upstream/kubernetes
1
0
Fork 0
mirror of https://github.com/kubernetes/kubernetes.git synced 2026-03-10 18:40:55 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
kubernetes/plugin/pkg/auth/authorizer
History
Kubernetes Submit Queue 83633d5bc3
Merge pull request #64837 from liggitt/mirror-pod-node-authorizer-graph 
Automatic merge from submit-queue (batch tested with PRs 65254, 64837, 64782, 64555, 64850). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Short-circuit node authorizer graph edges for mirror pods

When building the graph of resources allowed to a node by a given pod, short-circuit adding edges to other resources for mirror pods. A node must never be able to create a pod that grants them permissions on other API objects. The NodeRestriction admission plugin prevents creation of such pods, but short-circuiting here gives us defense in depth.

/assign @tallclair
/sig auth

```release-note
NONE
```
2018-06-20 11:28:09 -07:00
..
node Short-circuit node authorizer graph edges for mirror pods 2018-06-06 11:34:14 -04:00
rbac Added PV GET api rule to external-provisioner 2018-06-13 14:49:58 -07:00
BUILD update BUILD files 2017-10-15 18:18:13 -07:00
doc.go Use Go canonical import paths 2016-07-16 13:48:21 -04:00