enable SA secret ref limiting per SA. Default to insecure #3907
Conversation
Seems reasonable at first glance (I didn't look in great detail yet). I'd define the annotation upstream (what's the case for a different annotation meaning "allow all" between openshift and upstream?), and I'd test for a value of "true", not just presence.
Need to be clear that modifying annotations of service accounts in the "ensure" list won't reconcile existing service accounts with those names.
if options.ServiceAccountConfig.AllowPermissive { | ||
saAdmitter.AllowAllSecretsAnnotation = configapi.ServiceAccountAllowAnySecretAnnotation | ||
} | ||
admissionController = admission.NewChainHandler(admissionController, saAdmitter) |
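Review bot: the last line appends saAdmitter to the end of the existing chain with admission.NewChainHandler(admissionController, saAdmitter), which moves service account admission out of its current position; SCC admission depends on the service account already being set and quota should stay last, so build the chain with saAdmitter at its original slot instead of appending it. A short comment above the `if options.ServiceAccountConfig.AllowPermissive` block would also help: leaving AllowAllSecretsAnnotation empty is what disables the per-SA opt-out, and that is not obvious from the field name alone.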
We have to keep service account admission at its current position in the chain
SCC depends on it being set, and quota should come last since a later rejection will allocate quota until the reconcile controller frees it
You know what we need: a dependency graph.... :)
0d51598 to f22116f
comments addressed.
2905eb2 to b1b4846
@pweil- You worked enough with service accounts to review?
b1b4846 to a87d134
Inverted to be insecure by default. @smarterclayton The way I currently have it will make existing clusters suddenly less secure. Do you want to keep pre-existing configs enforcing? It's easy, I just wasn't sure you'd want to do that because it will be kind of weird config-wise.
I think if we make this change then we'll want to doc it in templates and
On Tue, Jul 28, 2015 at 9:23 AM, David Eads notifications@github.com
Clayton Coleman | Lead Engineer, OpenShift
a87d134 to d82a094
Renamed to
I don't want to eliminate that
Also, "secure"/"insecure" are probably misleading terms. Enforcing/permissive might be better
Is really no different to me than whether enforcing is the default. I
On Tue, Jul 28, 2015 at 5:03 PM, Jordan Liggitt notifications@github.com
Clayton Coleman | Lead Engineer, OpenShift
In order to achieve that, you need the switch to allow a subset of
I'm not sure we have to ensure an enforcing service account in every
On Wed, Jul 29, 2015 at 7:37 AM, David Eads notifications@github.com
Clayton Coleman | Lead Engineer, OpenShift
[test]
What's the latest on this?
On Fri, Aug 7, 2015 at 2:47 PM, David Eads notifications@github.com wrote:
Clayton Coleman | Lead Engineer, OpenShift
Upstream has stalled. We could commit in origin without getting it into upstream. The API hasn't changed, but it would mean that we end up carrying slightly different admission code via patches. Nothing too bad, but @liggitt should take a look.
@@ -144,6 +147,15 @@ func (e *ServiceAccountsController) Stop() { | |||
} | |||
} | |||
|
|||
func (e *ServiceAccountsController) ensuresServiceAccount(name string) bool { |
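Review bot: the new method ensuresServiceAccount(name string) bool has no caller anywhere in this hunk; if it is only consumed by the admission plugin or by a later commit, say so in a doc comment, otherwise drop it. The name also reads as an action rather than a membership test; a predicate name such as isEnsuredServiceAccount (hypothetical) would make it clearer that it answers whether name is in the controller's "ensure" list.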
weird name... also, unused?
d82a094 to fd31332
rebased
@@ -38,6 +39,9 @@ import ( | |||
// DefaultServiceAccountName is the name of the default service account to set on pods which do not specify a service account | |||
const DefaultServiceAccountName = "default" | |||
|
|||
// EnforceMountableSecretsAnnotation is a default annotation that indicates that a service account should enforce mountable secrets |
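Review bot: the doc comment on EnforceMountableSecretsAnnotation should state that enforcement applies only when the annotation's value is "true", not merely when the key is present, so readers of the constant and implementers of the admission check agree on the contract; for example: `// EnforceMountableSecretsAnnotation, when set to "true" on a service account, limits pods using it to the secrets listed on the service account`.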
doc that the value should be "true", not just present
nit on annotation doc, admission plugin chain construction changes, then LGTM
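The two review points above (test the annotation for the value "true" rather than for presence, and keep the cluster-wide permissive switch in the admin's hands) can be shown together in a small admission-style check. The following is an added illustration, not code from this PR or from OpenShift/Kubernetes: the ServiceAccount, Pod and Admitter types are stand-ins, the annotation key AllowAnySecretAnnotation is a hypothetical name for the config-side opt-out annotation, and the exact semantics (opt-out honoured only in permissive mode, enforcement only on a literal "true") are assumptions chosen to match the discussion.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Annotation keys. EnforceMountableSecretsAnnotation mirrors the upstream
// constant named in this PR; AllowAnySecretAnnotation is a hypothetical key
// standing in for the config-side "allow any secret" annotation.
const (
	EnforceMountableSecretsAnnotation = "kubernetes.io/enforce-mountable-secrets"
	AllowAnySecretAnnotation          = "example.io/allow-any-secret" // assumed name
)

// ServiceAccount is a minimal stand-in for the API object: its annotations and
// the names of the secrets it is allowed to mount.
type ServiceAccount struct {
	Name        string
	Annotations map[string]string
	Secrets     []string
}

// Pod is a minimal stand-in: the service account it runs as and the secret
// names its volumes reference.
type Pod struct {
	ServiceAccountName string
	SecretRefs         []string
}

// Admitter models the per-SA secret-reference check. AllowAllSecretsAnnotation
// is empty in enforcing mode; in permissive mode the master sets it to the key
// that lets an individual service account opt out of enforcement.
type Admitter struct {
	AllowAllSecretsAnnotation string
}

// enforces reports whether pods using sa must be limited to sa.Secrets. Both
// annotations are compared against the value "true", never merely checked for
// presence, which is the point raised in review.
func (a Admitter) enforces(sa ServiceAccount) bool {
	if a.AllowAllSecretsAnnotation != "" &&
		sa.Annotations[a.AllowAllSecretsAnnotation] == "true" {
		return false // cluster admin allowed the opt-out and this SA took it
	}
	return sa.Annotations[EnforceMountableSecretsAnnotation] == "true"
}

// Admit returns nil when the pod may be created, or an error naming every
// referenced secret that the service account is not allowed to mount.
func (a Admitter) Admit(pod Pod, sa ServiceAccount) error {
	if !a.enforces(sa) {
		return nil
	}
	allowed := make(map[string]bool, len(sa.Secrets))
	for _, s := range sa.Secrets {
		allowed[s] = true
	}
	var denied []string
	for _, ref := range pod.SecretRefs {
		if !allowed[ref] {
			denied = append(denied, ref)
		}
	}
	if len(denied) == 0 {
		return nil
	}
	sort.Strings(denied) // deterministic message for logs and tests
	return fmt.Errorf("pod references secrets not mountable by service account %q: %s",
		sa.Name, strings.Join(denied, ", "))
}

func main() {
	// Constructed sample: an enforcing SA that may only mount its own token.
	sa := ServiceAccount{
		Name:        "builder",
		Annotations: map[string]string{EnforceMountableSecretsAnnotation: "true"},
		Secrets:     []string{"builder-token"},
	}
	pod := Pod{ServiceAccountName: sa.Name, SecretRefs: []string{"builder-token", "db-password"}}
	fmt.Println("enforcing mode:", Admitter{}.Admit(pod, sa))
	permissive := Admitter{AllowAllSecretsAnnotation: AllowAnySecretAnnotation}
	fmt.Println("permissive mode, SA not opted out:", permissive.Admit(pod, sa))
}
```

In enforcing mode the Admitter is constructed with an empty AllowAllSecretsAnnotation, so an opt-out annotation on a service account is simply ignored; only the permissive master setting makes that annotation meaningful, which keeps the cluster admin in control of whether project admins can relax the check.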
bdd0095 to deb60c0
comments addressed.
flake: #4294 re[test]
return nil, err | ||
} | ||
|
||
masterConfig.ServiceAccountConfig.LimitSecretReferences = true |
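Review bot: `masterConfig.ServiceAccountConfig.LimitSecretReferences = true` is set explicitly in the generated config rather than through a defaulting function, while the PR deliberately keeps the API default permissive; add a comment directly above this line saying so, otherwise a later cleanup is likely to read it as a redundant assignment and remove it.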
interesting... I like it, but a comment about why we're not using a default would be good to keep this from getting removed by someone
done
LGTM
upstream PR updated?
deb60c0 to 4f640cd
yes
[merge]
continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_requests_origin/3053/) (Image: devenv-fedora_2187)
continuous-integration/openshift-jenkins/test FAILURE (https://ci.openshift.redhat.com/jenkins/job/test_pull_requests_origin/4361/)
4f640cd to 8198fde
Evaluated for origin merge up to 8198fde
Evaluated for origin test up to 8198fde
Merged by openshift-bot
Upstream kubernetes/kubernetes#11827
@smarterclayton Before I take this upstream, does it do what you want?
@liggitt Did you have something else in mind? This doesn't require any API changes and leaves the cluster admin in control as to whether he wants to allow a project admin to do this.