kubernetes: CVE-2020-8551 and CVE-2020-8552

Backport the CVE patches from the upstream: https://github.com/kubernetes/kubernetes.git Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2025-07-19 20:59:41 +02:00 · 2020-05-12 01:52:32 -07:00 · 2020-05-12 01:52:32 -07:00 · 1a8a7996a1
commit 1a8a7996a1
parent 1bb5156095
3 changed files with 475 additions and 0 deletions
--- a/recipes-containers/kubernetes/kubernetes/CVE-2020-8551.patch
+++ b/recipes-containers/kubernetes/kubernetes/CVE-2020-8551.patch
@ -0,0 +1,303 @@
+From 9bae583cb0c46380866c3df5d7a6d26aac335818 Mon Sep 17 00:00:00 2001
+From: Walter Fender <wfender@google.com>
+Date: Thu, 6 Feb 2020 19:10:18 -0800
+Subject: [PATCH] Add code to fix kubelet/metrics memory issue.
+
+Bucketing url paths based on concept/handling.
+Bucketing code placed by handling code to encourage usage.
+Added unit tests.
+Fix format.
+
+CVE: CVE-2020-8551
+Upstream-Status: Backport [https://github.com/kubernetes/kubernetes.git]
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ pkg/kubelet/server/server.go      | 56 ++++++++++++++++++++++++++++---
+ pkg/kubelet/server/server_test.go | 54 ++++++++++++++++++++++++++++-
+ 2 files changed, 105 insertions(+), 5 deletions(-)
+
+diff --git a/src/import/pkg/kubelet/server/server.go b/src/import/pkg/kubelet/server/server.go
+index c1f1975fe43..f924304fc12 100644
+--- a/src/import/pkg/kubelet/server/server.go
+++ b/src/import/pkg/kubelet/server/server.go
+@@ -90,6 +90,7 @@ type Server struct {
+ 	auth                       AuthInterface
+ 	host                       HostInterface
+ 	restfulCont                containerInterface
+	metricsBuckets             map[string]bool
+ 	resourceAnalyzer           stats.ResourceAnalyzer
+ 	redirectContainerStreaming bool
+ }
+@@ -224,6 +225,7 @@ func NewServer(
+ 		resourceAnalyzer:           resourceAnalyzer,
+ 		auth:                       auth,
+ 		restfulCont:                &filteringContainer{Container: restful.NewContainer()},
+		metricsBuckets:             make(map[string]bool),
+ 		redirectContainerStreaming: redirectContainerStreaming,
+ 	}
+ 	if auth != nil {
+@@ -279,14 +281,32 @@ func (s *Server) InstallAuthFilter() {
+ 	})
+ }
+ 
+// addMetricsBucketMatcher adds a regexp matcher and the relevant bucket to use when
+// it matches. Please be aware this is not thread safe and should not be used dynamically
+func (s *Server) addMetricsBucketMatcher(bucket string) {
+	s.metricsBuckets[bucket] = true
+}
+
+// getMetricBucket find the appropriate metrics reporting bucket for the given path
+func (s *Server) getMetricBucket(path string) string {
+	root := getURLRootPath(path)
+	if s.metricsBuckets[root] == true {
+		return root
+	}
+	return "Invalid path"
+}
+
+ // InstallDefaultHandlers registers the default set of supported HTTP request
+ // patterns with the restful Container.
+ func (s *Server) InstallDefaultHandlers(enableCAdvisorJSONEndpoints bool) {
+	s.addMetricsBucketMatcher("healthz")
+ 	healthz.InstallHandler(s.restfulCont,
+ 		healthz.PingHealthz,
+ 		healthz.LogHealthz,
+ 		healthz.NamedCheck("syncloop", s.syncLoopHealthCheck),
+ 	)
+
+	s.addMetricsBucketMatcher("pods")
+ 	ws := new(restful.WebService)
+ 	ws.
+ 		Path("/pods").
