AllowPrivilegeEscalation aka no_new_privs #381

Closed
jessfraz opened this issue Aug 1, 2017 · 15 comments
Labels
lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. sig/auth Categorizes an issue or PR as relevant to SIG Auth. stage/stable Denotes an issue tracking an enhancement targeted for Stable/GA status

Comments

@jessfraz

jessfraz commented Aug 1, 2017

Feature Description

  • One-line feature description (can be used as a release note): AllowPrivilegeEscalation when false will ensure execve promises not to grant more privileges than the parent process.
  • Primary contact (assignee): @jessfraz
  • Responsible SIGs: sig-auth?
  • Design proposal link (community repo): https://github.com/kubernetes/community/pull/639/files
  • Reviewer(s) - (for LGTM) recommend having 2+ reviewers (at least one from code-area OWNERS file) agreed to review. Reviewers from multiple companies preferred: @smarterclayton @timstclair
  • Approver (likely from SIG/area to which feature belongs): @smarterclayton
  • Feature target (which target equals to which milestone): 1.8
    • Alpha release target (x.y)
    • Beta release target (x.y)
    • Stable release target (x.y): 1.8
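
The kernel flag named in the issue title, as an added example (not code from this issue or from the Kubernetes project): it sets `no_new_privs` in a forked child and checks that the flag cannot be cleared and is inherited by further children. The helper names `nnp_probe`, `probe_child` and `run_in_child` are hypothetical; Linux 3.5 or later is assumed.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Current value of the calling thread's no_new_privs flag (0 or 1). */
static int get_nnp(void) { return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0); }

/* Run fn in a forked child; return its exit status, or -1 on failure. */
static int run_in_child(int (*fn)(void)) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(fn());
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Runs in a child so the caller's own flag is left untouched.
 * Result bits: 1 = flag set, 2 = clearing refused, 4 = inherited on fork. */
static int probe_child(void) {
    int r = 0;
    /* Once set, execve() no longer grants privileges via setuid/setgid
     * bits or file capabilities; the flag also survives execve(). */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0 && get_nnp() == 1) r |= 1;
    /* The flag is one-way: any value other than 1 is rejected. */
    errno = 0;
    if (prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == -1 && errno == EINVAL) r |= 2;
    /* A grandchild created after the flag was set starts with it set. */
    if (run_in_child(get_nnp) == 1) r |= 4;
    return r;
}

/* Hypothetical helper: returns 7 when all three properties hold. */
int nnp_probe(void) { return run_in_child(probe_child); }

int main(void) {
    int before = get_nnp();
    int r = nnp_probe();
    printf("set=%d one-way=%d inherited=%d (caller flag stays %d)\n",
           r & 1, (r >> 1) & 1, (r >> 2) & 1, before);
    return r == 7 ? 0 : 1;
}
```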
@jdumars
Member

jdumars commented Aug 2, 2017

/sig auth

@k8s-ci-robot k8s-ci-robot added the sig/auth Categorizes an issue or PR as relevant to SIG Auth. label Aug 2, 2017
@idvoretskyi
Member

@jessfraz can you define the feature roadmap more precisely (under the "Feature target" section)?
Which release equals which stage?

Thanks.

@jessfraz
Author

jessfraz commented Aug 3, 2017

Updated, since it was added to securityContext which is stable it will be stable

@idvoretskyi
Member

@jessfraz thank you!

@idvoretskyi idvoretskyi added the stage/stable Denotes an issue tracking an enhancement targeted for Stable/GA status label Aug 3, 2017
@idvoretskyi idvoretskyi added this to the 1.8 milestone Aug 3, 2017
@tallclair
Member

> since it was added to securityContext which is stable it will be stable

Not necessarily, we can add alpha fields to stable APIs now: kubernetes/community#869

Not saying it needs to be alpha, but it should be stable based on merits other than the parent API.

@jessfraz
Author

jessfraz commented Aug 3, 2017 via email

@tallclair
Member

Since the default doesn't change anything (IIRC) and this is a relatively small feature, I'm comfortable going straight to stable. I think the main thing to pay attention to is that that requires more thorough testing and documentation.

@jessfraz
Author

jessfraz commented Aug 3, 2017 via email

@grodrigues3
Contributor

> I think the main thing to pay attention to is that that requires more thorough testing and documentation.

Are there PRs out with e2e/unit tests? Docs link?

@jessfraz
Author

jessfraz commented Sep 13, 2017 via email

@grodrigues3
Contributor

Can you reference this issue/feature in that PR for trace-ability?

@jessfraz
Author

jessfraz commented Sep 13, 2017 via email

@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 5, 2018
@fejta-bot

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Feb 9, 2018
@fejta-bot

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

justaugustus pushed a commit to justaugustus/enhancements that referenced this issue Sep 3, 2018
Update bootstrap design doc with kubeadm UX