prevent disallowed secret refs from leaking via the downward API #22865
Conversation
Labelling this PR as size/M
This PR has added the
Added 1.2 milestone
GCE e2e build/test passed for commit 9d22f8b.
LGTM
LGTM
LGTM
Manually merging @k8s-oncall
This PR is included in #22874 which is slated to be included in the release-1.2 branch.
I am using this PR as a test for the cherry-pick tracking work. Please ignore any/all spam and/or seemingly random label updates. Sorry guys...
PR #22865 is found in the "release-1.2" branch. Removing the "cherrypick-candidate" label
Yes, it was in #22874
Commit 30d6098 found in the "release-1.2" branch appears to be this PR. Removing the "cherrypick-candidate" label. If this is an error find help to get your PR picked.
ok, sorry, I'm finished spamming this PR :) We now automatically detect things are merged into the release branch.
ServiceAccountAdmission has an option to LimitSecretReferences, but the env var ValueFrom that allows a secret ref doesn't get restricted. This plugs the hole. @kubernetes/kube-iam @kubernetes/rh-cluster-infra Security problem for 1.2.
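The check the PR description refers to, as an added illustration and not code from this PR or from Kubernetes: an admission-style filter that collects every secret a pod references and rejects the pod when one of them is not listed on its service account. The Kubernetes API types are replaced by small constructed stand-ins, and the includeEnv switch exists only to show the difference between checking secret volumes alone (the gap described above) and also checking env.valueFrom.secretKeyRef.

```go
package main

import (
	"fmt"
	"sort"
)

// Simplified stand-ins for the API objects involved (constructed for this
// example; not the real k8s.io/api types).
type SecretKeyRef struct {
	Name string // secret name
	Key  string // key inside the secret
}

type EnvVar struct {
	Name         string
	Value        string
	SecretKeyRef *SecretKeyRef // corresponds to env.valueFrom.secretKeyRef
}

type Volume struct {
	Name       string
	SecretName string // non-empty for a secret volume
}

type Container struct {
	Name string
	Env  []EnvVar
}

type PodSpec struct {
	ServiceAccountName string
	Volumes            []Volume
	Containers         []Container
}

type ServiceAccount struct {
	Name    string
	Secrets []string // secrets the service account may reference
}

// secretRefs returns the sorted, de-duplicated set of secret names the pod
// references. Secret volumes are always counted; env vars whose value comes
// from a secretKeyRef are counted only when includeEnv is true. Leaving
// them out is exactly the hole the PR closes: a pod could read any secret
// through an env var while the volume-only check passed.
func secretRefs(spec PodSpec, includeEnv bool) []string {
	seen := map[string]bool{}
	for _, v := range spec.Volumes {
		if v.SecretName != "" {
			seen[v.SecretName] = true
		}
	}
	if includeEnv {
		for _, c := range spec.Containers {
			for _, e := range c.Env {
				if e.SecretKeyRef != nil {
					seen[e.SecretKeyRef.Name] = true
				}
			}
		}
	}
	out := make([]string, 0, len(seen))
	for n := range seen {
		out = append(out, n)
	}
	sort.Strings(out)
	return out
}

// disallowedSecretRefs returns the referenced secrets that are not listed on
// the service account, i.e. what a LimitSecretReferences-style check rejects.
func disallowedSecretRefs(sa ServiceAccount, spec PodSpec, includeEnv bool) []string {
	allowed := map[string]bool{}
	for _, s := range sa.Secrets {
		allowed[s] = true
	}
	var bad []string
	for _, ref := range secretRefs(spec, includeEnv) {
		if !allowed[ref] {
			bad = append(bad, ref)
		}
	}
	return bad
}

// admit returns an error when the pod references a secret its service
// account is not allowed to use; env references are always checked here.
func admit(sa ServiceAccount, spec PodSpec) error {
	if bad := disallowedSecretRefs(sa, spec, true); len(bad) > 0 {
		return fmt.Errorf("pod references secrets not allowed for service account %q: %v", sa.Name, bad)
	}
	return nil
}

func main() {
	// Constructed sample: the service account may only use its own token secret.
	sa := ServiceAccount{Name: "default", Secrets: []string{"default-token-abc12"}}
	// Constructed pod: mounts the allowed token, but also pulls a key from an
	// unrelated secret through env valueFrom.secretKeyRef.
	pod := PodSpec{
		ServiceAccountName: "default",
		Volumes:            []Volume{{Name: "token", SecretName: "default-token-abc12"}},
		Containers: []Container{{
			Name: "app",
			Env:  []EnvVar{{Name: "DB_PASSWORD", SecretKeyRef: &SecretKeyRef{Name: "db-credentials", Key: "password"}}},
		}},
	}
	fmt.Println("volumes only:", disallowedSecretRefs(sa, pod, false)) // nothing flagged
	fmt.Println("with env refs:", disallowedSecretRefs(sa, pod, true)) // [db-credentials]
	fmt.Println(admit(sa, pod))
}
```

With includeEnv set to false the sample pod passes even though it reads db-credentials, which is the behaviour the PR fixes; with env references included the pod is rejected.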