github/k3s - k3s - https://git.xinac.net

Commit Graph

Author	SHA1	Message	Date
Jan Safranek	5110db5087	Lock subPath volumes Users must not be allowed to step outside the volume with subPath. Therefore the final subPath directory must be "locked" somehow and checked if it's inside volume. On Windows, we lock the directories. On Linux, we bind-mount the final subPath into /var/lib/kubelet/pods/<uid>/volume-subpaths/<container name>/<subPathName>, it can't be changed to symlink user once it's bind-mounted.	2018-03-05 09:14:44 +01:00
Pengfei Ni	b0a49e1970	Update unit tests and bazel files	2018-02-28 09:56:46 +08:00

Author

SHA1

Message

Date

Jan Safranek

5110db5087

Lock subPath volumes

Users must not be allowed to step outside the volume with subPath.
Therefore the final subPath directory must be "locked" somehow
and checked if it's inside volume.

On Windows, we lock the directories. On Linux, we bind-mount the final
subPath into /var/lib/kubelet/pods/<uid>/volume-subpaths/<container name>/<subPathName>,
it can't be changed to symlink user once it's bind-mounted.

2018-03-05 09:14:44 +01:00

Pengfei Ni

b0a49e1970

Update unit tests and bazel files

2018-02-28 09:56:46 +08:00

2 Commits (72f8a369d021037ca6179339d50ad595b5462a6c)