Bug 1996689: Tighten up RestrictedEndpointsAdmission #899
@danwinship: This pull request references Bugzilla bug 1996689, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
@danwinship: the contents of this pull request could not be automatically validated. The following commits could not be validated and must be approved by a top-level approver:
3cd80ee to 5034fde
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml (outdated, resolved)
5034fde to bf58b20
bf58b20 to 60268c4
60268c4 to 28bdde9
/hold cancel
func (r *restrictedEndpointsAdmission) sliceFindRestrictedIP(slice *discovery.EndpointSlice, restricted []*net.IPNet) error { | ||
for _, endpoint := range slice.Endpoints { | ||
for _, addr := range endpoint.Addresses { |
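Review bot: the inner loop over endpoint.Addresses shows no check of the endpoint's conditions before an address is tested, so a not-ready endpoint is treated the same as a ready one. If that is intended, state it in a comment on sliceFindRestrictedIP so the check is not later narrowed to ready endpoints only.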
do you want to check the EndpointConditions to see if the endpoint is Ready?
Why? If it has restricted IPs, then it's restricted, regardless of conditions
because the endpoints code only checks the ready ones?
it was curiosity only, the endpoints code only parses for _, addr := range subset.Addresses, it doesn't parse subsets.NotReadyAddresses
hm... that seems more like a bug in the Endpoints version 😯
(it doesn't currently matter since we don't point any services to the NotReadyAddresses, but someone might use them for something in the future.)
yeah, as I've said, it was mostly curiosity,
as commented elsewhere, adding NotReadyAddresses validation is technically a breaking change. If we want that, then we need a good reason, e.g. a CVE.
(it doesn't currently matter since we don't point any services to the NotReadyAddresses, but someone might use them for something in the future.)
I've talked with Stefan and we shouldn't add it because if someone has created it before, after upgrade the endpoint will become invalid and as you say it seems only cosmetic, sorry for the noise #899 (comment)
commented in the other thread; it's part of CVE-2021-25740; upstream solved that CVE by blocking all Endpoints modifications, we are blocking it with a more surgical blocking. But previously we had missed part of it
28bdde9 to 7e00427
/retest
/retest-required
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go (outdated, resolved)
/lgtm
/test e2e-gcp-upgrade
/retest
/approve
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: abhat, aojea, danwinship, sttts
/retest-required Please review the full test history for this PR and help us cut down flakes.
@danwinship: Some pull requests linked via external trackers have merged: The following pull requests linked via external trackers have not merged:
These pull request must merge or be unlinked from the Bugzilla bug in order for it to move to the next state. Once unlinked, request a bug refresh with Bugzilla bug 1996689 has not been moved to the MODIFIED state. In response to this:
We prevent users from creating Endpoints that point into the cluster or service networks (or to the cloud metadata server, or to the MCS), but we don't currently prevent the creation of EndpointSlices in the same way.
[EDIT] OK, so actually project admins don't normally have EndpointSlice edit permission anyway. So this part isn't needed to prevent the CVE. However, it does make it so that if the admin chooses to give someone EndpointSlice edit permission, then it will work like the existing Endpoints edit permission; they can make any modification except adding restricted endpoints. The new e2e test checks this.
Also, we were failing to block updates to NotReadyEndpoints in Endpoints, which could potentially be used for a CVE-2021-25740-like attack in the future.
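
The check described above, sketched as an added example (not code from this pull request): the local `Subset` and `SliceEndpoint` types are hypothetical stand-ins for the Kubernetes API types, and the two CIDRs are constructed sample values. It rejects restricted IPs in both Endpoints address lists and in every EndpointSlice endpoint regardless of readiness, and the IPv4-mapped IPv6 handling goes beyond what the page discusses.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Hypothetical stand-ins for the Endpoints and EndpointSlice shapes (not the k8s.io/api types).
type Subset struct{ Addresses, NotReadyAddresses []string }
type SliceEndpoint struct{ Addresses []string; Ready bool }

// Constructed sample ranges standing in for the cluster and service networks.
var restricted = []netip.Prefix{netip.MustParsePrefix("10.128.0.0/14"), netip.MustParsePrefix("172.30.0.0/16")}

// findRestrictedIP reports the first address that falls in a restricted range.
func findRestrictedIP(addrs []string) error {
	for _, a := range addrs {
		ip, err := netip.ParseAddr(a) // non-IP strings are skipped; API validation owns those
		for _, p := range restricted {
			// Unmap so that ::ffff:a.b.c.d is matched against the IPv4 ranges.
			if err == nil && p.Contains(ip.Unmap()) {
				return fmt.Errorf("address %s is in restricted range %s", a, p)
			}
		}
	}
	return nil
}

// CheckEndpoints covers both lists, so a not-ready entry cannot slip past.
func CheckEndpoints(subsets []Subset) error {
	var addrs []string
	for _, s := range subsets {
		addrs = append(append(addrs, s.Addresses...), s.NotReadyAddresses...)
	}
	return findRestrictedIP(addrs)
}

// CheckSlice ignores Ready: a restricted IP is rejected whatever its conditions.
func CheckSlice(eps []SliceEndpoint) error {
	var addrs []string
	for _, ep := range eps {
		addrs = append(addrs, ep.Addresses...)
	}
	return findRestrictedIP(addrs)
}

func main() {
	fmt.Println(CheckEndpoints([]Subset{{NotReadyAddresses: []string{"172.30.0.1"}}}))
}
```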