
Authorize PSP usage for pods without service accounts #43489

Merged: 1 commit into kubernetes:master, Mar 22, 2017

Conversation

liggitt (Member) commented Mar 22, 2017

Fixes #43459

PodSecurityPolicy authorization is correctly enforced by the PodSecurityPolicy admission plugin.

@k8s-github-robot commented

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: liggitt
We suggest the following additional approver: @derekwaynecarr


@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Mar 22, 2017
@k8s-github-robot k8s-github-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Mar 22, 2017

@liggitt liggitt added this to the v1.6 milestone Mar 22, 2017
@liggitt liggitt assigned pweil- and erictune and unassigned derekwaynecarr Mar 22, 2017
@liggitt liggitt added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/bug Categorizes issue or PR as related to a bug. cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. and removed release-note-label-needed labels Mar 22, 2017
ethernetdan (Contributor) commented

@k8s-bot non-cri e2e test this

liggitt (Member, Author) commented Mar 22, 2017

reviewed by @pweil- and @erictune externally during the security release process, tagging

@liggitt liggitt added approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm "Looks good to me", indicates that a PR is ready to be merged. labels Mar 22, 2017
liggitt (Member, Author) commented Mar 22, 2017

@k8s-bot unit test this

liggitt (Member, Author) commented Mar 22, 2017

flaked on #41892
@k8s-bot unit test this

@k8s-github-robot commented

@k8s-bot test this [submit-queue is verifying that this PR is safe to merge]

@k8s-github-robot commented

Automatic merge from submit-queue (batch tested with PRs 43492, 43489)

@k8s-github-robot k8s-github-robot merged commit 6f9074f into kubernetes:master Mar 22, 2017
k8s-ci-robot (Contributor) commented Mar 22, 2017

@liggitt: The following test(s) failed:

Test name: Jenkins kops AWS e2e
Commit: dd75618
Rerun command: @k8s-bot kops aws e2e test this


pweil- (Contributor) left a review comment

LGTM

k8s-github-robot pushed a commit that referenced this pull request Mar 22, 2017
…9-upstream-release-1.5

Automatic merge from submit-queue

Automated cherry pick of #43489

Cherry pick of #43489 on release-1.5.

#43489: Authorize PSP usage for pods without service accounts

Picks fix made in v1.5.5 into the release-1.5 branch. No release note, since the change was already present in v1.5.5.
@liggitt liggitt deleted the 20170302-psp-authz branch March 22, 2017 20:11
b0b0haha commented

Could you please give an example showing how an attacker can create a pod without a service account?

Labels: approved, area/security, cherry-pick-approved, cncf-cla: yes, kind/bug, lgtm, release-note, size/S

Linked issue closed by this pull request: CVE-2017-1000056: PodSecurityPolicy admission plugin authorizes incorrectly