
apiextensions: check request scope against CRD scope correctly #80750

Merged
merged 2 commits into from Jul 31, 2019

Conversation

@sttts (Contributor) commented Jul 30, 2019

Before this PR we did not always check that the request scope matched the CRD. This adds consequent checks, and exhaustive tests.

Fix CVE-2019-11247: API server allows access to custom resources via wrong scope
@k8s-ci-robot (Contributor) commented Jul 30, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sttts

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@deads2k (Contributor) commented Jul 30, 2019

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm label Jul 30, 2019

@yue9944882 (Member) commented Jul 30, 2019

I tried to POST a pod against a non-namespaced path /api/v1/pods locally, and it's returning 405 instead of 404. I presume we should keep that behavior consistent between built-ins and CRDs.

$ curl --cert /tmp/crt --key /tmp/key -XPOST -d@/tmp/pod -H 'Content-Type: application/json' -k https://127.0.0.1:6443/api/v1/pods
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "the server does not allow this method on the requested resource",
  "reason": "MethodNotAllowed",
  "details": {

  },
  "code": 405
}
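As an added illustration (not the PR's own code), a simplified model of the check the PR description refers to and of the 404 behavior discussed in the comment above: the namespace in the request path is compared with the CRD's spec.scope; a cluster-level path is accepted for a namespaced CRD only for list/watch across all namespaces, and any other mismatch is not served by the CRD handler, so the request falls through to the delegate and ends in 404 rather than the 405 a built-in returns. `ScopeMatches`, `RequestInfo` and `acrossAllNamespacesVerbs` are constructed names for this example.

```go
package main

import "fmt"

// Scope mirrors the two values a CRD can declare in spec.scope.
type Scope string

const (
	ClusterScoped   Scope = "Cluster"
	NamespaceScoped Scope = "Namespaced"
)

// RequestInfo is a constructed, minimal stand-in for the API server's parsed
// request attributes: the verb and the namespace from the URL path (empty for
// cluster-level paths such as /apis/<group>/<version>/<resource>).
type RequestInfo struct {
	Verb      string // get, list, watch, create, update, patch, delete, deletecollection
	Namespace string
}

// Verbs that are legitimate on a cluster-level path for a namespaced
// resource: listing or watching across all namespaces.
var acrossAllNamespacesVerbs = map[string]bool{"list": true, "watch": true}

// ScopeMatches reports whether the request path is acceptable for a CRD of the
// given scope. On false the CRD handler must not serve the request; the caller
// hands it to the delegate, which answers 404 NotFound.
func ScopeMatches(crdScope Scope, req RequestInfo) bool {
	namespacedCRD := crdScope == NamespaceScoped
	namespacedReq := req.Namespace != ""
	switch {
	case !namespacedCRD && namespacedReq:
		// cluster-scoped CRD reached via /namespaces/<ns>/...: reject
		return false
	case namespacedCRD && !namespacedReq:
		// namespaced CRD reached at cluster level: only list/watch all namespaces
		return acrossAllNamespacesVerbs[req.Verb]
	default:
		return true
	}
}

func main() {
	// Namespaced CRD addressed at cluster level: list is fine, create is not.
	fmt.Println(ScopeMatches(NamespaceScoped, RequestInfo{Verb: "list"}))   // true
	fmt.Println(ScopeMatches(NamespaceScoped, RequestInfo{Verb: "create"})) // false
	// Cluster-scoped CRD addressed inside a namespace is always a mismatch.
	fmt.Println(ScopeMatches(ClusterScoped, RequestInfo{Verb: "get", Namespace: "default"})) // false
}
```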
@fejta-bot commented Jul 30, 2019

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@liggitt (Member) commented Jul 31, 2019

customresource_handler.go:200:88: "accross" is a misspelling of "across"

@liggitt (Member) commented Jul 31, 2019

> I tried to POST a pod against a non-namespaced path /api/v1/pods locally, and it's returning 405 instead of 404. I presume we should keep that behavior consistent between built-ins and CRDs.

We can consider that in a follow-up.


@sttts sttts force-pushed the sttts:sttts-crd-scoping branch from a5fc861 to caa7a76 Jul 31, 2019

@k8s-ci-robot k8s-ci-robot removed the lgtm label Jul 31, 2019

@k8s-ci-robot (Contributor) commented Jul 31, 2019

New changes are detected. LGTM label has been removed.

@sttts (Contributor, Author) commented Jul 31, 2019

Fixed typo.

@sttts sttts added the lgtm label Jul 31, 2019

@sttts sttts force-pushed the sttts:sttts-crd-scoping branch from caa7a76 to df75700 Jul 31, 2019

@k8s-ci-robot (Contributor) commented Jul 31, 2019

New changes are detected. LGTM label has been removed.

@k8s-ci-robot k8s-ci-robot removed the lgtm label Jul 31, 2019

@sttts sttts added the lgtm label Jul 31, 2019

@k8s-ci-robot k8s-ci-robot merged commit 2abc859 into kubernetes:master Jul 31, 2019

@k8s-ci-robot k8s-ci-robot added this to the v1.16 milestone Jul 31, 2019

@jennybuckley (Contributor) commented Aug 1, 2019

/cc @roycaihw

@k8s-ci-robot k8s-ci-robot requested a review from roycaihw Aug 1, 2019

@roycaihw (Member) commented Aug 1, 2019

LGTM

@joelsmith (Contributor) commented Aug 5, 2019

We need to add the following release note:

Fix CVE-2019-11247: API server allows access to custom resources via wrong scope