[go: nahoru, domu]
HomePhabricator
Diffusion operations-software-kubernetes 8938d75cc10b

Add uidenforcer admission controller
8938d75cc10b
Actions

Tags
None
Referenced Files
None
Subscribers
None

Description

Add uidenforcer admission controller

Enforces that:

  • All namespaces have a RunAsUser annotation
  • Namespaced users can't touch annotations on their own namespace
  • Pods in a namespace will have RunAsUser set in all the containers to the RunAsUser annotation
  • Requires whitelisting of the resources that each user can access in an ABAC file
  • Does not let non-empty SecurityContexts pass through at all, since they can have capabilities or other dangerous things in the future

Change-Id: Ie9fc11c5f8849225b04ac3e581e2eaafaf36bc44

Details

Provenance
yuvipandaAuthored on Oct 25 2015, 2:10 AM
Parents
rOSKU283137936a49: Kubernetes version v1.3.0
Branches
Unknown
Tags
Unknown
ChangeId
Ie9fc11c5f8849225b04ac3e581e2eaafaf36bc44

Event Timeline

Changes (4)

PathSize
cmd/
kube-apiserver/
app/
plugin/
pkg/
admission/
uidenforcer/

rOSKU8938d75cc10b

View Options

cmd/kube-apiserver/app/plugins.go

Loading...
View Options

plugin/pkg/admission/uidenforcer/admission.go

Loading...
View Options

plugin/pkg/admission/uidenforcer/admission_test.go

Loading...
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits