If someone gains the ability to create static pods, they might try to use that
ability to run code which gets access to the resources associated with some
existing claim which was previously allocated for some other pod. Such an
attempt already fails because the claim status tracks which pods are allowed to
use the claim, the static pod is not in that list, the node is not authorized
to add it, and the kubelet checks that list before starting the pod in
195803cde5/pkg/kubelet/cm/dra/manager.go (L218-L222).
Even if the pod were started, DRA drivers typically manage node-local resources
which can already be accessed via such an attack without involving DRA. DRA
drivers which manage non-node-local resources have to consider access by a
compromised node as part of their threat model.
Nonetheless, it is better to not accept static pods which reference
ResourceClaims or ResourceClaimTemplates in the first place because there
is no valid use case for it.
This is done at different levels for defense in depth:
- configuration validation in the kubelet
- admission checking of node restrictions
- API validation
Co-authored-by: Jordan Liggitt <liggitt@google.com>
Code changes by Jordan, with one small change (resourceClaims -> resourceclaims).
Unit tests by Patrick.
* Change: Handling nil runtime.Object
Signed-off-by: Taha Farahani <tahacodes@proton.me>
* Change: Return only if there is error in rollout_history
Signed-off-by: Taha Farahani <tahacodes@proton.me>
* Change: Return the unknown revision error directly in rollout_history.go
Signed-off-by: Taha Farahani <tahacodes@proton.me>
* Change: Remove unintended newline
Signed-off-by: Taha Farahani <tahacodes@proton.me>
* Change: Using go idiomatic way for checking if historyInfo[o.Revision] exists
Signed-off-by: Taha Farahani <tahacodes@proton.me>
* Change: Remove 'error:' from returned error message in rollout_history.go
Signed-off-by: Taha Farahani <tahacodes@proton.me>
* Change: Check for printer.PrintObj returned err
Signed-off-by: Taha Farahani <tahacodes@proton.me>
* Change: Add TestRolloutHistoryErrors test
Signed-off-by: Taha Farahani <tahacodes@proton.me>
* Change: Simple typo fix on Complete() function description
Signed-off-by: Taha Farahani <tahacodes@proton.me>
* Change: Checking for error on o.Complete in TestRolloutHistoryErrors
Signed-off-by: Taha Farahani <tahacodes@proton.me>
---------
Signed-off-by: Taha Farahani <tahacodes@proton.me>
This PR fixes a possible panic caused by decoding a JSON document
followed by a YAML document that is shorter than the first json
document.
This can cause a panic because the stream already consumed the JSON
data. When we fallback to YAML reader, the YAML starts with a zero
offset while the stream consumed data is non-zero. This could lead into
consuming negative bytes because `d.yaml.InputOffset() -
d.stream.Consumed()` is negative which will cause a panic.
Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
With StreamingCollectionEncodingToJSON and
StreamingCollectionEncodingToProtobuf, the WatchList must re-justify its
necessity. To prevent an ecosystem from building around a feature that
may not be promoted, we will stop serving list-via-watch until
performance numbers can justify its inclusion.
This also stops the kube-controller-manager from using the
list-via-watch by default. The fallback is a regular list, so during
the skew during an upgrade the "right" thing will happen and the new
StreamingCollectionEncoding will be used.
This change modifies the validation logic for ServiceCIDR updates
(`ValidateServiceCIDRUpdate`) to specifically permit upgrading a
single-stack ServiceCIDR (either IPv4 or IPv6) to a dual-stack
configuration.
This reconfiguration path is considered safe because it only involves adding
a new CIDR range without altering the existing primary CIDR. This
ensures that existing Service IP allocations are not disrupted.
Other modifications, such as:
- Downgrading from dual-stack to single-stack
- Reordering CIDRs in a dual-stack configuration
- Changing the primary CIDR during a single-to-dual-stack
reconfiguration
remain disallowed by the validation. These operations carry a higher
risk of breaking existing Services or cluster networking
configurations. Preventing these updates automatically encourages
administrators to perform such changes manually after carefully
assessing the potential impact on their specific cluster environment.
The validation errors and controller logs provide guidance when such
disallowed changes are attempted.
Change-Id: I41dc09dfddb05f277925da2262f8114d6accbd1d
