forked from hswaw/hscloud
SECURITY: cluster: limit api objects modifiable by namespace admins
This previous allowed all namespace admins (ie. personal-$user namespace users) to create any sort of obejct they wanted within that namespace. This could've been exploited to allow creation of a RoleBinding that would then allow to bind a serviceaccount to the insecure podsecuritypolicy, thereby allowing escalation to root on nodes. As far as I've checked, this hasn't been exploited, and the access to the k8s cluster has so far also been limited to trusted users. This has been deployed to production. Change-Id: Icf8747d765ccfa9fed843ec9e7b0b957ff27d96emaster
parent
e3432ee775
commit
a168c50132
|
@ -108,10 +108,15 @@ local Cluster(short, realm) = {
|
|||
crFullInNamespace: kube.ClusterRole("system:admin-namespace") {
|
||||
rules: [
|
||||
{
|
||||
apiGroups: ["*"],
|
||||
apiGroups: ["", "extensions", "apps"],
|
||||
resources: ["*"],
|
||||
verbs: ["*"],
|
||||
},
|
||||
{
|
||||
apiGroups: ["batch"],
|
||||
resources: ["jobs", "cronjobs"],
|
||||
verbs: ["*"],
|
||||
},
|
||||
],
|
||||
},
|
||||
// This ClusterRoleBindings allows root access to cluster admins.
|
||||
|
|
Loading…
Reference in New Issue