+@@ -296,7 +316,14 @@ func (s *Server) InstallDefaultHandlers(enableCAdvisorJSONEndpoints bool) {
+ 		Operation("getPods"))
+ 	s.restfulCont.Add(ws)
+ 
+	s.addMetricsBucketMatcher("stats")
+ 	s.restfulCont.Add(stats.CreateHandlers(statsPath, s.host, s.resourceAnalyzer, enableCAdvisorJSONEndpoints))
+
+	s.addMetricsBucketMatcher("metrics")
+	s.addMetricsBucketMatcher("metrics/cadvisor")
+	s.addMetricsBucketMatcher("metrics/probes")
+	s.addMetricsBucketMatcher("metrics/resource/v1alpha1")
+	s.addMetricsBucketMatcher("metrics/resource")
+ 	//lint:ignore SA1019 https://github.com/kubernetes/enhancements/issues/1206
+ 	s.restfulCont.Handle(metricsPath, legacyregistry.Handler())
+ 
+@@ -316,6 +346,7 @@ func (s *Server) InstallDefaultHandlers(enableCAdvisorJSONEndpoints bool) {
+ 		promhttp.HandlerFor(r, promhttp.HandlerOpts{ErrorHandling: promhttp.ContinueOnError}),
+ 	)
+ 
+	s.addMetricsBucketMatcher("metrics/resource/v1alpha1")
+ 	v1alpha1ResourceRegistry := prometheus.NewRegistry()
+ 	v1alpha1ResourceRegistry.MustRegister(stats.NewPrometheusResourceMetricCollector(s.resourceAnalyzer, v1alpha1.Config()))
+ 	s.restfulCont.Handle(path.Join(resourceMetricsPathPrefix, v1alpha1.Version),
+@@ -325,11 +357,14 @@ func (s *Server) InstallDefaultHandlers(enableCAdvisorJSONEndpoints bool) {
+ 
+ 	p := compbasemetrics.NewKubeRegistry()
+ 	compbasemetrics.RegisterProcessStartTime(p.RawRegister)
+
+	s.addMetricsBucketMatcher("metrics/probes")
+ 	p.MustRegister(prober.ProberResults)
+ 	s.restfulCont.Handle(proberMetricsPath,
+ 		promhttp.HandlerFor(p, promhttp.HandlerOpts{ErrorHandling: promhttp.ContinueOnError}),
+ 	)
+ 
+	s.addMetricsBucketMatcher("spec")
+ 	if enableCAdvisorJSONEndpoints {
+ 		ws := new(restful.WebService)
+ 		ws.
+@@ -349,6 +384,7 @@ const pprofBasePath = "/debug/pprof/"
+ func (s *Server) InstallDebuggingHandlers(criHandler http.Handler) {
+ 	klog.Infof("Adding debug handlers to kubelet server.")
+ 
+	s.addMetricsBucketMatcher("run")
+ 	ws := new(restful.WebService)
+ 	ws.
+ 		Path("/run")
+@@ -360,6 +396,7 @@ func (s *Server) InstallDebuggingHandlers(criHandler http.Handler) {
+ 		Operation("getRun"))
+ 	s.restfulCont.Add(ws)
+ 
+	s.addMetricsBucketMatcher("exec")
+ 	ws = new(restful.WebService)
+ 	ws.
+ 		Path("/exec")
+@@ -377,6 +414,7 @@ func (s *Server) InstallDebuggingHandlers(criHandler http.Handler) {
+ 		Operation("getExec"))
+ 	s.restfulCont.Add(ws)
+ 
+	s.addMetricsBucketMatcher("attach")
+ 	ws = new(restful.WebService)
+ 	ws.
+ 		Path("/attach")
+@@ -394,6 +432,7 @@ func (s *Server) InstallDebuggingHandlers(criHandler http.Handler) {
+ 		Operation("getAttach"))
+ 	s.restfulCont.Add(ws)
+ 
+	s.addMetricsBucketMatcher("portForward")
+ 	ws = new(restful.WebService)
+ 	ws.
