mirror of https://github.com/k3s-io/k3s
83633d5bc3
Automatic merge from submit-queue (batch tested with PRs 65254, 64837, 64782, 64555, 64850). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Short-circuit node authorizer graph edges for mirror pods When building the graph of resources allowed to a node by a given pod, short-circuit adding edges to other resources for mirror pods. A node must never be able to create a pod that grants them permissions on other API objects. The NodeRestriction admission plugin prevents creation of such pods, but short-circuiting here gives us defense in depth. /assign @tallclair /sig auth ```release-note NONE ``` |
||
|---|---|---|
| .. | ||
| pkg | ||
| BUILD | ||
| OWNERS | ||