Merge pull request #64837 from liggitt/mirror-pod-node-authorizer-graph

Automatic merge from submit-queue (batch tested with PRs 65254, 64837, 64782, 64555, 64850). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Short-circuit node authorizer graph edges for mirror pods When building the graph of resources allowed to a node by a given pod, short-circuit adding edges to other resources for mirror pods. A node must never be able to create a pod that grants them permissions on other API objects. The NodeRestriction admission plugin prevents creation of such pods, but short-circuiting here gives us defense in depth. /assign @tallclair /sig auth ```release-note NONE ```
2018-06-20 11:28:09 -07:00 · 2018-06-20 11:28:09 -07:00 · 83633d5bc3
parent f5763a9702 c8a0f52d5d
commit 83633d5bc3
1 changed files with 7 additions and 0 deletions
--- a/plugin/pkg/auth/authorizer/node/graph.go
+++ b/plugin/pkg/auth/authorizer/node/graph.go
@ -314,6 +314,13 @@ func (g *Graph) AddPod(pod *api.Pod) {
 	nodeVertex := g.getOrCreateVertex_locked(nodeVertexType, "", pod.Spec.NodeName)
 	g.graph.SetEdge(newDestinationEdge(podVertex, nodeVertex, nodeVertex))

+	// Short-circuit adding edges to other resources for mirror pods.
+	// A node must never be able to create a pod that grants them permissions on other API objects.
+	// The NodeRestriction admission plugin prevents creation of such pods, but short-circuiting here gives us defense in depth.
+	if _, isMirrorPod := pod.Annotations[api.MirrorPodAnnotationKey]; isMirrorPod {
+		return
+	}
+
 	// TODO(mikedanese): If the pod doesn't mount the service account secrets,
 	// should the node still get access to the service account?
 	//