Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

check pod securityContext hostNetwork in exec admission controller #56839

Merged
merged 1 commit into from
Jan 2, 2018
Merged

check pod securityContext hostNetwork in exec admission controller #56839

merged 1 commit into from
Jan 2, 2018

Conversation

hzxuzhonghu
Copy link
Member

@hzxuzhonghu hzxuzhonghu commented Dec 5, 2017
edited
Loading

What this PR does / why we need it:
currently only hostIPC hostPID are checked in DenyEscalatingExec admission controller,
hostNetwork should also be checked to deny exec /attach
Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #56838

Special notes for your reviewer:

Release note:

check psp HostNetwork in DenyEscalatingExec admission controller.

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Dec 5, 2017
@CaoShuFeng
Copy link
Contributor

/ok-to-test

@k8s-ci-robot k8s-ci-robot removed the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Dec 5, 2017
@CaoShuFeng
Copy link
Contributor

Tightening this would effect users, so a release note is better.

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-none Denotes a PR that doesn't merit a release note. labels Dec 5, 2017
@hzxuzhonghu
Copy link
Member Author

/cc @liggitt @sttts

@deads2k
Copy link
Contributor

deads2k commented Jan 2, 2018

/approve
/assign liggitt

I'm fine with it.

@kubernetes kubernetes deleted a comment from k8s-github-robot Jan 2, 2018
@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 2, 2018
@liggitt
Copy link
Member

liggitt commented Jan 2, 2018

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 2, 2018
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, hzxuzhonghu, liggitt

Associated issue: #56838

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@k8s-github-robot
Copy link

/test all

Tests are more than 96 hours old. Re-running tests.

@k8s-github-robot
Copy link

Automatic merge from submit-queue (batch tested with PRs 57746, 57621, 56839, 57464). If you want to cherry-pick this change to another branch, please follow the instructions here.

@k8s-github-robot k8s-github-robot merged commit 45a069a into kubernetes:master Jan 2, 2018
@hzxuzhonghu hzxuzhonghu deleted the exec-admission branch January 3, 2018 01:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@liggitt liggitt Awaiting requested review from liggitt

@sttts sttts Awaiting requested review from sttts

Assignees

@liggitt liggitt

@derekwaynecarr derekwaynecarr

@deads2k deads2k

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

DenyEscalatingExec admission controller should check psp hostNetwork
7 participants
@hzxuzhonghu @CaoShuFeng @deads2k @liggitt @k8s-ci-robot @k8s-github-robot @derekwaynecarr