| commit | a168c501326cbe7f2c35a85e06eb0dcef4d3500d | [log] [tgz] |
|---|---|---|
| author | Sergiusz Bazanski <q3k@hackerspace.pl> | Mon May 11 20:49:31 2020 +0200 |
| committer | Sergiusz Bazanski <q3k@hackerspace.pl> | Mon May 11 20:49:31 2020 +0200 |
| tree | d423438fbaaee1cac8728d842faae0ed0b3500a2 | |
| parent | e3432ee77546c33467806bb76b99f5628705e086 [diff] | |
SECURITY: cluster: limit api objects modifiable by namespace admins

This previously allowed all namespace admins (i.e. personal-$user namespace users) to create any sort of object they wanted within that namespace. This could've been exploited to allow creation of a RoleBinding that would then allow to bind a serviceaccount to the insecure podsecuritypolicy, thereby allowing escalation to root on nodes.

As far as I've checked, this hasn't been exploited, and the access to the k8s cluster has so far also been limited to trusted users.

This has been deployed to production.

Change-Id: Icf8747d765ccfa9fed843ec9e7b0b957ff27d96e
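Added example, not code from hscloud or from this commit's diff: a small audit of namespaced RBAC rules that flags the over-broad grant the commit message describes (a Role whose wildcard rules let a namespace admin create RoleBindings and `use` a PodSecurityPolicy). Rule matching follows Kubernetes' wildcard semantics; the narrowed allow-list in `NARROW_RULES` is an assumed illustration, not hscloud's actual role.

```python
"""Audit Kubernetes Role rules for grants that enable the RoleBinding/PSP escalation."""
from typing import Iterable, List, Tuple

Rule = dict  # a PolicyRule: {"apiGroups": [...], "resources": [...], "verbs": [...]}
Check = Tuple[str, str, str]  # (apiGroup, resource, verb)


def _matches(wanted: str, allowed: Iterable[str]) -> bool:
    """Kubernetes RBAC matching: a literal '*' in the rule matches anything."""
    allowed = list(allowed)
    return "*" in allowed or wanted in allowed


def rule_allows(rule: Rule, group: str, resource: str, verb: str) -> bool:
    """True if a single PolicyRule permits `verb` on `resource` in `group`."""
    return (_matches(group, rule.get("apiGroups", []))
            and _matches(resource, rule.get("resources", []))
            and _matches(verb, rule.get("verbs", [])))


def role_allows(rules: List[Rule], group: str, resource: str, verb: str) -> bool:
    """A Role grants an action if any of its rules does."""
    return any(rule_allows(r, group, resource, verb) for r in rules)


# Actions a namespace admin should not hold: binding subjects to other roles
# (the RoleBinding step) and using a PodSecurityPolicy directly.
ESCALATION_CHECKS: List[Check] = [
    ("rbac.authorization.k8s.io", "rolebindings", "create"),
    ("rbac.authorization.k8s.io", "rolebindings", "update"),
    ("policy", "podsecuritypolicies", "use"),
]


def audit(rules: List[Rule]) -> List[Check]:
    """Return the escalation-relevant (group, resource, verb) triples the Role grants."""
    return [c for c in ESCALATION_CHECKS if role_allows(rules, *c)]


# Constructed sample: the over-broad "anything in the namespace" rule ...
BROAD_RULES: List[Rule] = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]
# ... and an assumed narrowed Role limited to workload objects (not hscloud's real list).
NARROW_RULES: List[Rule] = [
    {"apiGroups": [""], "resources": ["pods", "services", "configmaps", "secrets"], "verbs": ["*"]},
    {"apiGroups": ["apps"], "resources": ["deployments", "statefulsets"], "verbs": ["*"]},
]

if __name__ == "__main__":
    print("broad role grants:", audit(BROAD_RULES))    # all three checks flagged
    print("narrow role grants:", audit(NARROW_RULES))  # nothing flagged
```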
hscloud is the main monorepo of the Warsaw Hackerspace infrastructure code.
Any time you see a `//path/like/this`, it refers to the root of hscloud, i.e. the path `path/like/this` in this repository. Perforce and/or Bazel users should feel right at home.
For a pleasant web viewing experience, see this documentation in hackdoc. This will allow you to read this markdown file (and others) in a pretty, linkable view.
See //doc/codelabs for tutorials on how to use hscloud.
If you want to browse the source of hscloud in a web browser, use gerrit's gitiles.
If you want some other help, talk to q3k, informatic or your therapist.
Directories you should care about:
k0.hswaw.net
Unless noted otherwise, code in hscloud is licensed under the BSD 0-clause license - see COPYING.