github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-22 11:21:47 +00:00
Code Issues Projects Releases Wiki Activity

prevent disallowed secret refs from leaking via the downward API

Browse Source
This commit is contained in:
deads2k 2016-03-11 13:27:50 -05:00
parent 502d2457bb
commit 9d22f8b5a7
2 changed files with 66 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
plugin/pkg/admission/serviceaccount/admission.go
View File

@ -324,6 +324,16 @@ func (s *serviceAccount) limitSecretReferences(serviceAccount *api.ServiceAccoun
} }
} }
for _, container := range pod.Spec.Containers {
for _, env := range container.Env {
if env.ValueFrom != nil && env.ValueFrom.SecretKeyRef != nil {
if !mountableSecrets.Has(env.ValueFrom.SecretKeyRef.Name) {
return fmt.Errorf("Container %s with envVar %s referencing secret.secretName=\"%s\" is not allowed because service account %s does not reference that secret", container.Name, env.Name, env.ValueFrom.SecretKeyRef.Name, serviceAccount.Name)
}
}
}
}
// limit pull secret references as well // limit pull secret references as well
pullSecrets := sets.NewString() pullSecrets := sets.NewString()
for _, s := range serviceAccount.ImagePullSecrets { for _, s := range serviceAccount.ImagePullSecrets {

65
plugin/pkg/admission/serviceaccount/admission_test.go
View File

@ -18,6 +18,7 @@ package serviceaccount
import ( import (
"reflect" "reflect"
"strings"
"testing" "testing"
"k8s.io/kubernetes/pkg/admission" "k8s.io/kubernetes/pkg/admission"
@ -367,7 +368,7 @@ func TestRespectsExistingMount(t *testing.T) {
} }
} }
func TestAllowsReferencedSecretVolumes(t *testing.T) { func TestAllowsReferencedSecret(t *testing.T) {
ns := "myns" ns := "myns"
admit := NewServiceAccount(nil) admit := NewServiceAccount(nil)
@ -385,16 +386,39 @@ func TestAllowsReferencedSecretVolumes(t *testing.T) {
}, },
}) })
pod := &api.Pod{ pod1 := &api.Pod{
Spec: api.PodSpec{ Spec: api.PodSpec{
Volumes: []api.Volume{ Volumes: []api.Volume{
{VolumeSource: api.VolumeSource{Secret: &api.SecretVolumeSource{SecretName: "foo"}}}, {VolumeSource: api.VolumeSource{Secret: &api.SecretVolumeSource{SecretName: "foo"}}},
}, },
}, },
} }
attrs := admission.NewAttributesRecord(pod, api.Kind("Pod"), ns, "myname", api.Resource("pods"), "", admission.Create, nil) attrs := admission.NewAttributesRecord(pod1, api.Kind("Pod"), ns, "myname", api.Resource("pods"), "", admission.Create, nil)
err := admit.Admit(attrs) if err := admit.Admit(attrs); err != nil {
if err != nil { t.Errorf("Unexpected error: %v", err)
}
pod2 := &api.Pod{
Spec: api.PodSpec{
Containers: []api.Container{
{
Name: "container-1",
Env: []api.EnvVar{
{
Name: "env-1",
ValueFrom: &api.EnvVarSource{
SecretKeyRef: &api.SecretKeySelector{
LocalObjectReference: api.LocalObjectReference{Name: "foo"},
},
},
},
},
},
},
},
}
attrs = admission.NewAttributesRecord(pod2, api.Kind("Pod"), ns, "myname", api.Resource("pods"), "", admission.Create, nil)
if err := admit.Admit(attrs); err != nil {
t.Errorf("Unexpected error: %v", err) t.Errorf("Unexpected error: %v", err)
} }
} }
@ -414,18 +438,41 @@ func TestRejectsUnreferencedSecretVolumes(t *testing.T) {
}, },
}) })
pod := &api.Pod{ pod1 := &api.Pod{
Spec: api.PodSpec{ Spec: api.PodSpec{
Volumes: []api.Volume{ Volumes: []api.Volume{
{VolumeSource: api.VolumeSource{Secret: &api.SecretVolumeSource{SecretName: "foo"}}}, {VolumeSource: api.VolumeSource{Secret: &api.SecretVolumeSource{SecretName: "foo"}}},
}, },
}, },
} }
attrs := admission.NewAttributesRecord(pod, api.Kind("Pod"), ns, "myname", api.Resource("pods"), "", admission.Create, nil) attrs := admission.NewAttributesRecord(pod1, api.Kind("Pod"), ns, "myname", api.Resource("pods"), "", admission.Create, nil)
err := admit.Admit(attrs) if err := admit.Admit(attrs); err == nil {
if err == nil {
t.Errorf("Expected rejection for using a secret the service account does not reference") t.Errorf("Expected rejection for using a secret the service account does not reference")
} }
pod2 := &api.Pod{
Spec: api.PodSpec{
Containers: []api.Container{
{
Name: "container-1",
Env: []api.EnvVar{
{
Name: "env-1",
ValueFrom: &api.EnvVarSource{
SecretKeyRef: &api.SecretKeySelector{
LocalObjectReference: api.LocalObjectReference{Name: "foo"},
},
},
},
},
},
},
},
}
attrs = admission.NewAttributesRecord(pod2, api.Kind("Pod"), ns, "myname", api.Resource("pods"), "", admission.Create, nil)
if err := admit.Admit(attrs); err == nil || !strings.Contains(err.Error(), "with envVar") {
t.Errorf("Unexpected error: %v", err)
}
} }
func TestAllowUnreferencedSecretVolumesForPermissiveSAs(t *testing.T) { func TestAllowUnreferencedSecretVolumesForPermissiveSAs(t *testing.T) {