Allow limiting adding/removing finalizers #59591
Comments
liggitt
added
area/security
area/apiserver
sig/api-machinery
|
@ihmccreery |
|
/cc |
|
+1 I've noticed this deficiency as well. More specifics: The This makes fine-grained authorization impossible, which is especially important for namespace-constrained users. I want to write an authorization rules like: "only service account Y can modify finalizer X (on all namespaces)" (it might also be nice to specify "user Z can modify all finalizers on their namespace except X or W" but that seems like a nice-to-have for which I'm not sure there are many use cases). Additionally to the multi-tenancy concerns above, bugs are just easy to write and hard to protect against right now. If I write a namespace controller that accidentally deletes all finalizers, instead of just the one I intend to modify, that's a large blast radius. My first pass at this would be to define finalizers as first-class subresources on a namespace? |
|
I think we could do this in a backward-compatible way, even, by making the current |
liggitt
changed the title
|
/cc @jennybuckley |
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
mikedanese
removed
the
lifecycle/stale
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
|
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
lifecycle/rotten
|
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
|
@fejta-bot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
liggitt
added
lifecycle/frozen
|
I’d like to escalate this. Abuse of finalizer deletion is widespread, and people are doing terrible things because we aren’t adequately communicating the risks of these. In particular the PVC finalizer abuse has reached new heights - on that one there are other things to investigate (like whether the controller is giving feedback to users appropriately). I’d like to (as part of this) make sure finalizer owners are living up to their responsibility to explain to humans why they aren’t allowing a deletion. |
|
I’d be happy with an admission control check. Also we should note an explicit difference between namespace deletion and other types of finalizers. |
|
We've been thinking about this, too. Besides finalizers, we also want to take care of annotations and init containers(where those annotations and init containers are added by third-party systems). Basically, we are trying to setup new RBAC clusterroles for finalizers, and checking authorization during admission(just like PodSecurityPolicy checks the |
|
Does this require a KEP? I am interested to work on this. |
|
If you want to change core kubernetes for this, then yes, it needs a KEP. If you want to write a general admission controller that solves the problem, I don't think you need a KEP. I'm not 100% sure off the top of my head that we pass enough information about the user to the webhook admission controllers; so you may end up asking for more features there. |
|
I think a general admission + RBAC should suffice: Briefly, we can define a new verb apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: orphan-finalizer
rules:
- apiGroups:
- "*"
resources:
- "*"
resourceNames:
- "orphan"
verbs:
- "finalize"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: orphan-finalizer
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: orphan-finalizer
subjects:
- kind: ServiceAccount
name: generic-garbage-collector
namespace: kube-systemDuring admission time, we get the user info, and figure out:
We send a call to authorizer to check whether that user can do the finalization of the finalizer. Can I get some feedback here? |
tallclair
added
the
priority/important-longterm
/kind feature
@kubernetes/sig-auth-feature-requests
@kubernetes/sig-api-machinery-feature-requests
What happened:
As a namespace-constrained user, I am able to manually add/remove finalizers added by system components:
What you expected to happen:
As a cluster admin, I expected to be able to control what finalizers can be added/removed by end users, so they can be relied on by system components and controllers for gating deletion
The text was updated successfully, but these errors were encountered: