the k8s.io/client-go repository, that import is resolved to staging/src/k8s.io/client-go relative to the project root:

// pkg/example/some_code.go
package example

import (
  "k8s.io/client-go/dynamic" // resolves to staging/src/k8s.io/client-go/dynamic
)

Creating a new repository in staging

Adding the staging repository in kubernetes/kubernetes:

  1. Send an email to the SIG Architecture mailing list and the mailing list of the SIG which would own the repo requesting approval for creating the staging repository.

  2. Once approval has been granted, create the new staging repository.

  3. Update import-restrictions.yaml to add the list of other staging repos that this new repo can import.

  4. Add all mandatory template files to the staging repo as mentioned in https://github.com/kubernetes/kubernetes-template-project.

  5. Make sure that the .github/PULL_REQUEST_TEMPLATE.md and CONTRIBUTING.md files mention that PRs are not directly accepted to the repo.

  6. Ensure that docs.go file is added. Refer to #kubernetes/kubernetes#91354 for reference.

  7. NOTE: Do not edit go.mod or go.sum in the new repo (staging/src/k8s.io//) manually. Run the following instead:

  ./hack/update-vendor.sh

Creating the published repository

  1. Create an issue in the kubernetes/org repo to request creation of the respective published repository in the Kubernetes org. The published repository must have an initial empty commit. It also needs specific access rules and branch settings. See #kubernetes/org#58 for an example.

  2. Setup branch protection and enable access to the stage-bots team by adding the repo in prow/config.yaml. See #kubernetes/test-infra#9292 for an example.

  3. Once the repository has been created in the Kubernetes org, update the publishing-bot to publish the staging repository by updating:

    • rules.yaml: Make sure that the list of dependencies reflects the staging repos in the Godeps.json file.

    • repos.sh: Add the staging repo in the list of repos to be published.

  4. Add the staging and published repositories as a subproject for the SIG that owns the repos in sigs.yaml.

  5. Add the repo to the list of staging repos in this README.md file.