Protect Service Accounts Against Deletion/Remedy Deletions #55

Closed
gardener-robot-ci-1 opened this issue Jan 13, 2018 · 4 comments
Labels
component/gardener Gardener kind/bug Bug lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments

Contributor

gardener-robot-ci-1 commented Jan 13, 2018

By @vlerenc: Customers may break their own clusters by deleting service accounts, which were created by the API server. Without an API server restart, these service accounts won't come back, so we need to monitor them and either recreate them (without duplicating what the API server is doing) or restart the API server when we see somebody tampered with them.

@gardener-robot-ci-1 gardener-robot-ci-1 added the kind/enhancement Enhancement, improvement, extension label Jan 13, 2018
@vlerenc vlerenc added kind/bug Bug and removed kind/enhancement Enhancement, improvement, extension labels Feb 11, 2018

mvladev commented Mar 11, 2018

@vlerenc which ServiceAccounts are you referring to? Every service account created by the kube-addon-manager will be recreated automatically.

Member

vlerenc commented Mar 12, 2018

The ones I wrote above: the ones created by the API server implicitly (not by the addon-manager).

@vlerenc vlerenc added the component/gardener Gardener label Jun 27, 2018
vpnachev pushed a commit to vpnachev/gardener that referenced this issue Aug 16, 2019
Added OpenStack support for safety controller
@ghost ghost added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 6, 2020
Member

rfranzke commented Apr 6, 2020

We have seen a case where a user deleted the standard/default APIService resources. This is related to this issue (cc @ialidzhikov) - there are resources managed by the Kubernetes components that are worth protecting.
Though, to me it's not clear how we could implement this if we don't want to "hard-code" the resources that shall be protected.

@gardener-robot gardener-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jun 6, 2020
Member

rfranzke commented Apr 8, 2021

/close as there are a thousand ways to break the cluster and we cannot provide remediation for each of them. Given that the issue has been open for a very long time with no attention and no activity, it's unlikely that it'll be picked up anytime soon.
