feat: verify binary checksums before execution#797
Conversation
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
056d64b to
ab1b743
Compare
There was a problem hiding this comment.
Pull request overview
This PR adds a “time-of-use” executable integrity check that re-hashes installed sandbox binaries right before they’re executed (or before systemd service startup), closing the post-install tampering/TOCTOU gap that install-time verification can’t cover.
Changes:
- Introduces
software.VerifyExecutables(artifactName)(plus helpers) to verify on-disk binaries against catalog checksums, resolving expected checksums using the version recorded in on-disk state. - Wires reusable
VerifyExecutablesStepinto workflows before systemd starts for kubelet, cri-o, and teleport, and adds inline verification for directly executed binaries (kubeadm/kubectl/cilium/teleport configure, plus cilium acceleration migration). - Adds state-reader support to read recorded per-component software versions without loading full state, plus unit tests for the verifier and workflow-step behavior.
Reviewed changes
Copilot reviewed 17 out of 17 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| pkg/software/teleport_node_agent_installer.go | Adds pre-exec verification before running teleport configure. |
| pkg/software/teleport_node_agent_installer_test.go | Tests that configure aborts when verification fails. |
| pkg/software/exec_verifier.go | Implements catalog/state-aware pre-exec checksum verification and sandbox path resolution. |
| pkg/software/exec_verifier_test.go | Unit tests for verifier core logic and path mapping. |
| pkg/software/crio_installer.go | Extracts CrioArtifactName and shared CRI-O binary path mapping helper. |
| internal/workflows/steps/step_verify_executables.go | Adds reusable workflow step to verify binaries before service start. |
| internal/workflows/steps/step_verify_executables_test.go | Tests success/failure behavior of the new verification step. |
| internal/workflows/steps/step_teleport.go | Inserts verification step before starting teleport systemd service. |
| internal/workflows/steps/step_kubeadm.go | Adds inline verification before invoking kubectl/kubeadm (incl. rollback) and best-effort reset. |
| internal/workflows/steps/step_kubeadm_test.go | Pins expected behavior when kubeadm/kubectl verification fails. |
| internal/workflows/steps/step_cilium.go | Adds inline verification before invoking cilium (install + rollback). |
| internal/workflows/steps/step_cilium_test.go | Pins expected behavior when cilium verification fails. |
| internal/workflows/migration_cilium_acceleration.go | Adds checksum verification before executing cilium upgrade during migration. |
| internal/workflows/migration_cilium_acceleration_test.go | Tests that migration aborts before upgrade when verification fails. |
| internal/workflows/cluster.go | Inserts verification step before kubelet/cri-o systemd service setup. |
| internal/state/state_reader.go | Adds ReadSoftwareVersionFromDisk and YAML shape for extracting per-component versions. |
| internal/state/state_reader_test.go | Tests version extraction via key/name matching logic. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
ab1b743 to
4203872
Compare
Signed-off-by: Rado M <radkomih@gmail.com>
4203872 to
e65e335
Compare
alex-au
left a comment
There was a problem hiding this comment.
Looks great, some nitpicks in the comment. Can I also confirm if the "obsolete CiliumHostLegacyRoutingMigration" has been removed as stated in the PR description?
| Msg("Applying cilium-config (loadBalancer.acceleration=disabled) to existing cluster via 'cilium upgrade'") | ||
|
|
||
| // Verify the cilium binary before executing it. | ||
| if err := verifyCiliumExecutable(); err != nil { |
There was a problem hiding this comment.
This is great, should we do the same before L124 in migration_cilium_host_legacy_routing.go?
Description
This pull request changes the following:
Related Issues