Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP3:Update
kubernetes1.24.35690
bypass-mountable-secrets-policy-imposed-by-SA-a...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File bypass-mountable-secrets-policy-imposed-by-SA-admission-plugin.patch of Package kubernetes1.24.35690
From: distributors-announce <distributors-announce@kubernetes.io> Date: Tue, 2 Apr 2024 22:31:33 -0700 Subject: Fix CVE-2024-3177 --- .../pkg/admission/serviceaccount/admission.go | 21 +++ .../serviceaccount/admission_test.go | 127 ++++++++++++++++-- 2 files changed, 134 insertions(+), 14 deletions(-) Index: kubernetes-1.24.17/plugin/pkg/admission/serviceaccount/admission.go =================================================================== --- kubernetes-1.24.17.orig/plugin/pkg/admission/serviceaccount/admission.go +++ kubernetes-1.24.17/plugin/pkg/admission/serviceaccount/admission.go @@ -338,6 +338,13 @@ func (s *Plugin) limitSecretReferences(s } } } + for _, envFrom := range container.EnvFrom { + if envFrom.SecretRef != nil { + if !mountableSecrets.Has(envFrom.SecretRef.Name) { + return fmt.Errorf("init container %s with envFrom referencing secret.secretName=\"%s\" is not allowed because service account %s does not reference that secret", container.Name, envFrom.SecretRef.Name, serviceAccount.Name) + } + } + } } for _, container := range pod.Spec.Containers { @@ -348,6 +355,13 @@ func (s *Plugin) limitSecretReferences(s } } } + for _, envFrom := range container.EnvFrom { + if envFrom.SecretRef != nil { + if !mountableSecrets.Has(envFrom.SecretRef.Name) { + return fmt.Errorf("container %s with envFrom referencing secret.secretName=\"%s\" is not allowed because service account %s does not reference that secret", container.Name, envFrom.SecretRef.Name, serviceAccount.Name) + } + } + } } // limit pull secret references as well @@ -389,6 +403,13 @@ func (s *Plugin) limitEphemeralContainer } } } + for _, envFrom := range container.EnvFrom { + if envFrom.SecretRef != nil { + if !mountableSecrets.Has(envFrom.SecretRef.Name) { + return fmt.Errorf("ephemeral container %s with envFrom referencing secret.secretName=\"%s\" is not allowed because service account %s does not reference that secret", container.Name, envFrom.SecretRef.Name, serviceAccount.Name) + } + } + } } return nil } Index: kubernetes-1.24.17/plugin/pkg/admission/serviceaccount/admission_test.go =================================================================== --- kubernetes-1.24.17.orig/plugin/pkg/admission/serviceaccount/admission_test.go +++ kubernetes-1.24.17/plugin/pkg/admission/serviceaccount/admission_test.go @@ -28,7 +28,6 @@ import ( v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" - "k8s.io/apimachinery/pkg/util/diff" "k8s.io/apiserver/pkg/admission" admissiontesting "k8s.io/apiserver/pkg/admission/testing" "k8s.io/client-go/informers" @@ -225,10 +224,10 @@ func TestAssignsDefaultServiceAccountAnd } if !reflect.DeepEqual(expectedVolumes, pod.Spec.Volumes) { - t.Errorf("unexpected volumes: %s", diff.ObjectReflectDiff(expectedVolumes, pod.Spec.Volumes)) + t.Errorf("unexpected volumes: %s", cmp.Diff(expectedVolumes, pod.Spec.Volumes)) } if !reflect.DeepEqual(expectedVolumeMounts, pod.Spec.Containers[0].VolumeMounts) { - t.Errorf("unexpected volumes: %s", diff.ObjectReflectDiff(expectedVolumeMounts, pod.Spec.Containers[0].VolumeMounts)) + t.Errorf("unexpected volumes: %s", cmp.Diff(expectedVolumeMounts, pod.Spec.Containers[0].VolumeMounts)) } // ensure result converted to v1 matches defaulted object @@ -524,6 +523,25 @@ func TestAllowsReferencedSecret(t *testi pod2 = &api.Pod{ Spec: api.PodSpec{ + Containers: []api.Container{ + { + Name: "container-1", + EnvFrom: []api.EnvFromSource{ + { + SecretRef: &api.SecretEnvSource{ + LocalObjectReference: api.LocalObjectReference{ + Name: "foo"}}}}, + }, + }, + }, + } + attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "", admission.Create, &metav1.CreateOptions{}, false, nil) + if err := admissiontesting.WithReinvocationTesting(t, admit).Admit(context.TODO(), attrs, nil); err != nil { + t.Errorf("Unexpected error: %v", err) + } + + pod2 = &api.Pod{ + Spec: api.PodSpec{ InitContainers: []api.Container{ { Name: "container-1", @@ -548,6 +566,25 @@ func TestAllowsReferencedSecret(t *testi pod2 = &api.Pod{ Spec: api.PodSpec{ + InitContainers: []api.Container{ + { + Name: "container-1", + EnvFrom: []api.EnvFromSource{ + { + SecretRef: &api.SecretEnvSource{ + LocalObjectReference: api.LocalObjectReference{ + Name: "foo"}}}}, + }, + }, + }, + } + attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "", admission.Create, &metav1.CreateOptions{}, false, nil) + if err := admissiontesting.WithReinvocationTesting(t, admit).Admit(context.TODO(), attrs, nil); err != nil { + t.Errorf("Unexpected error: %v", err) + } + + pod2 = &api.Pod{ + Spec: api.PodSpec{ ServiceAccountName: DefaultServiceAccountName, EphemeralContainers: []api.EphemeralContainer{ { @@ -573,6 +610,28 @@ func TestAllowsReferencedSecret(t *testi if err := admit.Validate(context.TODO(), attrs, nil); err != nil { t.Errorf("Unexpected error: %v", err) } + + pod2 = &api.Pod{ + Spec: api.PodSpec{ + ServiceAccountName: DefaultServiceAccountName, + EphemeralContainers: []api.EphemeralContainer{ + { + EphemeralContainerCommon: api.EphemeralContainerCommon{ + Name: "container-2", + EnvFrom: []api.EnvFromSource{{ + SecretRef: &api.SecretEnvSource{ + LocalObjectReference: api.LocalObjectReference{ + Name: "foo"}}}}, + }, + }, + }, + }, + } + // validate enforces restrictions on secret mounts when operation==update and subresource==ephemeralcontainers" + attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "ephemeralcontainers", admission.Update, &metav1.UpdateOptions{}, false, nil) + if err := admit.Validate(context.TODO(), attrs, nil); err != nil { + t.Errorf("Unexpected error: %v", err) + } } func TestRejectsUnreferencedSecretVolumes(t *testing.T) { @@ -629,25 +688,20 @@ func TestRejectsUnreferencedSecretVolume pod2 = &api.Pod{ Spec: api.PodSpec{ - InitContainers: []api.Container{ + Containers: []api.Container{ { Name: "container-1", - Env: []api.EnvVar{ + EnvFrom: []api.EnvFromSource{ { - Name: "env-1", - ValueFrom: &api.EnvVarSource{ - SecretKeyRef: &api.SecretKeySelector{ - LocalObjectReference: api.LocalObjectReference{Name: "foo"}, - }, - }, - }, - }, + SecretRef: &api.SecretEnvSource{ + LocalObjectReference: api.LocalObjectReference{ + Name: "foo"}}}}, }, }, }, } attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "", admission.Create, &metav1.CreateOptions{}, false, nil) - if err := admissiontesting.WithReinvocationTesting(t, admit).Admit(context.TODO(), attrs, nil); err == nil || !strings.Contains(err.Error(), "with envVar") { + if err := admissiontesting.WithReinvocationTesting(t, admit).Admit(context.TODO(), attrs, nil); err == nil || !strings.Contains(err.Error(), "with envFrom") { t.Errorf("Unexpected error: %v", err) } @@ -683,6 +737,30 @@ func TestRejectsUnreferencedSecretVolume pod2 = &api.Pod{ Spec: api.PodSpec{ ServiceAccountName: DefaultServiceAccountName, + InitContainers: []api.Container{ + { + Name: "container-1", + EnvFrom: []api.EnvFromSource{ + { + SecretRef: &api.SecretEnvSource{ + LocalObjectReference: api.LocalObjectReference{ + Name: "foo"}}}}, + }, + }, + }, + } + attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "", admission.Update, &metav1.UpdateOptions{}, false, nil) + if err := admissiontesting.WithReinvocationTesting(t, admit).Admit(context.TODO(), attrs, nil); err != nil { + t.Errorf("admit only enforces restrictions on secret mounts when operation==create. Unexpected error: %v", err) + } + attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "", admission.Create, &metav1.CreateOptions{}, false, nil) + if err := admit.Validate(context.TODO(), attrs, nil); err == nil || !strings.Contains(err.Error(), "with envFrom") { + t.Errorf("validate only enforces restrictions on secret mounts when operation==create and subresource==''. Unexpected error: %v", err) + } + + pod2 = &api.Pod{ + Spec: api.PodSpec{ + ServiceAccountName: DefaultServiceAccountName, EphemeralContainers: []api.EphemeralContainer{ { EphemeralContainerCommon: api.EphemeralContainerCommon{ @@ -710,6 +788,27 @@ func TestRejectsUnreferencedSecretVolume if err := admit.Validate(context.TODO(), attrs, nil); err == nil || !strings.Contains(err.Error(), "with envVar") { t.Errorf("validate enforces restrictions on secret mounts when operation==update and subresource==ephemeralcontainers. Unexpected error: %v", err) } + + pod2 = &api.Pod{ + Spec: api.PodSpec{ + ServiceAccountName: DefaultServiceAccountName, + EphemeralContainers: []api.EphemeralContainer{ + { + EphemeralContainerCommon: api.EphemeralContainerCommon{ + Name: "container-2", + EnvFrom: []api.EnvFromSource{{ + SecretRef: &api.SecretEnvSource{ + LocalObjectReference: api.LocalObjectReference{ + Name: "foo"}}}}, + }, + }, + }, + }, + } + attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "ephemeralcontainers", admission.Update, &metav1.UpdateOptions{}, false, nil) + if err := admit.Validate(context.TODO(), attrs, nil); err == nil || !strings.Contains(err.Error(), "with envFrom") { + t.Errorf("validate enforces restrictions on secret mounts when operation==update and subresource==ephemeralcontainers. Unexpected error: %v", err) + } } func TestAllowUnreferencedSecretVolumesForPermissiveSAs(t *testing.T) {
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor