Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

subpath fixes #61044

Merged
merged 3 commits into from
Mar 12, 2018
Merged

subpath fixes #61044

merged 3 commits into from
Mar 12, 2018

Conversation

liggitt
Copy link
Member

@liggitt liggitt commented Mar 12, 2018
edited
Loading

fixes #60813 for master / 1.10

Fixes CVE-2017-1002101 - See https://issue.k8s.io/60813 for details

jsafrane and others added 3 commits March 5, 2018 09:14
@jsafrane
Lock subPath volumes
5110db5 
Users must not be allowed to step outside the volume with subPath.
Therefore the final subPath directory must be "locked" somehow
and checked if it's inside volume.

On Windows, we lock the directories. On Linux, we bind-mount the final
subPath into /var/lib/kubelet/pods/<uid>/volume-subpaths/<container name>/<subPathName>,
it can't be changed to symlink user once it's bind-mounted.
@jsafrane
Add subpath e2e tests
ba818d8
@msau42 @jsafrane
Add feature gate for subpath
f6d97b5
@k8s-ci-robot k8s-ci-robot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Mar 12, 2018
This was referenced Mar 12, 2018
Merged
Merged
Merged
@liggitt liggitt added the sig/storage Categorizes an issue or PR as relevant to SIG Storage. label Mar 12, 2018
@liggitt liggitt added this to the v1.10 milestone Mar 12, 2018
@liggitt liggitt added kind/bug Categorizes issue or PR as related to a bug. priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. status/approved-for-milestone labels Mar 12, 2018
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Mar 12, 2018
@liggitt
Copy link
Member Author

liggitt commented Mar 12, 2018

error pulling image configuration: Get https://registry-1.docker.io/v2/ppc64le/busybox/blobs/sha256:e12035105c933ea356e8f8c1399328fc8f7a38cd69b6fac293ee683241b5673b: dial tcp: lookup registry-1.docker.io on 10.63.240.10:53: write udp 10.60.80.129:48169->10.63.240.10:53: write: operation not permitted

/retest

@tallclair
Copy link
Member

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 12, 2018
@smarterclayton
Copy link
Contributor

/lgtm

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 12, 2018
@smarterclayton
Copy link
Contributor

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, smarterclayton, tallclair

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-github-robot
Copy link

[MILESTONENOTIFIER] Milestone Pull Request: Up-to-date for process

@jsafrane @liggitt @msau42 @smarterclayton @tallclair

Pull Request Labels
  • sig/storage: Pull Request will be escalated to these SIGs if needed.
  • priority/critical-urgent: Never automatically move pull request out of a release milestone; continually escalate to contributor and SIG through all available channels.
  • kind/bug: Fixes a bug discovered during the current release.
Help

@liggitt
Copy link
Member Author

liggitt commented Mar 12, 2018

(also reviewed offline by @msau42)

@k8s-github-robot
Copy link

/test all [submit-queue is verifying that this PR is safe to merge]

@k8s-github-robot
Copy link

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.

@k8s-github-robot k8s-github-robot merged commit 3d1331f into kubernetes:master Mar 12, 2018
@liggitt liggitt mentioned this pull request Mar 12, 2018
Closed
@liggitt liggitt deleted the subpath-master branch March 13, 2018 03:34
@jingxu97 jingxu97 mentioned this pull request Mar 19, 2018
Closed
5 tasks
@yamt yamt mentioned this pull request Feb 26, 2019
Merged
@odinuge odinuge mentioned this pull request Jul 1, 2019
Merged
@pacoxu pacoxu mentioned this pull request Feb 5, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fejta fejta Awaiting requested review from fejta

@gnufied gnufied Awaiting requested review from gnufied

@jsafrane jsafrane Awaiting requested review from jsafrane

@krousey krousey Awaiting requested review from krousey

@lavalamp lavalamp Awaiting requested review from lavalamp

@msau42 msau42 Awaiting requested review from msau42

@saad-ali saad-ali Awaiting requested review from saad-ali

@screeley44 screeley44 Awaiting requested review from screeley44

@tmrts tmrts Awaiting requested review from tmrts

@vishh vishh Awaiting requested review from vishh

Assignees

@liggitt liggitt

@smarterclayton smarterclayton

@jsafrane jsafrane

@msau42 msau42

@tallclair tallclair

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/security cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/storage Categorizes an issue or PR as relevant to SIG Storage. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Milestone
v1.10
Development

Successfully merging this pull request may close these issues.

CVE-2017-1002101 - subpath volume mount handling allows arbitrary file access in host filesystem
7 participants
@liggitt @tallclair @smarterclayton @k8s-ci-robot @k8s-github-robot @jsafrane @msau42