mirror of https://github.com/k3s-io/k3s
0e6d3f2abe
Automatic merge from submit-queue (batch tested with PRs 65677, 65711, 65150, 65726). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Add additional authorization check for create-on-update **What this PR does / why we need it**: Currently it is possible for a user who is only authorized to update objects to send a PUT request for an object that doesn't currently exist, and if that resource allows create on update, it will all them to create the object. This PR fixes that bug and adds a test case which fails on master, but succeeds when the additional authorization check is done. /sig api-machinery /kind bug /cc @liggitt @lavalamp **Release note**: ```release-note LimitRange and Endpoints resources can be created via an update API call if the object does not already exist. When this occurs, an authorization check is now made to ensure the user making the API call is authorized to create the object. In previous releases, only an update authorization check was performed. ``` |
||
|---|---|---|
| .. | ||
| apiserver | ||
| auth | ||
| benchmark/jsonify | ||
| client | ||
| configmap | ||
| daemonset | ||
| defaulttolerationseconds | ||
| deployment | ||
| etcd | ||
| evictions | ||
| examples | ||
| framework | ||
| garbagecollector | ||
| ipamperf | ||
| master | ||
| metrics | ||
| objectmeta | ||
| openshift | ||
| pods | ||
| quota | ||
| replicaset | ||
| replicationcontroller | ||
| scale | ||
| scheduler | ||
| scheduler_perf | ||
| secrets | ||
| serviceaccount | ||
| statefulset | ||
| storageclasses | ||
| tls | ||
| ttlcontroller | ||
| util | ||
| volume | ||
| BUILD | ||
| benchmark-controller.json | ||
| doc.go | ||
| utils.go | ||