UPSTREAM: <carry>: Remove write permissions on daemonsets from Kubernetes bootstrap policy #18971
Conversation
openshift-ci-robot
added
sig/security
kind/bug
openshift-merge-robot
added
the
vendor-update
openshift-ci-robot
added
the
size/L
…etes bootstrap policy Due to how daemonsets interact with the project node selector, we need to limit write access to them to the cluster admin. Bug 1536304 Bug 1501514 Signed-off-by: Monis Khan <mkhan@redhat.com>
Bug 1536304 Bug 1501514 Signed-off-by: Monis Khan <mkhan@redhat.com>
enj
force-pushed
the
enj/i/disable_daemonset_carry/1536304,1501514
branch
from
6b82223
to
a42347b
Compare
|
/lgtm |
openshift-ci-robot
added
lgtm
|
I think it would be consistent to remove read permission as well otherwise it just more confusing. There is no reason regular user should even see a daemonset nor create it. /cherrypick release-3.9 |
|
@tnozicka: once the present PR merges, I will cherry-pick it on top of release-3.9 in a new PR and assign it to you. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
no. |
|
@liggitt so if someone disables DS for their regular users on their cluster like Online; Why should making security decision about permissions be restricted by a way how some command is implemented? |
Letting a user see daemonsets running in their namespace is not problematic. |
Yes, it isn't problematic. It is also not ideal. But I can live with that. |
|
removing just write lgtm do we need that in 3.7? (do we use the same permission model from upstream there?) /retest |
|
/approve The @simo5 can we cancel the hold here? |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: enj, mfojtik, simo5 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci-robot
added
the
approved
|
/hold cancel |
openshift-ci-robot
removed
the
do-not-merge/hold
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
We pulled these in #17976 so this only needs to go back to 3.9. |
|
@enj: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
Automatic merge from submit-queue. |
|
@tnozicka: new pull request created: #18977 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Due to how daemonsets interact with the project node selector, we need to limit write access to them to the cluster admin.
Bug 1536304
Bug 1501514
Signed-off-by: Monis Khan mkhan@redhat.com
/kind bug
/assign @liggitt @deads2k @simo5 @smarterclayton
@openshift/sig-security
/cherrypick release-3.9