[release-1.11] sync with upstream to include CVE patches (#472)

* [release-1.11] fix securityContext for Knative Service Pod (user-container and queue-proxy) (knative#14378)

* add seccompProfile to queue container security context

* run as non root by default

* update tests to expect new default run as nonroot

---------

Co-authored-by: Clay Kauzlaric <ckauzlaric@vmware.com>

* Leave a comment which will trigger a new dot release (knative#14500)

* [release-1.11] bump x/net to v0.17 (knative#14516)

* [release-1.11] bump x/net to v1.17

* Re-generate test/config/tls/cert-secret.yaml (knative#14324)

* Run hack/update-codegen.sh --upgrade --release 1.11

* Update secure-pod-defaults patch

---------

Co-authored-by: Knative Prow Robot <automation+prow-robot@knative.team>
Co-authored-by: Clay Kauzlaric <ckauzlaric@vmware.com>
Co-authored-by: Kenjiro Nakayama <nakayamakenjiro@gmail.com>

go.mod

@@ -1,5 +1,9 @@
 module knative.dev/serving
 
+// This comment was added so CI would trigger a point release with a
+// newer version of Go
+// Fixes: https://groups.google.com/g/golang-announce/c/iNNxDTCjZvo
+
 go 1.18
 
 require (
@@ -20,7 +24,7 @@ require (
 	go.uber.org/atomic v1.9.0
 	go.uber.org/automaxprocs v1.4.0
 	go.uber.org/zap v1.19.1
-	golang.org/x/net v0.12.0
+	golang.org/x/net v0.17.0
 	golang.org/x/sync v0.2.0
 	golang.org/x/time v0.3.0
 	google.golang.org/api v0.124.0
@@ -34,8 +38,8 @@ require (
 	k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2
 	knative.dev/caching v0.0.0-20230718155311-24ff72399d90
 	knative.dev/hack v0.0.0-20230712131415-ddae80293c43
-	knative.dev/networking v0.0.0-20230718160410-75dcd54d9510
-	knative.dev/pkg v0.0.0-20230718152110-aef227e72ead
+	knative.dev/networking v0.0.0-20231012062757-a5958051caf8
+	knative.dev/pkg v0.0.0-20231011193800-bd99f2f98be7
 	sigs.k8s.io/yaml v1.3.0
 )
 
@@ -135,12 +139,12 @@ require (
 	github.com/tsenart/go-tsz v0.0.0-20180814235614-0bd30b3df1c3 // indirect
 	github.com/vbatts/tar-split v0.11.2 // indirect
 	go.uber.org/multierr v1.6.0 // indirect
-	golang.org/x/crypto v0.11.0 // indirect
+	golang.org/x/crypto v0.14.0 // indirect
 	golang.org/x/mod v0.9.0 // indirect
 	golang.org/x/oauth2 v0.8.0 // indirect
-	golang.org/x/sys v0.10.0 // indirect
-	golang.org/x/term v0.10.0 // indirect
-	golang.org/x/text v0.11.0 // indirect
+	golang.org/x/sys v0.13.0 // indirect
+	golang.org/x/term v0.13.0 // indirect
+	golang.org/x/text v0.13.0 // indirect
 	golang.org/x/tools v0.7.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect

go.sum

@@ -601,8 +601,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220314234659-1baeb1ce4c0b/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA=
-golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio=
+golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc=
+golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
 golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -684,8 +684,8 @@ golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.12.0 h1:cfawfvKITfUsFCeJIHJrbSxpeu/E81khclypR0GVT50=
-golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA=
+golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
+golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -766,13 +766,13 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220825204002-c680a09ffe64/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA=
-golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
+golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.10.0 h1:3R7pNqamzBraeqj/Tj8qt1aQ2HpmlC+Cx/qL/7hn4/c=
-golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o=
+golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek=
+golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -782,8 +782,8 @@ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
-golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4=
-golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -1011,10 +1011,10 @@ knative.dev/caching v0.0.0-20230718155311-24ff72399d90 h1:FTywJXyLNTMA4XbWIXHh+4
 knative.dev/caching v0.0.0-20230718155311-24ff72399d90/go.mod h1:4IprjglzaLM1+/S+7OcMhxL3h15Uh0glFiV4NcJftD8=
 knative.dev/hack v0.0.0-20230712131415-ddae80293c43 h1:3SE06uNfSFGm/5XS+0trbyCUpgsOaBeyhPQU8FPNFz8=
 knative.dev/hack v0.0.0-20230712131415-ddae80293c43/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
-knative.dev/networking v0.0.0-20230718160410-75dcd54d9510 h1:eNbWjEkbtGjCqK5TB4S0CjSSDd4PvyXm+w7bM9/zce4=
-knative.dev/networking v0.0.0-20230718160410-75dcd54d9510/go.mod h1:Vngl91M++hqgoGNIjCii7MXnsEeN3kRbGC1aodhFqbk=
-knative.dev/pkg v0.0.0-20230718152110-aef227e72ead h1:2dDzorpKuVZW3Qp7TbirMMq16FbId8f6bacQFX8jXLw=
-knative.dev/pkg v0.0.0-20230718152110-aef227e72ead/go.mod h1:WmrwRV/P+hGHoMraAEfwg6ec+fBTf+Obu41v354Iabc=
+knative.dev/networking v0.0.0-20231012062757-a5958051caf8 h1:oZMbAAXyiDZUYoQ4qEjL6uxXrL1xBVfEyQJx8sP0XEg=
+knative.dev/networking v0.0.0-20231012062757-a5958051caf8/go.mod h1:XwZwqJoLZR92N6F/sj8lHxttnry/Kiz+OgG8+uVuYn0=
+knative.dev/pkg v0.0.0-20231011193800-bd99f2f98be7 h1:y3qbfYX1SuSr/1ysXvKfpV8q/kCwWLWieCUgAhBUHmQ=
+knative.dev/pkg v0.0.0-20231011193800-bd99f2f98be7/go.mod h1:g+UCgSKQ2f15kHYu/V3CPtoKo5F1x/2Y1ot0NSK7gA0=
 pgregory.net/rapid v0.3.3 h1:jCjBsY4ln4Atz78QoBWxUEvAHaFyNDQg9+WU62aCn1U=
 pgregory.net/rapid v0.3.3/go.mod h1:UYpPVyjFHzYBGHIxLFoupi8vwk6rXNzRY9OMvVxFIOU=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=