+ 		Path("/portForward")
+@@ -411,6 +450,7 @@ func (s *Server) InstallDebuggingHandlers(criHandler http.Handler) {
+ 		Operation("getPortForward"))
+ 	s.restfulCont.Add(ws)
+ 
+	s.addMetricsBucketMatcher("logs")
+ 	ws = new(restful.WebService)
+ 	ws.
+ 		Path(logsPath)
+@@ -423,6 +463,7 @@ func (s *Server) InstallDebuggingHandlers(criHandler http.Handler) {
+ 		Param(ws.PathParameter("logpath", "path to the log").DataType("string")))
+ 	s.restfulCont.Add(ws)
+ 
+	s.addMetricsBucketMatcher("containerLogs")
+ 	ws = new(restful.WebService)
+ 	ws.
+ 		Path("/containerLogs")
+@@ -431,8 +472,10 @@ func (s *Server) InstallDebuggingHandlers(criHandler http.Handler) {
+ 		Operation("getContainerLogs"))
+ 	s.restfulCont.Add(ws)
+ 
+	s.addMetricsBucketMatcher("configz")
+ 	configz.InstallHandler(s.restfulCont)
+ 
+	s.addMetricsBucketMatcher("debug")
+ 	handlePprofEndpoint := func(req *restful.Request, resp *restful.Response) {
+ 		name := strings.TrimPrefix(req.Request.URL.Path, pprofBasePath)
+ 		switch name {
+@@ -448,7 +491,6 @@ func (s *Server) InstallDebuggingHandlers(criHandler http.Handler) {
+ 			pprof.Index(resp, req.Request)
+ 		}
+ 	}
+-
+ 	// Setup pprof handlers.
+ 	ws = new(restful.WebService).Path(pprofBasePath)
+ 	ws.Route(ws.GET("/{subpath:*}").To(func(req *restful.Request, resp *restful.Response) {
+@@ -461,6 +503,7 @@ func (s *Server) InstallDebuggingHandlers(criHandler http.Handler) {
+ 	s.restfulCont.Handle("/debug/flags/v", routes.StringFlagPutHandler(logs.GlogSetter))
+ 
+ 	// The /runningpods endpoint is used for testing only.
+	s.addMetricsBucketMatcher("runningpods")
+ 	ws = new(restful.WebService)
+ 	ws.
+ 		Path("/runningpods/").
+@@ -470,6 +513,7 @@ func (s *Server) InstallDebuggingHandlers(criHandler http.Handler) {
+ 		Operation("getRunningPods"))
+ 	s.restfulCont.Add(ws)
+ 
+	s.addMetricsBucketMatcher("cri")
+ 	if criHandler != nil {
+ 		s.restfulCont.Handle("/cri/", criHandler)
+ 	}
+@@ -481,6 +525,14 @@ func (s *Server) InstallDebuggingDisabledHandlers() {
+ 		http.Error(w, "Debug endpoints are disabled.", http.StatusMethodNotAllowed)
+ 	})
+ 
+	s.addMetricsBucketMatcher("run")
+	s.addMetricsBucketMatcher("exec")
+	s.addMetricsBucketMatcher("attach")
+	s.addMetricsBucketMatcher("portForward")
+	s.addMetricsBucketMatcher("containerLogs")
+	s.addMetricsBucketMatcher("runningpods")
+	s.addMetricsBucketMatcher("pprof")
+	s.addMetricsBucketMatcher("logs")
+ 	paths := []string{
+ 		"/run/", "/exec/", "/attach/", "/portForward/", "/containerLogs/",
+ 		"/runningpods/", pprofBasePath, logsPath}
+@@ -814,10 +849,10 @@ func (s *Server) getPortForward(request *restful.Request, response *restful.Resp
+ 	proxyStream(response.ResponseWriter, request.Request, url)
+ }
+ 
+-// trimURLPath trims a URL path.
+// getURLRootPath trims a URL path.
+ // For paths in the format of "/metrics/xxx", "metrics/xxx" is returned;
+ // For all other paths, the first part of the path is returned.
