From a98ea04c916cbaf57bac199d5b9f2c417afe7878 Mon Sep 17 00:00:00 2001
From: Adam Kaplan
Date: Thu, 19 Sep 2024 12:35:58 -0400
Subject: [PATCH] Correcting Instructions to Disable Build Strategy

The documentation for disabling builds by strategy was at one point
updated to include inaccurate instructions [1]. When followed end to end,
these instructions granted the `admin` and `edit` user roles permission
to run builds with the `Source` and `Custom` build strategies. The latter
build strategy is particularly dangerous, as it grants users permission
to execute arbitrary commands in a privileged container.

This change restores these instructions to the original intent of
verifying that the `admin` and `edit` user roles do not have permission
to create Docker strategy builds. It also simplifies the instruction to
add the `autoupdate=false` RBAC annotation.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1923869

Signed-off-by: Adam Kaplan
---
 ...lds-disabling-build-strategy-globally.adoc | 63 ++-----------------
 1 file changed, 4 insertions(+), 59 deletions(-)

diff --git a/modules/builds-disabling-build-strategy-globally.adoc b/modules/builds-disabling-build-strategy-globally.adoc
index 6480bc0570a1..49f212da758e 100644
--- a/modules/builds-disabling-build-strategy-globally.adoc
+++ b/modules/builds-disabling-build-strategy-globally.adoc
@@ -15,32 +15,8 @@ To prevent access to a particular build strategy globally, log in as a user with + [source,terminal] ---- -$ oc edit clusterrolebinding system:build-strategy-docker-binding +$ oc annotate clusterrolebinding.rbac system:build-strategy-docker-binding 'rbac.authorization.kubernetes.io/autoupdate=false' --overwrite ---- -+ -.Example output -[source,yaml] ----- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - rbac.authorization.kubernetes.io/autoupdate: "false" <1> - creationTimestamp: 2018-08-10T01:24:14Z - name: system:build-strategy-docker-binding - resourceVersion: "225" - selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/system%3Abuild-strategy-docker-binding - uid: 17b1f3d4-9c3c-11e8-be62-0800277d20bf -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:build-strategy-docker -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: Group - name: system:authenticated ----- -<1> Change the `rbac.authorization.kubernetes.io/autoupdate` annotation's value to `"false"`. . Remove the role: + 
@@ -49,45 +25,14 @@ subjects: $ oc adm policy remove-cluster-role-from-group system:build-strategy-docker system:authenticated ---- -. Ensure the build strategy subresources are also removed from these roles: +. Ensure the build strategy subresources are also removed from the `admin` and `edit` user roles: + [source,terminal] ---- -$ oc edit clusterrole admin +$ oc get clusterrole admin -o yaml | grep "builds/docker" ---- + [source,terminal] ---- -$ oc edit clusterrole edit ----- - -. For each role, specify the subresources that correspond to the resource of the strategy to disable. - -.. Disable the docker Build Strategy for *admin*: -+ -[source,yaml] ----- -kind: ClusterRole -metadata: - name: admin -... -- apiGroups: - - "" - - build.openshift.io - resources: - - buildconfigs - - buildconfigs/webhooks - - builds/custom <1> - - builds/source - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch -... +$ oc get clusterrole edit -o yaml | grep "builds/docker" ---- -<1> Add `builds/custom` and `builds/source` to disable docker builds globally for users with the *admin* role.
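Review bot: in the first hunk (`@@ -15,32 +15,8 @@`), the new `oc annotate clusterrolebinding.rbac system:build-strategy-docker-binding 'rbac.authorization.kubernetes.io/autoupdate=false' --overwrite` step has an ordering dependency on the `oc adm policy remove-cluster-role-from-group` step that follows it, and the surrounding text should state it. The `autoupdate=false` annotation is what stops the API server's bootstrap RBAC reconciliation from re-adding `system:authenticated` to the default binding; an operator who runs the remove step first and annotates only after an API server restart will find the subject restored. Suggest adding one sentence such as `Set this annotation before removing the role from the group; otherwise the default binding is reconciled back on the next API server restart.` The hunk also drops the YAML example whose `subjects:` block was the only place the page showed that the binding targets the group `system:authenticated`, which is the argument to the remove step; consider keeping a one-line pointer (e.g. `By default this binding grants the role to the system:authenticated group.`) so readers can confirm they are removing the right subject.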
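Review bot: in the second hunk (`@@ -49,45 +25,14 @@`), the replacement commands `oc get clusterrole admin -o yaml | grep "builds/docker"` and `oc get clusterrole edit -o yaml | grep "builds/docker"` are read-only checks, but the step text still says `Ensure the build strategy subresources are also removed from the admin and edit user roles` and nothing states the expected result. Add the expected outcome (the command should print nothing; any `- builds/docker` line means the role still grants Docker builds and that rule must be removed from the role) so a reader does not take empty output for a failed command. A literal grep is also a weak authorization check: a rule written as `resources: ["*"]` or `["*/docker"]` grants the subresource without matching the string. Suggest pairing the grep with an authorization query that asks the API server directly, for example `oc auth can-i create builds --subresource=docker --as=<user-with-admin-role> -n <namespace>`, and keeping the grep only as a quick look at the role text.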