Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove Endpoints write access from aggregated edit role #103704

Merged
merged 1 commit into from Jul 20, 2021

Conversation

robscott
Copy link
Member

@robscott robscott commented Jul 14, 2021

What type of PR is this?

/kind bug

What this PR does / why we need it:

This is a partial mitigation to #103675.

Does this PR introduce a user-facing change?

The `system:aggregate-to-edit` role no longer includes write access to the Endpoints API. For new Kubernetes 1.22 clusters, the `edit` and `admin` roles will no longer include that access in newly created Kubernetes 1.22 clusters. This will have no affect on existing clusters upgrading to Kubernetes 1.22. To retain write access to Endpoints in the aggregated `edit` and `admin` roles for newly created 1.22 clusters, refer to https://github.com/kubernetes/website/pull/29025.

/sig network
/sig auth
/priority important-soon
/triage accepted

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/bug Categorizes issue or PR as related to a bug. sig/network Categorizes an issue or PR as relevant to SIG Network. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. sig/auth Categorizes an issue or PR as relevant to SIG Auth. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jul 14, 2021
@robscott
Copy link
Member Author

robscott commented Jul 14, 2021

/assign @dcbw @caseydavenport @thockin @liggitt

@robscott
Copy link
Member Author

robscott commented Jul 14, 2021

Although we discussed this potential change prior to announcing #103675, we wanted to try to get a broader consensus before committing to this change. Unfortunately the corresponding change to EndpointSlices is not sufficient since the EndpointSlice mirroring controller translates Endpoints to EndpointSlices. That means that we need to restrict write access to both to make a meaningful difference.

Since write access to Endpoints and EndpointSlices results in a form of cross-namespace access, it seems inappropriate to include them in the aggregate-to-edit role. Although this represents a breaking change, it would not be the first time we've removed capabilities from the aggregated roles.

@thockin
Copy link
Member

thockin commented Jul 15, 2021

/hold

For discussion

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 15, 2021
@liggitt
Copy link
Member

liggitt commented Jul 15, 2021

/retest

The release note needs to:

  • explain the impact to upgraded existing clusters (none)
  • provide super-clear guidance for a cluster admin that needs to continue granting this access via the edit/admin roles and doesn't care about the exposure

Ideally, we would provide an example clusterrole they could create that would get aggregated into the edit/admin roles if they wanted to keep the status quo and the CVE did not apply to their environment (not multi-tenant, not using network policy, etc):

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    kubernetes.io/description: |-
      Add endpoints and endpointslices write permissions to the edit and admin roles.
      These were removed by default in 1.22 because of CVE-2021-25740. See http://issue.k8s.io/103675.
      This can allow endpoint writers to direct LoadBalancer or Ingress implementations 
      to expose backend IPs that would not otherwise be accessible, and can circumvent 
      network policies or security controls intended to prevent/isolate access to those backends.
  labels:
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: custom:aggregate-to-edit:endpoints
rules:
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]

@enj enj added this to Needs Triage in SIG Auth Jul 15, 2021
@thockin
Copy link
Member

thockin commented Jul 16, 2021

/approve

I will be AFK for a few days and wanted to be clear on my feelings on it.

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Jul 16, 2021

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: robscott, thockin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 16, 2021
@caseydavenport
Copy link
Member

caseydavenport commented Jul 19, 2021

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Jul 19, 2021
@liggitt
Copy link
Member

liggitt commented Jul 19, 2021

/retest

@liggitt liggitt added this to the v1.22 milestone Jul 19, 2021
@robscott
Copy link
Member Author

robscott commented Jul 19, 2021

Unless anyone has any hesitation here, I'm planning to remove the hold on this PR in a couple hours.

@robscott
Copy link
Member Author

robscott commented Jul 20, 2021

Created follow up docs PR, updated release note per @liggitt's guidance, and have not heard any hesitancy about merging this in. Given that, I'm going to remove the hold on this.

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 20, 2021
@robscott
Copy link
Member Author

robscott commented Jul 20, 2021

/retest

@k8s-ci-robot k8s-ci-robot merged commit e847b84 into kubernetes:master Jul 20, 2021
14 checks passed
SIG Auth automation moved this from Needs Triage to Closed / Done Jul 20, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm Indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/network Categorizes an issue or PR as relevant to SIG Network. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
SIG Auth
Closed / Done
Development

Successfully merging this pull request may close these issues.

None yet

6 participants