openshift/patches/010-secure-pod-defaults.patch

@@ -1,8 +1,8 @@
 diff --git a/pkg/apis/serving/v1/revision_defaults.go b/pkg/apis/serving/v1/revision_defaults.go
-index 8acbf3446..48c439b4a 100644
+index 2b3f5f2f2..b0960e6c3 100644
 --- a/pkg/apis/serving/v1/revision_defaults.go
 +++ b/pkg/apis/serving/v1/revision_defaults.go
-@@ -184,21 +184,14 @@ func (rs *RevisionSpec) defaultSecurityContext(psc *corev1.PodSecurityContext, c
+@@ -189,21 +189,14 @@ func (rs *RevisionSpec) defaultSecurityContext(psc *corev1.PodSecurityContext, c
  	if updatedSC.AllowPrivilegeEscalation == nil {
  		updatedSC.AllowPrivilegeEscalation = ptr.Bool(false)
  	}
@@ -26,24 +26,28 @@ index 8acbf3446..48c439b4a 100644
  				needsLowPort = true
  				break
  			}
-@@ -207,7 +200,9 @@ func (rs *RevisionSpec) defaultSecurityContext(psc *corev1.PodSecurityContext, c
+@@ -212,11 +205,9 @@ func (rs *RevisionSpec) defaultSecurityContext(psc *corev1.PodSecurityContext, c
  			updatedSC.Capabilities.Add = []corev1.Capability{"NET_BIND_SERVICE"}
  		}
  	}
 -
+-	if psc.RunAsNonRoot == nil {
 +	if psc.RunAsNonRoot == nil && updatedSC.RunAsNonRoot == nil {
-+		updatedSC.RunAsNonRoot = ptr.Bool(true)
-+	}
+ 		updatedSC.RunAsNonRoot = ptr.Bool(true)
+ 	}
+-
  	if *updatedSC != (corev1.SecurityContext{}) {
  		container.SecurityContext = updatedSC
  	}
 diff --git a/pkg/apis/serving/v1/revision_defaults_test.go b/pkg/apis/serving/v1/revision_defaults_test.go
-index 332fecfb4..401cac325 100644
+index 0fe5e6507..401cac325 100644
 --- a/pkg/apis/serving/v1/revision_defaults_test.go
 +++ b/pkg/apis/serving/v1/revision_defaults_test.go
-@@ -901,9 +901,7 @@ func TestRevisionDefaulting(t *testing.T) {
+@@ -900,11 +900,8 @@ func TestRevisionDefaulting(t *testing.T) {
+ 						ReadinessProbe: defaultProbe,
  						Resources:      defaultResources,
  						SecurityContext: &corev1.SecurityContext{
+-							RunAsNonRoot:             ptr.Bool(true),
  							AllowPrivilegeEscalation: ptr.Bool(false),
 -							SeccompProfile: &corev1.SeccompProfile{
 -								Type: corev1.SeccompProfileTypeRuntimeDefault,
@@ -52,9 +56,11 @@ index 332fecfb4..401cac325 100644
  							Capabilities: &corev1.Capabilities{
  								Drop: []corev1.Capability{"ALL"},
  								Add:  []corev1.Capability{"NET_BIND_SERVICE"},
-@@ -914,9 +912,7 @@ func TestRevisionDefaulting(t *testing.T) {
+@@ -914,11 +911,8 @@ func TestRevisionDefaulting(t *testing.T) {
+ 						Name:      "sidecar",
  						Resources: defaultResources,
  						SecurityContext: &corev1.SecurityContext{
+-							RunAsNonRoot:             ptr.Bool(true),
  							AllowPrivilegeEscalation: ptr.Bool(false),
 -							SeccompProfile: &corev1.SeccompProfile{
 -								Type: corev1.SeccompProfileTypeRuntimeDefault,
@@ -63,9 +69,11 @@ index 332fecfb4..401cac325 100644
  							Capabilities: &corev1.Capabilities{
  								Drop: []corev1.Capability{"ALL"},
  							},
-@@ -926,9 +922,7 @@ func TestRevisionDefaulting(t *testing.T) {
+@@ -927,11 +921,8 @@ func TestRevisionDefaulting(t *testing.T) {
+ 						Name:      "special-sidecar",
  						Resources: defaultResources,
  						SecurityContext: &corev1.SecurityContext{
+-							RunAsNonRoot:             ptr.Bool(true),
  							AllowPrivilegeEscalation: ptr.Bool(true),
 -							SeccompProfile: &corev1.SeccompProfile{
 -								Type: corev1.SeccompProfileTypeRuntimeDefault,
@@ -74,25 +82,35 @@ index 332fecfb4..401cac325 100644
  							Capabilities: &corev1.Capabilities{
  								Add:  []corev1.Capability{"NET_ADMIN"},
  								Drop: []corev1.Capability{},
-@@ -943,6 +937,7 @@ func TestRevisionDefaulting(t *testing.T) {
+@@ -941,12 +932,12 @@ func TestRevisionDefaulting(t *testing.T) {
+ 					InitContainers: []corev1.Container{{
+ 						Name: "special-init",
+ 						SecurityContext: &corev1.SecurityContext{
+-							RunAsNonRoot:             ptr.Bool(true),
+ 							AllowPrivilegeEscalation: ptr.Bool(true),
+ 							SeccompProfile: &corev1.SeccompProfile{
  								Type:             corev1.SeccompProfileTypeLocalhost,
  								LocalhostProfile: ptr.String("special"),
  							},
 +							RunAsNonRoot: ptr.Bool(true),
  							Capabilities: &corev1.Capabilities{
  								Add: []corev1.Capability{"NET_ADMIN"},
  							},
-@@ -1001,6 +996,7 @@ func TestRevisionDefaulting(t *testing.T) {
+@@ -1004,8 +995,8 @@ func TestRevisionDefaulting(t *testing.T) {
+ 						ReadinessProbe: defaultProbe,
  						Resources:      defaultResources,
  						SecurityContext: &corev1.SecurityContext{
+-							RunAsNonRoot:             ptr.Bool(true),
  							AllowPrivilegeEscalation: ptr.Bool(false),
 +							RunAsNonRoot:             ptr.Bool(true),
  							Capabilities: &corev1.Capabilities{
  								Drop: []corev1.Capability{"ALL"},
  							},
-@@ -1010,6 +1006,7 @@ func TestRevisionDefaulting(t *testing.T) {
+@@ -1014,8 +1005,8 @@ func TestRevisionDefaulting(t *testing.T) {
+ 					InitContainers: []corev1.Container{{
  						Name: "init",
  						SecurityContext: &corev1.SecurityContext{
+-							RunAsNonRoot:             ptr.Bool(true),
  							AllowPrivilegeEscalation: ptr.Bool(false),
 +							RunAsNonRoot:             ptr.Bool(true),
  							Capabilities: &corev1.Capabilities{
@@ -112,3 +130,17 @@ index af1498dee..96e4839a9 100644
  }
 
  func TestUnsafePermitted(t *testing.T) {
+diff --git a/pkg/reconciler/revision/resources/queue.go b/pkg/reconciler/revision/resources/queue.go
+index 1fb964a53..b8cd617ef 100644
+--- a/pkg/reconciler/revision/resources/queue.go
++++ b/pkg/reconciler/revision/resources/queue.go
+@@ -86,9 +86,6 @@ var (
+ 		Capabilities: &corev1.Capabilities{
+ 			Drop: []corev1.Capability{"ALL"},
+ 		},
+-		SeccompProfile: &corev1.SeccompProfile{
+-			Type: corev1.SeccompProfileTypeRuntimeDefault,
+-		},
+ 	}
+ )
+