SECURITY: cluster: limit api objects modifiable by namespace admins

This previously allowed all namespace admins (i.e. personal-$user namespace
users) to create any sort of object they wanted within that namespace.

This could've been exploited to allow creation of a RoleBinding that
would then allow binding a serviceaccount to the insecure
podsecuritypolicy, thereby allowing escalation to root on nodes.

As far as I've checked, this hasn't been exploited, and the access to
the k8s cluster has so far also been limited to trusted users.

This has been deployed to production.

Change-Id: Icf8747d765ccfa9fed843ec9e7b0b957ff27d96e
diff --git a/cluster/kube/cluster.jsonnet b/cluster/kube/cluster.jsonnet
index 9a2abdb..9ae9633 100644
--- a/cluster/kube/cluster.jsonnet
+++ b/cluster/kube/cluster.jsonnet
@@ -108,10 +108,15 @@
     crFullInNamespace: kube.ClusterRole("system:admin-namespace") {
         rules: [
             {
-                apiGroups: ["*"],
+                apiGroups: ["", "extensions", "apps"],
                 resources: ["*"],
                 verbs: ["*"],
             },
+            {
+                apiGroups: ["batch"],
+                resources: ["jobs", "cronjobs"],
+                verbs: ["*"],
+            },
         ],
     },
     // This ClusterRoleBindings allows root access to cluster admins.
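
Review bot: The first rule of system:admin-namespace still carries `resources: ["*"]` and `verbs: ["*"]` for the "", "extensions" and "apps" groups, so the role remains a wildcard grant inside those groups. The "extensions" group has historically served podsecuritypolicies, and on API servers that still do, `verbs: ["*"]` includes `use`, which is the capability the commit message is trying to take away. Consider enumerating the resources namespace admins actually need (as the new "batch" rule does with `resources: ["jobs", "cronjobs"]`) and listing verbs explicitly. A short comment above the rules noting that rbac.authorization.k8s.io is excluded on purpose would also help keep a later edit from widening `apiGroups` back to `"*"`.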