
prevent disallowed secret refs from leaking via the downward API #22865

Merged: 1 commit, Mar 11, 2016

Conversation

deads2k
Contributor

@deads2k deads2k commented Mar 11, 2016

ServiceAccountAdmission has an option to LimitSecretReferences, but the env var ValueFrom that allows a secret ref doesn't get restricted. This plugs the hole.

@kubernetes/kube-iam @kubernetes/rh-cluster-infra Security problem for 1.2.
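The check the PR description is talking about, as an added example that is not the PR's diff or the Kubernetes code base: a simplified reimplementation of the ServiceAccount admission plugin's secret-reference limit with the env path included. The struct types are trimmed-down stand-ins whose field names are assumed to follow the real PodSpec and ServiceAccount layout, and the walker also covers initContainers and envFrom[].secretRef, API fields that postdate this PR, since they are further places a secret name can appear.

```go
package main

import "fmt"

// Trimmed-down stand-ins for the Kubernetes API types. Field names follow the
// PodSpec / ServiceAccount layout, but these structs are constructed for this
// example and are not the project's types.
type LocalObjectReference struct{ Name string }

type SecretKeySelector struct {
	Name string // name of the Secret
	Key  string // key within the Secret
}

type EnvVarSource struct {
	SecretKeyRef *SecretKeySelector // env[].valueFrom.secretKeyRef
}

type EnvVar struct {
	Name      string
	Value     string
	ValueFrom *EnvVarSource
}

type EnvFromSource struct {
	SecretRef *LocalObjectReference // envFrom[].secretRef (API field added after this PR)
}

type Container struct {
	Name    string
	Env     []EnvVar
	EnvFrom []EnvFromSource
}

type Volume struct {
	Name       string
	SecretName string // volumes[].secret.secretName; empty when not a secret volume
}

type PodSpec struct {
	Volumes          []Volume
	InitContainers   []Container
	Containers       []Container
	ImagePullSecrets []LocalObjectReference
}

type ServiceAccount struct {
	Name             string
	Secrets          []LocalObjectReference // secrets pods may mount or read into env
	ImagePullSecrets []LocalObjectReference // secrets pods may use to pull images
}

type secretRef struct {
	Path string // where in the pod spec the reference lives, for the error message
	Name string // secret name being referenced
}

// podSecretRefs lists every Secret a pod spec reads as data: secret volumes,
// env[].valueFrom.secretKeyRef and envFrom[].secretRef in init and regular
// containers. Image pull secrets are a separate allow-list and are not
// included here. The hole this PR closes was that only the volume walk existed.
func podSecretRefs(spec *PodSpec) []secretRef {
	var refs []secretRef
	for i, v := range spec.Volumes {
		if v.SecretName != "" {
			refs = append(refs, secretRef{fmt.Sprintf("volumes[%d].secret.secretName", i), v.SecretName})
		}
	}
	walk := func(field string, containers []Container) {
		for i, c := range containers {
			for j, e := range c.Env {
				if e.ValueFrom != nil && e.ValueFrom.SecretKeyRef != nil {
					refs = append(refs, secretRef{
						fmt.Sprintf("%s[%d].env[%d].valueFrom.secretKeyRef.name", field, i, j),
						e.ValueFrom.SecretKeyRef.Name})
				}
			}
			for j, ef := range c.EnvFrom {
				if ef.SecretRef != nil {
					refs = append(refs, secretRef{
						fmt.Sprintf("%s[%d].envFrom[%d].secretRef.name", field, i, j),
						ef.SecretRef.Name})
				}
			}
		}
	}
	walk("initContainers", spec.InitContainers)
	walk("containers", spec.Containers)
	return refs
}

// limitSecretReferences enforces the ServiceAccount allow-lists: every data
// secret the pod references must appear in sa.Secrets, and every
// imagePullSecrets entry must appear in sa.ImagePullSecrets. It returns nil
// when the pod is allowed, otherwise an error naming the first offending
// reference, which is what the admission plugin would reject the pod with.
func limitSecretReferences(sa *ServiceAccount, spec *PodSpec) error {
	mountable := map[string]bool{}
	for _, s := range sa.Secrets {
		mountable[s.Name] = true
	}
	for _, r := range podSecretRefs(spec) {
		if !mountable[r.Name] {
			return fmt.Errorf("%s=%q is not allowed because service account %q does not reference that secret", r.Path, r.Name, sa.Name)
		}
	}
	pullable := map[string]bool{}
	for _, s := range sa.ImagePullSecrets {
		pullable[s.Name] = true
	}
	for i, p := range spec.ImagePullSecrets {
		if !pullable[p.Name] {
			return fmt.Errorf("imagePullSecrets[%d].name=%q is not allowed because service account %q does not reference that imagePullSecret", i, p.Name, sa.Name)
		}
	}
	return nil
}

func main() {
	sa := &ServiceAccount{Name: "default", Secrets: []LocalObjectReference{{"db-creds"}}}
	// Constructed pod: the volume is allowed, but the env var reads a secret the
	// service account does not list; a volumes-only check lets this through.
	pod := &PodSpec{
		Volumes: []Volume{{Name: "creds", SecretName: "db-creds"}},
		Containers: []Container{{
			Name: "app",
			Env:  []EnvVar{{Name: "TOKEN", ValueFrom: &EnvVarSource{SecretKeyRef: &SecretKeySelector{Name: "admin-token", Key: "token"}}}},
		}},
	}
	if err := limitSecretReferences(sa, pod); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The design point worth taking from the bug: the allow-list is only as good as the enumeration of reference sites, so keep that enumeration in one function (podSecretRefs here) rather than scattering per-field checks, and extend it whenever the API grows a new place a secret name can be named.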

@deads2k deads2k added priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. area/security cherrypick-candidate labels Mar 11, 2016
@k8s-github-robot

Labelling this PR as size/M

@k8s-github-robot k8s-github-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Mar 11, 2016
@eparis
Contributor

eparis commented Mar 11, 2016

This PR has added the cherrypick-candidate label but did not set a milestone. This is an invalid state and will not be considered for cherrypick-ing to any release branch. The cherrypick-candidate label will be automatically removed from such PRs in the future.

@ncdc ncdc added this to the v1.2 milestone Mar 11, 2016
@ncdc
Member

ncdc commented Mar 11, 2016

Added 1.2 milestone

@k8s-bot

k8s-bot commented Mar 11, 2016

GCE e2e build/test passed for commit 9d22f8b.

@ncdc
Member

ncdc commented Mar 11, 2016

LGTM

@derekwaynecarr
Member

LGTM

@derekwaynecarr derekwaynecarr added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 11, 2016
@pmorie
Member

pmorie commented Mar 11, 2016

LGTM

@bgrant0607
Member

Manually merging @k8s-oncall

bgrant0607 added a commit that referenced this pull request Mar 11, 2016
prevent disallowed secret refs from leaking via the downward API
@bgrant0607 bgrant0607 merged commit 58ba9eb into kubernetes:master Mar 11, 2016
@bgrant0607 bgrant0607 added the cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. label Mar 11, 2016
eparis pushed a commit to eparis/kubernetes that referenced this pull request Mar 11, 2016
prevent disallowed secret refs from leaking via the downward API
@eparis
Contributor

eparis commented Mar 11, 2016

This PR is included in #22874 which is slated to be included in the release-1.2 branch.
Please verify that the cherry-pick in that PR looks correct.

@eparis eparis added cherrypick-candidate cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. and removed cherrypick-candidate cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. labels Mar 11, 2016
@eparis
Contributor

eparis commented Mar 14, 2016

I am using this PR as a test for the cherry-pick tracking work. Please ignore any/all spam and or seemingly random label updates. Sorry guys...

@eparis eparis removed this from the v1.2 milestone Mar 14, 2016
@eparis eparis added this to the v1.2 milestone Mar 14, 2016
@k8s-cherrypick-bot

PR #22865 is found in the "release-1.2" branch. Removing the "cherrypick-candidate" label

@bgrant0607 bgrant0607 added cherrypick-candidate and removed cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. labels Mar 14, 2016
@bgrant0607
Member

@eparis. This PR wasn't in #22945. Was it in a previous cherrypick batch?

@bgrant0607
Member

Yes, it was in #22874

@k8s-cherrypick-bot

Commit 30d6098 found in the "release-1.2" branch appears to be this PR. Removing the "cherrypick-candidate" label. If this is an error, find help to get your PR picked.

@eparis
Contributor

eparis commented Mar 15, 2016

ok, sorry, I'm finished spamming this PR :) We now automatically detect things are merged into the release branch.

@deads2k deads2k deleted the fix-downward-api-leak branch September 6, 2016 17:22
shyamjvs pushed a commit to shyamjvs/kubernetes that referenced this pull request Dec 1, 2016
prevent disallowed secret refs from leaking via the downward API
shouhong pushed a commit to shouhong/kubernetes that referenced this pull request Feb 14, 2017
prevent disallowed secret refs from leaking via the downward API