+-func trimURLPath(path string) string {
+func getURLRootPath(path string) string {
+ 	parts := strings.SplitN(strings.TrimPrefix(path, "/"), "/", 3)
+ 	if len(parts) == 0 {
+ 		return path
+@@ -865,7 +900,7 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, req *http.Request) {
+ 		serverType = "readwrite"
+ 	}
+ 
+-	method, path := req.Method, trimURLPath(req.URL.Path)
+	method, path := req.Method, s.getMetricBucket(req.URL.Path)
+ 
+ 	longRunning := strconv.FormatBool(isLongRunningRequest(path))
+ 
+diff --git a/src/import/pkg/kubelet/server/server_test.go b/src/import/pkg/kubelet/server/server_test.go
+index 4761d21afb7..a95e5d19f0b 100644
+--- a/src/import/pkg/kubelet/server/server_test.go
+++ b/src/import/pkg/kubelet/server/server_test.go
+@@ -1612,6 +1612,58 @@ func TestCRIHandler(t *testing.T) {
+ 	assert.Equal(t, query, fw.criHandler.RequestReceived.URL.RawQuery)
+ }
+ 
+func TestMetricBuckets(t *testing.T) {
+	tests := map[string]struct {
+		url    string
+		bucket string
+	}{
+		"healthz endpoint":                {url: "/healthz", bucket: "healthz"},
+		"attach":                          {url: "/attach/podNamespace/podID/containerName", bucket: "attach"},
+		"attach with uid":                 {url: "/attach/podNamespace/podID/uid/containerName", bucket: "attach"},
+		"configz":                         {url: "/configz", bucket: "configz"},
+		"containerLogs":                   {url: "/containerLogs/podNamespace/podID/containerName", bucket: "containerLogs"},
+		"cri":                             {url: "/cri/", bucket: "cri"},
+		"cri with sub":                    {url: "/cri/foo", bucket: "cri"},
+		"debug v flags":                   {url: "/debug/flags/v", bucket: "debug"},
+		"pprof with sub":                  {url: "/debug/pprof/subpath", bucket: "debug"},
+		"exec":                            {url: "/exec/podNamespace/podID/containerName", bucket: "exec"},
+		"exec with uid":                   {url: "/exec/podNamespace/podID/uid/containerName", bucket: "exec"},
+		"healthz":                         {url: "/healthz/", bucket: "healthz"},
+		"healthz log sub":                 {url: "/healthz/log", bucket: "healthz"},
+		"healthz ping":                    {url: "/healthz/ping", bucket: "healthz"},
+		"healthz sync loop":               {url: "/healthz/syncloop", bucket: "healthz"},
+		"logs":                            {url: "/logs/", bucket: "logs"},
+		"logs with path":                  {url: "/logs/logpath", bucket: "logs"},
+		"metrics":                         {url: "/metrics", bucket: "metrics"},
+		"metrics cadvisor sub":            {url: "/metrics/cadvisor", bucket: "metrics/cadvisor"},
+		"metrics probes sub":              {url: "/metrics/probes", bucket: "metrics/probes"},
+		"metrics resource v1alpha1":       {url: "/metrics/resource/v1alpha1", bucket: "metrics/resource"},
+		"metrics resource sub":            {url: "/metrics/resource", bucket: "metrics/resource"},
+		"pods":                            {url: "/pods/", bucket: "pods"},
+		"portForward":                     {url: "/portForward/podNamespace/podID", bucket: "portForward"},
+		"portForward with uid":            {url: "/portForward/podNamespace/podID/uid", bucket: "portForward"},
+		"run":                             {url: "/run/podNamespace/podID/containerName", bucket: "run"},
+		"run with uid":                    {url: "/run/podNamespace/podID/uid/containerName", bucket: "run"},
+		"runningpods":                     {url: "/runningpods/", bucket: "runningpods"},
+		"spec":                            {url: "/spec/", bucket: "spec"},
