add DenyEscalatingExec admission controller #1961
@slack @brendanburns @seanknox Is there any reason we want to not include
Nope, makes sense to me.
lgtm
Great addition. Thanks @pidah.
@jackfrancis this is a breaking compatibility change, now I am not able to run my CI system. How to solve it without deploying a new cluster?
@jalberto Current versions of acs-engine allow for user-configurable https://github.com/Azure/acs-engine/blob/master/docs/clusterdefinition.md#apiserverconfig E.g., in your api model:
|
@jackfrancis yes, I found it but:
|
It is documented in the above link. To manually change on a cluster master node:
|
is not documented as a breaking change. When a breaking change is introduced it should be notified properly and an upgrade path should be provided.
I agree with you. Again, thanks for your patience/stamina.
What this PR does / why we need it:
Currently there are a few pods running privileged containers like kube-proxy and calico-node. If these containers are compromised, an attacker can easily compromise the underlying host. Given that these particular pods require privileged access, this PR adds the DenyEscalatingExec admission controller flag which prevents attaching or exec'ing into privileged pods running in the cluster. More info here: https://kubernetes.io/docs/admin/admission-controllers/#denyescalatingexec
Before this flag is applied you have the following:
After the flag is applied an exec operation is denied:
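Added example, not part of the PR or of acs-engine: a pre-rollout audit that lists which pods would refuse exec/attach once DenyEscalatingExec is enabled, so workloads such as CI jobs that exec into privileged pods are found before the flag is turned on. It assumes the criteria in the linked Kubernetes documentation (privileged containers, host PID namespace, host IPC namespace); the pod list is constructed sample data in the shape of `kubectl get pods --all-namespaces -o json`, and the function names are hypothetical.

```python
import json

# Constructed sample in the shape of `kubectl get pods --all-namespaces -o json`.
SAMPLE_POD_LIST = json.loads("""
{"items": [
  {"metadata": {"namespace": "kube-system", "name": "kube-proxy-abcde"},
   "spec": {"hostNetwork": true,
            "containers": [{"name": "kube-proxy",
                            "securityContext": {"privileged": true}}]}},
  {"metadata": {"namespace": "ci", "name": "docker-builder"},
   "spec": {"hostPID": true, "containers": [{"name": "dind"}]}},
  {"metadata": {"namespace": "default", "name": "web"},
   "spec": {"containers": [{"name": "nginx",
                            "securityContext": {"privileged": false}}]}}
]}
""")


def escalation_reasons(pod):
    """Return why exec/attach into this pod would be refused (empty list = allowed)."""
    spec = pod.get("spec", {})
    reasons = []
    # Assumption: host namespace access is read from the pod-level v1 fields.
    if spec.get("hostPID"):
        reasons.append("hostPID")
    if spec.get("hostIPC"):
        reasons.append("hostIPC")
    # One privileged container (init or regular) marks the whole pod.
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            reasons.append("privileged container " + c["name"])
    return reasons


def affected_pods(pod_list):
    """Map namespace/name -> reasons for every pod the controller would protect."""
    out = {}
    for pod in pod_list.get("items", []):
        reasons = escalation_reasons(pod)
        if reasons:
            meta = pod["metadata"]
            out[meta["namespace"] + "/" + meta["name"]] = reasons
    return out


if __name__ == "__main__":
    for name, reasons in affected_pods(SAMPLE_POD_LIST).items():
        print(name + ": exec/attach denied (" + ", ".join(reasons) + ")")
```

Note that `hostNetwork` alone is not one of the criteria, so a pod that only shares the host network namespace is not listed.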