From c9ad88301ed53733589adc6ade90ffc6e977e668 Mon Sep 17 00:00:00 2001
From: Brendan Burns
Date: Thu, 16 Jun 2022 22:09:26 +0000
Subject: [PATCH 1/2] Add interactive configuration to exec provider.
---
 kubernetes/base/config/exec_provider.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/kubernetes/base/config/exec_provider.py b/kubernetes/base/config/exec_provider.py
index 08f0af2fb..3f9c8ca0d 100644
--- a/kubernetes/base/config/exec_provider.py
+++ b/kubernetes/base/config/exec_provider.py
@@ -57,11 +57,12 @@ class ExecProvider(object):
 self.cwd = cwd or None
 def run(self, previous_response=None):
+ is_interactive = sys.stdout.isatty()
 kubernetes_exec_info = {
 'apiVersion': self.api_version,
 'kind': 'ExecCredential',
 'spec': {
- 'interactive': sys.stdout.isatty()
+ 'interactive': is_interactive
 }
 }
 if previous_response:
@@ -70,7 +71,8 @@ class ExecProvider(object):
 process = subprocess.Popen(
 self.args,
 stdout=subprocess.PIPE,
- stderr=subprocess.PIPE,
+ stderr=sys.stderr if is_interactive else subprocess.PIPE,
+ stdin=sys.stdin if is_interactive else None,
 cwd=self.cwd,
 env=self.env,
 universal_newlines=True)
From 51badbcdbb3a905b9f79a60fc231ce69ec7e4c4a Mon Sep 17 00:00:00 2001
From: Erich Fussi
Date: Thu, 7 Jul 2022 21:21:43 +0000
Subject: [PATCH 2/2] Add 'usedforsecurity=False' parameter to md5 call
This allows to execute in a restricted environment, like a FIPS-enabled Kubernetes cluster.
See https://docs.python.org/3/library/hashlib.html#hash-algorithms:
> False indicates that the hashing algorithm is [used] as a
> non-cryptographic one-way compression function.
---
 kubernetes/base/dynamic/discovery.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kubernetes/base/dynamic/discovery.py b/kubernetes/base/dynamic/discovery.py
index dbf94101b..4acf7cf24 100644
--- a/kubernetes/base/dynamic/discovery.py
+++ b/kubernetes/base/dynamic/discovery.py
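Review bot: In the first exec_provider.py hunk, `is_interactive` is taken from `sys.stdout.isatty()`, yet the second hunk uses it to decide whether the credential plugin inherits the parent's stdin and stderr. With stdout on a terminal and stdin redirected, the plugin is told `'interactive': True` and handed a stdin that is not a terminal. Deciding on the stream that is actually passed through would be more accurate, e.g. `is_interactive = sys.stdin is not None and sys.stdin.isatty()`. A one-line comment such as `# interactive: the plugin may prompt the user; it then shares our stdin/stderr` would also document why one flag drives both the request and the Popen wiring. `run` starts inside this hunk and continues past it.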
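Review bot: In the second exec_provider.py hunk, passing `stderr=sys.stderr` means `communicate()` returns `None` for stderr in the interactive case, so whatever `run` does with the captured stderr after the `Popen` call (not visible in this hunk) must tolerate `None`. If it calls a string method on that value, a failing plugin would raise an unrelated exception and hide the real error. Guard the read with something like `stderr = (stderr or '').strip()`, and put a comment next to the `Popen` call stating that plugin diagnostics are not captured when interactive. `sys.stdin` and `sys.stderr` may also have been replaced by objects without a file descriptor (output capture, embedded interpreters), which makes `Popen` fail before the plugin starts, so the pass-through is safest when both are checked for a usable `fileno()` first.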
@@ -45,7 +45,7 @@ class Discoverer(object):
 default_cache_id = self.client.configuration.host
 if six.PY3:
 default_cache_id = default_cache_id.encode('utf-8')
- default_cachefile_name = 'osrcp-{0}.json'.format(hashlib.md5(default_cache_id).hexdigest())
+ default_cachefile_name = 'osrcp-{0}.json'.format(hashlib.md5(default_cache_id, usedforsecurity=False).hexdigest())
 self.__cache_file = cache_file or os.path.join(tempfile.gettempdir(), default_cachefile_name)
 self.__init_cache()
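Review bot: `usedforsecurity` is accepted by `hashlib.md5` only from Python 3.9, so the changed line raises `TypeError` on older interpreters, and the `if six.PY3:` check two lines above shows this code is still meant to run on them. Falling back to the plain call when the keyword is rejected keeps the FIPS benefit without breaking those versions; the sketch below does that and adds a comment saying the digest only names a cache file. Separately, the unchanged line after it still places that cache at a predictable name under `tempfile.gettempdir()`, which another local user on a shared host could pre-create, so a per-user cache directory is worth a follow-up. The enclosing method starts before the hunk.

```python
# … unchanged: default_cache_id computed and encoded …
try:
    # MD5 only derives a cache file name here, it protects nothing;
    # usedforsecurity=False lets FIPS-restricted builds allow the call.
    digest = hashlib.md5(default_cache_id, usedforsecurity=False)
except TypeError:
    # Interpreters older than 3.9 do not know the keyword.
    digest = hashlib.md5(default_cache_id)
default_cachefile_name = 'osrcp-{0}.json'.format(digest.hexdigest())
# … unchanged: cache file path and __init_cache() call …
```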