User without access to secrets can create pod, mounting secret #76954
Comments
Granting a user permission to create pods allows them to run processes that make use of resources in the pod's namespace, including secrets and configmaps. Allowing them to create pods with arbitrary images, or invoking arbitrary commands, or to exec/attach into those pods can allow the user to access data they could not access directly via the API. The ACL boundary for the content of pod specs is the namespace level (a pod spec can refer to a service account, secret, or configmap in its namespace). If you want to add additional policies on top of that, you can do so using webhook admission and external policy rules.
/close
@liggitt: Closing this issue.
What happened:
I've created a Role without access to Kubernetes secrets, but with the ability to create pods and exec commands in pods. A user with that role can mount any secret in the namespace into a pod and access it through exec commands in the pod, so they can effectively read all secrets.
What you expected to happen:
Pod creation (for pods that mount secrets) should fail.
How to reproduce it (as minimally and precisely as possible):
Create secret:
Create Role, RoleBinding:
Create Pod as u100 user (kubectl --as=u100):
Verify that u100 user can get secret:
Anything else we need to know?:
Environment:
Kubernetes version (use kubectl version):
Cloud provider or hardware configuration: Baremetal
Install tools: Kubeadm
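The closing comment says the namespace is the RBAC boundary for pod specs and that tighter policy belongs in webhook admission. The example below is added here and is not code from the kubernetes/kubernetes project or from anyone in this thread: it shows the decision logic of a validating admission webhook that collects every Secret a pod spec can reach (secret volumes, projected secret sources, env and envFrom secret refs, imagePullSecrets) and denies the pod unless the requesting user is on a per-namespace allow-list. The allow-list (SECRET_MOUNTERS), the user names, and the sample AdmissionReview requests are constructed for the example; the AdmissionReview field names used (request.uid, request.userInfo.username, request.namespace, request.object, response.allowed) are the real admission.k8s.io/v1 shape. The sample request reproduces the issue's scenario: user u100 creating a pod that mounts a secret as a volume.

```python
"""Deny-pods-that-reference-Secrets check for a validating admission webhook.

Constructed example, not project code. RBAC authorizes "create pods" and
"get secrets" independently, so a pod author can mount any Secret in the
namespace; this layer refuses such pods from users not explicitly allowed.
"""

# Assumption: per-namespace set of users allowed to reference Secrets in pod specs.
SECRET_MOUNTERS = {
    "default": {"alice", "system:serviceaccount:default:deployer"},
}


def secret_refs(pod: dict) -> set:
    """Return the names of all Secrets a pod spec references."""
    spec = pod.get("spec", {})
    names = set()
    for vol in spec.get("volumes", []):
        name = vol.get("secret", {}).get("secretName")
        if name:
            names.add(name)
        for src in vol.get("projected", {}).get("sources", []):
            if "secret" in src and src["secret"].get("name"):
                names.add(src["secret"]["name"])
    # Secrets can also enter via environment in any container class.
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(kind, []):
            for env in container.get("env", []):
                ref = env.get("valueFrom", {}).get("secretKeyRef")
                if ref and ref.get("name"):
                    names.add(ref["name"])
            for src in container.get("envFrom", []):
                ref = src.get("secretRef")
                if ref and ref.get("name"):
                    names.add(ref["name"])
    for ips in spec.get("imagePullSecrets", []):
        if ips.get("name"):
            names.add(ips["name"])
    return names


def review(admission_review: dict) -> dict:
    """Build the AdmissionReview response for a pod CREATE/UPDATE request."""
    req = admission_review["request"]
    user = req["userInfo"]["username"]
    namespace = req["namespace"]
    refs = secret_refs(req["object"])
    allowed = not refs or user in SECRET_MOUNTERS.get(namespace, set())
    response = {"uid": req["uid"], "allowed": allowed}
    if not allowed:
        response["status"] = {
            "code": 403,
            "message": f"user {user!r} may not reference Secrets {sorted(refs)} in a pod spec",
        }
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def sample_review(username: str) -> dict:
    """Constructed AdmissionReview: a pod mounting 'mysecret' as a volume and 'regcred' as a pull secret."""
    pod = {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": "leak", "namespace": "default"},
        "spec": {
            "imagePullSecrets": [{"name": "regcred"}],
            "containers": [{
                "name": "shell",
                "image": "busybox",
                "command": ["sleep", "3600"],
                "volumeMounts": [{"name": "s", "mountPath": "/secret"}],
            }],
            "volumes": [{"name": "s", "secret": {"secretName": "mysecret"}}],
        },
    }
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "request": {
            "uid": "0f1e2d3c-constructed",
            "namespace": "default",
            "operation": "CREATE",
            "userInfo": {"username": username},
            "object": pod,
        },
    }


if __name__ == "__main__":
    for user in ("u100", "alice"):
        print(user, review(sample_review(user))["response"])
```

The webhook only sees pod specs, so it complements rather than replaces RBAC: pods/exec on an already running pod that mounts a secret is still governed by the exec permission the Role grants.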