enable SA secret ref limitting per SA. Default to insecure #3907
Conversation
|
Seems reasonable at first glance (I didn't look in great detail yet). I'd define the annotation upstream (what's the case for a different annotation meaning "allow all" between openshift and upstream?), and I'd test for a value of "true", not just presence. |
|
Need to be clear that that modifying annotations of service accounts in the "ensure" list won't reconcile existing service accounts with those names. |
| if options.ServiceAccountConfig.AllowPermissive { | ||
| saAdmitter.AllowAllSecretsAnnotation = configapi.ServiceAccountAllowAnySecretAnnotation | ||
| } | ||
| admissionController = admission.NewChainHandler(admissionController, saAdmitter) |
There was a problem hiding this comment.
We have to keep service account admission at its current position in the chain
There was a problem hiding this comment.
SCC depends on it being set, and quota should come last since a later rejection will allocate quota until the reconcile controller frees it
There was a problem hiding this comment.
SCC depends on it being set, and quota should come last since a later rejection will allocate quota until the reconcile controller frees it
You know what we need: a dependency graph.... :)
deads2k
force-pushed
the
configure-sa-controller
branch
from
0d51598
to
f22116f
Compare
|
comments addressed. |
deads2k
force-pushed
the
configure-sa-controller
branch
2 times, most recently
from
2905eb2
to
b1b4846
Compare
|
@pweil- You worked enough with service accounts to review? |
deads2k
force-pushed
the
configure-sa-controller
branch
from
b1b4846
to
a87d134
Compare
deads2k
changed the title
|
Inverted to be insecure by default. @smarterclayton The way I currently have it will make existing clusters suddenly less secure. Do you want to keep pre-existing configs enforcing? It's easy, I just wasn't sure you'd want to do that because it will be kind of weird config-wise. |
|
I think if we make this change then we'll want to doc it in templates and On Tue, Jul 28, 2015 at 9:23 AM, David Eads notifications@github.com
Clayton Coleman | Lead Engineer, OpenShift |
deads2k
force-pushed
the
configure-sa-controller
branch
from
a87d134
to
d82a094
Compare
|
Renamed to |
I don't want to eliminate that |
|
Also, "secure"/"insecure" are probably misleading terms. Enforcing/permissive might be better |
Is really no different to me than whether enforcing is the default. I On Tue, Jul 28, 2015 at 5:03 PM, Jordan Liggitt notifications@github.com
Clayton Coleman | Lead Engineer, OpenShift |
In order to achieve that, you need the switch to allow a subset of |
|
I'm not sure we have to ensure an enforcing service account in every On Wed, Jul 29, 2015 at 7:37 AM, David Eads notifications@github.com
Clayton Coleman | Lead Engineer, OpenShift |
|
[test] |
1 similar comment
|
[test] |
|
What's the latest on this? On Fri, Aug 7, 2015 at 2:47 PM, David Eads notifications@github.com wrote:
Clayton Coleman | Lead Engineer, OpenShift |
|
Upstream has stalled. We could commit in origin without getting it into upstream. The API hasn't changed, but it would mean that we end up carrying slightly different admission code via patches. Nothing too bad, but @liggitt should take a look. |
| @@ -144,6 +147,15 @@ func (e *ServiceAccountsController) Stop() { | |||
| } | |||
| } | |||
|
|
|||
| func (e *ServiceAccountsController) ensuresServiceAccount(name string) bool { | |||
There was a problem hiding this comment.
weird name... also, unused?
deads2k
force-pushed
the
configure-sa-controller
branch
from
d82a094
to
fd31332
Compare
|
rebased |
| @@ -38,6 +39,9 @@ import ( | |||
| // DefaultServiceAccountName is the name of the default service account to set on pods which do not specify a service account | |||
| const DefaultServiceAccountName = "default" | |||
|
|
|||
| // EnforceMountableSecretsAnnotation is a default annotation that indicates that a service account should enforce mountable secrets | |||
There was a problem hiding this comment.
doc that the value should be "true", not just present
|
nit on annotation doc, admission plugin chain construction changes, then LGTM |
deads2k
force-pushed
the
configure-sa-controller
branch
2 times, most recently
from
bdd0095
to
deb60c0
Compare
|
comments addressed. |
|
flake: #4294 re[test] |
| return nil, err | ||
| } | ||
|
|
||
| masterConfig.ServiceAccountConfig.LimitSecretReferences = true |
There was a problem hiding this comment.
interesting... I like it, but a comment about why we're not using a default would be good to keep this from getting removed by someone
There was a problem hiding this comment.
interesting... I like it, but a comment about why we're not using a default would be good to keep this from getting removed by someone
done
|
LGTM |
|
upstream PR updated? |
deads2k
force-pushed
the
configure-sa-controller
branch
from
deb60c0
to
4f640cd
Compare
yes |
|
[merge] |
|
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_requests_origin/3053/) (Image: devenv-fedora_2187) |
|
continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin/4361/) |
deads2k
force-pushed
the
configure-sa-controller
branch
from
4f640cd
to
8198fde
Compare
|
Evaluated for origin merge up to 8198fde |
|
Evaluated for origin test up to 8198fde |
Merged by openshift-bot
Upstream kubernetes/kubernetes#11827
@smarterclayton Before I take this upstream, does it do what you want?
@liggitt Did you have something else in mind? This doesn't require any API changes and leave the cluster admin in control as to whether he wants to allow a project admin to do this.