
Include pod namespace in PSP 'use' authorization check #42360

Merged

Conversation

liggitt
Member

@liggitt liggitt commented Mar 1, 2017

Follow-up to https://github.com/kubernetes/kubernetes/pull/33080/files#diff-291b8dd7d08cc034975ddb3925dbb08fR341

Prior to this PR, when PodSecurityPolicy admission is active, you must be authorized to use a covering PodSecurityPolicy cluster-wide in order to create a pod. This PR changes that to only require a covering PodSecurityPolicy within the pod's namespace.

When used in concert with mechanisms that limit pods within a namespace to a particular set of nodes, this can be used to allow users to create privileged pods within specific namespaces only.

Permission to use a PodSecurityPolicy can now be granted within a single namespace by allowing the `use` verb on the `podsecuritypolicies` resource within the namespace.
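The following manifests are an added illustration of the namespaced grant the PR description refers to; they are not part of the PR or of the Kubernetes repository. The namespace `build-privileged`, the service account `builder`, and the PodSecurityPolicy name `privileged` are assumed names chosen for the example. The first Role/RoleBinding pair is the new, namespace-scoped form this PR makes sufficient; the ClusterRole/ClusterRoleBinding pair below it is the cluster-wide grant that was required before the change (and that still works afterwards).

```yaml
# Added example, not from the PR. Names (build-privileged, builder, privileged)
# are assumptions. After this PR, a Role + RoleBinding in the pod's namespace
# is enough for the PSP admission plugin's "use" check to pass for pods
# created in that namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: use-privileged-psp
  namespace: build-privileged
rules:
- apiGroups: ["extensions"]        # "policy" in later releases (policy/v1beta1)
  resources: ["podsecuritypolicies"]
  resourceNames: ["privileged"]     # restrict to one PSP; omit to allow any
  verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: builder-use-privileged-psp
  namespace: build-privileged
subjects:
- kind: ServiceAccount
  name: builder
  namespace: build-privileged
roleRef:
  kind: Role
  name: use-privileged-psp
  apiGroup: rbac.authorization.k8s.io
---
# Pre-PR equivalent: the "use" permission had to hold cluster-wide, so the
# same subject could create covered pods in *every* namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: use-privileged-psp-clusterwide
rules:
- apiGroups: ["extensions"]
  resources: ["podsecuritypolicies"]
  resourceNames: ["privileged"]
  verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: builder-use-privileged-psp-clusterwide
subjects:
- kind: ServiceAccount
  name: builder
  namespace: build-privileged
roleRef:
  kind: ClusterRole
  name: use-privileged-psp-clusterwide
  apiGroup: rbac.authorization.k8s.io
```

With only the Role/RoleBinding applied, `kubectl auth can-i use podsecuritypolicies/privileged -n build-privileged --as=system:serviceaccount:build-privileged:builder` answers `yes`, while the same query against any other namespace answers `no`; that asymmetry is the whole point of the change. Two caveats a practitioner would want: the namespace scoping only confines privileged pods to particular nodes if something else (node selectors, taints, or an admission plugin) pins that namespace's pods to those nodes, as the description notes; and PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25, so on current clusters the equivalent per-namespace control is Pod Security Admission rather than RBAC on `use`.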

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Mar 1, 2017
@k8s-github-robot k8s-github-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Mar 1, 2017
@liggitt
Member Author

liggitt commented Mar 1, 2017

cc @pweil- @erictune from original PR
@kubernetes/sig-auth-pr-reviews

@liggitt liggitt added this to the v1.7 milestone Mar 1, 2017
@liggitt liggitt added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-label-needed labels Mar 1, 2017

@liggitt liggitt added the sig/auth Categorizes an issue or PR as relevant to SIG Auth. label Mar 8, 2017
@derekwaynecarr
Member

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 10, 2017
@k8s-github-robot k8s-github-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 10, 2017
@k8s-github-robot k8s-github-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 11, 2017
@liggitt liggitt force-pushed the psp-namespaced-use-check branch 2 times, most recently from 1efc60f to 334a5f8 Compare March 11, 2017 04:12
@k8s-github-robot k8s-github-robot removed lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Mar 11, 2017
@liggitt liggitt added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 11, 2017
@k8s-github-robot k8s-github-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 23, 2017
@liggitt liggitt force-pushed the psp-namespaced-use-check branch from 334a5f8 to 829e6f6 Compare March 24, 2017 19:14
@liggitt liggitt added the do-not-merge DEPRECATED. Indicates that a PR should not merge. Label can only be manually applied/removed. label Mar 24, 2017
@k8s-github-robot k8s-github-robot removed lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Mar 24, 2017
@liggitt liggitt assigned pweil-, erictune and deads2k and unassigned derekwaynecarr Mar 28, 2017
@deads2k
Contributor

deads2k commented Mar 28, 2017

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 28, 2017
@k8s-github-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, derekwaynecarr, liggitt

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@liggitt
Member Author

liggitt commented Mar 28, 2017

@k8s-bot bazel test this

@liggitt liggitt removed the do-not-merge DEPRECATED. Indicates that a PR should not merge. Label can only be manually applied/removed. label Mar 29, 2017
@liggitt
Member Author

liggitt commented Mar 31, 2017

@k8s-bot bazel test this
@k8s-bot node e2e test this

@k8s-github-robot

Automatic merge from submit-queue (batch tested with PRs 42360, 43109, 43737, 43853)

@k8s-github-robot k8s-github-robot merged commit cc571d1 into kubernetes:master Mar 31, 2017
@liggitt liggitt deleted the psp-namespaced-use-check branch March 31, 2017 18:43