deprecate DenyExecOnPrivileged/DenyEscalatingExec #12152
@@ -205,7 +205,15 @@ Reference [here](http://kubernetes.io/docs/api-reference/v1/definitions/#_v1_pod | |||
wasn't sure how revisionist we get about blog post updates, but this advice isn't current
The ResourceQuota section is incorrect, also
Maybe just mark the blog post as being out of date and containing errors?
Deploy preview for kubernetes-io-master-staging ready! Built with commit 2b3c150 https://deploy-preview-12152--kubernetes-io-master-staging.netlify.com
The admission-control update looks good to me.
/lgtm
running privileged containers. | ||
|
||
If you do not want all users with the ability to create a pod to have root-level access to nodes, | ||
you should consider using a policy-based admission plugin to limit the types of pods that can be created. |
you should consider using a policy-based admission plugin to limit the types of pods that can be created. | |
you should consider using a policy-based admission plugin to limit the types of Pods that can be created. |
access to the nodes they run on, including mounting arbitrary host paths, running as root, and | ||
running privileged containers. | ||
|
||
If you do not want all users with the ability to create a pod to have root-level access to nodes, |
If you do not want all users with the ability to create a pod to have root-level access to nodes, | |
If you do not want all users with the ability to create a Pod to have root-level access to nodes, |
@@ -205,7 +205,15 @@ Reference [here](http://kubernetes.io/docs/api-reference/v1/definitions/#_v1_pod | |||
|
|||
|
|||
|
|||
In case you are running containers with elevated privileges (--privileged) you should consider using the “DenyEscalatingExec” admission control. This control denies exec and attach commands to pods that run with escalated privileges that allow host access. This includes pods that run as privileged, have access to the host IPC namespace, and have access to the host PID namespace. For more details on admission controls, see the Kubernetes [documentation](http://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/). | |||
By default, users with the ability to create pods can make use of features that allow root-level | |||
access to the nodes they run on, including mounting arbitrary host paths, running as root, and |
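Review bot: The replacement paragraph ("By default, users with the ability to create pods ... you should consider using a policy-based admission plugin") drops the only link in this hunk to the admission controllers reference, which the DenyEscalatingExec paragraph being replaced carried (http://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/); since the new text still tells readers to pick a policy-based admission plugin without naming one, keep that link (or a pointer to the current cluster hardening guidance) in the new paragraph so readers can find which plugins are available.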
access to the nodes they run on, including mounting arbitrary host paths, running as root, and | |
access to the Nodes they run on, including mounting arbitrary host paths, running as the `root` user, and |
@@ -205,7 +205,15 @@ Reference [here](http://kubernetes.io/docs/api-reference/v1/definitions/#_v1_pod | |||
|
|||
|
|||
|
|||
In case you are running containers with elevated privileges (--privileged) you should consider using the “DenyEscalatingExec” admission control. This control denies exec and attach commands to pods that run with escalated privileges that allow host access. This includes pods that run as privileged, have access to the host IPC namespace, and have access to the host PID namespace. For more details on admission controls, see the Kubernetes [documentation](http://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/). | |||
By default, users with the ability to create pods can make use of features that allow root-level |
By default, users with the ability to create pods can make use of features that allow root-level | |
By default, users with the ability to create Pods can make use of features that allow root-level |
content/en/docs/reference/access-authn-authz/admission-controllers.md
@liggitt Small nits, also great to see you again! Let me know if you (dis)agree. I made them as suggestions, so you should just be able to accept them if they work.
/hold cancel
@zparnold made the suggested changes inline, and reverted the blog post content changes in favor of a note at the top pointing to latest cluster hardening guides.
@zparnold Please take a look and state your approval.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: zparnold. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Update guidance for admission plugins
/hold
for kubernetes/kubernetes#72737