Remove Endpoints write access from aggregated edit role #103704
Although we discussed this potential change prior to announcing #103675, we wanted to try to get a broader consensus before committing to this change. Unfortunately the corresponding change to EndpointSlices is not sufficient since the EndpointSlice mirroring controller translates Endpoints to EndpointSlices. That means that we need to restrict write access to both to make a meaningful difference.
Since write access to Endpoints and EndpointSlices results in a form of cross-namespace access, it seems inappropriate to include them in the
The release note needs to:
Ideally, we would provide an example clusterrole they could create that would get aggregated into the edit/admin roles if they wanted to keep the status quo and the CVE did not apply to their environment (not multi-tenant, not using network policy, etc):
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: kubernetes.io/description: |- Add endpoints and endpointslices write permissions to the edit and admin roles. These were removed by default in 1.22 because of CVE-2021-25740. See http://issue.k8s.io/103675. This can allow endpoint writers to direct LoadBalancer or Ingress implementations to expose backend IPs that would not otherwise be accessible, and can circumvent network policies or security controls intended to prevent/isolate access to those backends. labels: rbac.authorization.k8s.io/aggregate-to-edit: "true" name: custom:aggregate-to-edit:endpoints rules: - apiGroups: [""] resources: ["endpoints"] verbs: ["create", "delete", "deletecollection", "patch", "update"] - apiGroups: ["discovery.k8s.io"] resources: ["endpointslices"] verbs: ["create", "delete", "deletecollection", "patch", "update"]
[APPROVALNOTIFIER] This PR is APPROVED
The full list of commands accepted by this bot can be found here.
The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing