From c8a0f52d5d85ece66cf74e7960aee5afb22c32b4 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Wed, 6 Jun 2018 11:34:14 -0400
Subject: [PATCH] Short-circuit node authorizer graph edges for mirror pods

---
 plugin/pkg/auth/authorizer/node/graph.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/plugin/pkg/auth/authorizer/node/graph.go b/plugin/pkg/auth/authorizer/node/graph.go
index 5781b56b01..48e406d538 100644
--- a/plugin/pkg/auth/authorizer/node/graph.go
+++ b/plugin/pkg/auth/authorizer/node/graph.go
@@ -314,6 +314,13 @@ func (g *Graph) AddPod(pod *api.Pod) {
 	nodeVertex := g.getOrCreateVertex_locked(nodeVertexType, "", pod.Spec.NodeName)
 	g.graph.SetEdge(newDestinationEdge(podVertex, nodeVertex, nodeVertex))
 
+	// Short-circuit adding edges to other resources for mirror pods.
+	// A node must never be able to create a pod that grants them permissions on other API objects.
+	// The NodeRestriction admission plugin prevents creation of such pods, but short-circuiting here gives us defense in depth.
+	if _, isMirrorPod := pod.Annotations[api.MirrorPodAnnotationKey]; isMirrorPod {
+		return
+	}
+
 	// TODO(mikedanese): If the pod doesn't mount the service account secrets,
 	// should the node still get access to the service account?
 	//
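Review bot: The early return is correct only if AddPod has already discarded any edges a previous, non-mirror version of the same pod vertex contributed; that setup happens before the hunk, so it should be confirmed that the existing pod vertex is removed (or its outgoing edges cleared) before `getOrCreateVertex_locked` runs, otherwise an update that adds the mirror-pod annotation would leave stale secret/configmap/PVC edges in place. The guard keys on annotation presence alone, which matches the defense-in-depth intent (an empty value still marks the pod as a mirror pod), but that is worth stating in the comment, e.g. `// Presence of the annotation is sufficient; the value is not consulted.` A unit test that adds a pod with the mirror-pod annotation and a secret volume, then asserts the node reaches the pod but not the secret, would pin this behavior. AddPod starts and ends outside the hunk.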