+		"stats":                           {url: "/stats/", bucket: "stats"},
+		"stats container sub":             {url: "/stats/container", bucket: "stats"},
+		"stats summary sub":               {url: "/stats/summary", bucket: "stats"},
+		"stats containerName with uid":    {url: "/stats/namespace/podName/uid/containerName", bucket: "stats"},
+		"stats containerName":             {url: "/stats/podName/containerName", bucket: "stats"},
+		"invalid path":                    {url: "/junk", bucket: "Invalid path"},
+		"invalid path starting with good": {url: "/healthzjunk", bucket: "Invalid path"},
+	}
+	fw := newServerTest()
+	defer fw.testHTTPServer.Close()
+
+	for _, test := range tests {
+		path := test.url
+		bucket := test.bucket
+		require.Equal(t, fw.serverUnderTest.getMetricBucket(path), bucket)
+	}
+}
+
+ func TestDebuggingDisabledHandlers(t *testing.T) {
+ 	fw := newServerTestWithDebug(false, false, nil)
+ 	defer fw.testHTTPServer.Close()
+@@ -1685,6 +1737,6 @@ func TestTrimURLPath(t *testing.T) {
+ 	}
+ 
+ 	for _, test := range tests {
+-		assert.Equal(t, test.expected, trimURLPath(test.path), fmt.Sprintf("path is: %s", test.path))
+		assert.Equal(t, test.expected, getURLRootPath(test.path), fmt.Sprintf("path is: %s", test.path))
+ 	}
+ }
+-- 
+2.17.0
+
--- a/recipes-containers/kubernetes/kubernetes/CVE-2020-8552.patch
+++ b/recipes-containers/kubernetes/kubernetes/CVE-2020-8552.patch
@ -0,0 +1,170 @@
+From cc3190968b1f14ddf4067abef849fc41bd6068dc Mon Sep 17 00:00:00 2001
+From: Han Kang <hankang@google.com>
+Date: Wed, 29 Jan 2020 12:25:55 -0800
+Subject: [PATCH] remove client label from apiserver request count metric since
+ it is unbounded
+
+Change-Id: I3a9eacebc9d9dc9ed6347260d9378cdcb5743431
+
+CVE: CVE-2020-8552
+Upstream-Status: Backport [Cherry-picked from https://github.com/kubernetes/kubernetes.git tag:v1.18.0]
+Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
+---
+ .../apiserver/pkg/endpoints/metrics/BUILD     |  8 ---
+ .../pkg/endpoints/metrics/metrics.go          | 21 ++------
+ .../pkg/endpoints/metrics/metrics_test.go     | 54 -------------------
+ 3 files changed, 3 insertions(+), 80 deletions(-)
+ delete mode 100644 staging/src/k8s.io/apiserver/pkg/endpoints/metrics/metrics_test.go
+
+diff --git a/src/import/staging/src/k8s.io/apiserver/pkg/endpoints/metrics/BUILD b/src/import/staging/src/k8s.io/apiserver/pkg/endpoints/metrics/BUILD
+index 8d13a34eadc..8abb3d1a611 100644
+--- a/src/import/staging/src/k8s.io/apiserver/pkg/endpoints/metrics/BUILD
+++ b/src/import/staging/src/k8s.io/apiserver/pkg/endpoints/metrics/BUILD
+@@ -3,13 +3,6 @@ package(default_visibility = ["//visibility:public"])
+ load(
+     "@io_bazel_rules_go//go:def.bzl",
+     "go_library",
+-    "go_test",
+-)
+-
+-go_test(
+-    name = "go_default_test",
+-    srcs = ["metrics_test.go"],
+-    embed = [":go_default_library"],
+ )
+ 
+ go_library(
+@@ -20,7 +13,6 @@ go_library(
+     deps = [
+         "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1/validation:go_default_library",
+         "//staging/src/k8s.io/apimachinery/pkg/types:go_default_library",
+-        "//staging/src/k8s.io/apimachinery/pkg/util/net:go_default_library",
+         "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
+         "//staging/src/k8s.io/apiserver/pkg/endpoints/request:go_default_library",
+         "//staging/src/k8s.io/apiserver/pkg/features:go_default_library",
+diff --git a/src/import/staging/src/k8s.io/apiserver/pkg/endpoints/metrics/metrics.go b/src/import/staging/src/k8s.io/apiserver/pkg/endpoints/metrics/metrics.go
+index f4e02fbb6a8..c79efdef4e3 100644
+--- a/src/import/staging/src/k8s.io/apiserver/pkg/endpoints/metrics/metrics.go
+++ b/src/import/staging/src/k8s.io/apiserver/pkg/endpoints/metrics/metrics.go
+@@ -29,7 +29,6 @@ import (
+ 
+ 	"k8s.io/apimachinery/pkg/apis/meta/v1/validation"
+ 	"k8s.io/apimachinery/pkg/types"
+-	utilnet "k8s.io/apimachinery/pkg/util/net"
+ 	utilsets "k8s.io/apimachinery/pkg/util/sets"
+ 	"k8s.io/apiserver/pkg/endpoints/request"
+ 	"k8s.io/apiserver/pkg/features"
+@@ -66,14 +65,14 @@ var (
+ 	requestCounter = compbasemetrics.NewCounterVec(
+ 		&compbasemetrics.CounterOpts{
+ 			Name:           "apiserver_request_total",
+-			Help:           "Counter of apiserver requests broken out for each verb, dry run value, group, version, resource, scope, component, client, and HTTP response contentType and code.",
+			Help:           "Counter of apiserver requests broken out for each verb, dry run value, group, version, resource, scope, component, and HTTP response contentType and code.",
+ 			StabilityLevel: compbasemetrics.ALPHA,
+ 		},
+ 		// The label_name contentType doesn't follow the label_name convention defined here:
+ 		// https://github.com/kubernetes/community/blob/master/contributors/devel/sig-instrumentation/instrumentation.md
+ 		// But changing it would break backwards compatibility. Future label_names
+ 		// should be all lowercase and separated by underscores.
+-		[]string{"verb", "dry_run", "group", "version", "resource", "subresource", "scope", "component", "client", "contentType", "code"},
+		[]string{"verb", "dry_run", "group", "version", "resource", "subresource", "scope", "component", "contentType", "code"},
+ 	)
+ 	deprecatedRequestCounter = compbasemetrics.NewCounterVec(
+ 		&compbasemetrics.CounterOpts{
+@@ -243,11 +242,10 @@ func RecordLongRunning(req *http.Request, requestInfo *request.RequestInfo, comp
+ func MonitorRequest(req *http.Request, verb, group, version, resource, subresource, scope, component, contentType string, httpCode, respSize int, elapsed time.Duration) {
+ 	reportedVerb := cleanVerb(verb, req)
+ 	dryRun := cleanDryRun(req.URL)
+-	client := cleanUserAgent(utilnet.GetHTTPClient(req))
+ 	elapsedMicroseconds := float64(elapsed / time.Microsecond)
+ 	elapsedSeconds := elapsed.Seconds()
+-	requestCounter.WithLabelValues(reportedVerb, dryRun, group, version, resource, subresource, scope, component, client, contentType, codeToString(httpCode)).Inc()
+-	deprecatedRequestCounter.WithLabelValues(reportedVerb, group, version, resource, subresource, scope, component, client, contentType, codeToString(httpCode)).Inc()
+	requestCounter.WithLabelValues(reportedVerb, dryRun, group, version, resource, subresource, scope, component, contentType, codeToString(httpCode)).Inc()
+	deprecatedRequestCounter.WithLabelValues(reportedVerb, group, version, resource, subresource, scope, component, contentType, codeToString(httpCode)).Inc()
+ 	requestLatencies.WithLabelValues(reportedVerb, dryRun, group, version, resource, subresource, scope, component).Observe(elapsedSeconds)
+ 	deprecatedRequestLatencies.WithLabelValues(reportedVerb, group, version, resource, subresource, scope, component).Observe(elapsedMicroseconds)
+ 	deprecatedRequestLatenciesSummary.WithLabelValues(reportedVerb, group, version, resource, subresource, scope, component).Observe(elapsedMicroseconds)
+@@ -355,19 +353,6 @@ func cleanDryRun(u *url.URL) string {
+ 	return strings.Join(utilsets.NewString(dryRun...).List(), ",")
+ }
+ 
+-func cleanUserAgent(ua string) string {
+-	// We collapse all "web browser"-type user agents into one "browser" to reduce metric cardinality.
+-	if strings.HasPrefix(ua, "Mozilla/") {
+-		return "Browser"
+-	}
+-	// If an old "kubectl.exe" has passed us its full path, we discard the path portion.
+-	if kubectlExeRegexp.MatchString(ua) {
+-		// avoid an allocation
+-		ua = kubectlExeRegexp.ReplaceAllString(ua, "$1")
+-	}
+-	return ua
+-}
+-
+ // ResponseWriterDelegator interface wraps http.ResponseWriter to additionally record content-length, status-code, etc.
+ type ResponseWriterDelegator struct {
+ 	http.ResponseWriter
+diff --git a/src/import/staging/src/k8s.io/apiserver/pkg/endpoints/metrics/metrics_test.go b/src/import/staging/src/k8s.io/apiserver/pkg/endpoints/metrics/metrics_test.go
+deleted file mode 100644
+index 4c0a8aa5d27..00000000000
+--- a/src/import/staging/src/k8s.io/apiserver/pkg/endpoints/metrics/metrics_test.go
+++ /dev/null
+@@ -1,54 +0,0 @@
+-/*
+-Copyright 2015 The Kubernetes Authors.
+-
+-Licensed under the Apache License, Version 2.0 (the "License");
+-you may not use this file except in compliance with the License.
+-You may obtain a copy of the License at
+-
+-    http://www.apache.org/licenses/LICENSE-2.0
+-
+-Unless required by applicable law or agreed to in writing, software
+-distributed under the License is distributed on an "AS IS" BASIS,
+-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-See the License for the specific language governing permissions and
+-limitations under the License.
+-*/
+-
+-package metrics
+-
+-import "testing"
+-
+-func TestCleanUserAgent(t *testing.T) {
+-	panicBuf := []byte{198, 73, 129, 133, 90, 216, 104, 29, 13, 134, 209, 233, 30, 0, 22}
+-
+-	for _, tc := range []struct {
+-		In  string
+-		Out string
+-	}{
+-		{
+-			In:  "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36",
+-			Out: "Browser",
+-		},
+-		{
+-			In:  "kubectl/v1.2.4",
+-			Out: "kubectl/v1.2.4",
+-		},
+-		{
+-			In:  `C:\Users\Kubernetes\kubectl.exe/v1.5.4`,
+-			Out: "kubectl.exe/v1.5.4",
+-		},
+-		{
+-			In:  `C:\Program Files\kubectl.exe/v1.5.4`,
+-			Out: "kubectl.exe/v1.5.4",
+-		},
+-		{
+-			// This malicious input courtesy of enisoc.
+-			In:  string(panicBuf) + "kubectl.exe",
+-			Out: "kubectl.exe",
+-		},
+-	} {
+-		if cleanUserAgent(tc.In) != tc.Out {
+-			t.Errorf("Failed to clean User-Agent: %s", tc.In)
+-		}
+-	}
+-}
+-- 
+2.17.0
+
--- a/recipes-containers/kubernetes/kubernetes_git.bb
+++ b/recipes-containers/kubernetes/kubernetes_git.bb
@ -12,6 +12,8 @@ SRC_URI = "git://github.com/kubernetes/kubernetes.git;branch=release-1.16;name=k
           file://0001-hack-lib-golang.sh-use-CC-from-environment.patch \
           file://0001-cross-don-t-build-tests-by-default.patch \
           file://0001-fix-compiling-failure-execvp-bin-bash-Argument-list-.patch \
+           file://CVE-2020-8551.patch \
+           file://CVE-2020-8552.patch \
          "

 DEPENDS += "rsync-native \