SECURITY: cluster: limit api objects modifiable by namespace admins

This previously allowed all namespace admins (i.e. personal-$user namespace
users) to create any sort of object they wanted within that namespace.

This could've been exploited to allow creation of a RoleBinding that
would then allow binding a serviceaccount to the insecure
podsecuritypolicy, thereby allowing escalation to root on nodes.

As far as I've checked, this hasn't been exploited, and the access to
the k8s cluster has so far also been limited to trusted users.

This has been deployed to production.

Change-Id: Icf8747d765ccfa9fed843ec9e7b0b957ff27d96e
master
q3k 2020-05-11 20:49:31 +02:00
parent e3432ee775
commit a168c50132
1 changed files with 6 additions and 1 deletions

@ -108,10 +108,15 @@ local Cluster(short, realm) = {
crFullInNamespace: kube.ClusterRole("system:admin-namespace") {
rules: [
{
apiGroups: ["*"],
apiGroups: ["", "extensions", "apps"],
resources: ["*"],
verbs: ["*"],
},
{
apiGroups: ["batch"],
resources: ["jobs", "cronjobs"],
verbs: ["*"],
},
],
},
// This ClusterRoleBindings allows root access to cluster admins.
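Review bot: The first rule still pairs resources: ["*"] with verbs: ["*"] for the "", "extensions" and "apps" groups, so the role is bounded only by which API groups are listed, not by which objects in them. Since the commit message names a RoleBinding to the insecure podsecuritypolicy as the escalation path, please confirm that nothing served under "extensions" on this cluster (podsecuritypolicies in particular) is still covered by this rule, and consider enumerating resources explicitly the way the batch rule does with ["jobs", "cronjobs"]. A short comment above the rule explaining why "*" was dropped from apiGroups would also help keep it from being widened again later.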