
🐛 Fix API binding privilege escalation #2695

Merged: 1 commit merged into kcp-dev:main on Feb 1, 2023

Conversation

s-urbaniak
Contributor

@s-urbaniak s-urbaniak commented Jan 27, 2023

Summary

Currently, privilege escalation can be provoked when creating APIBindings
for exported resources.

This fixes it by impersonating virtual API export requests with a
service account that is bound to the requested workspace.

Related issue(s)

Fixes #2239

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress label (Indicates that a PR should not merge because it is a work in progress.) Jan 27, 2023
@s-urbaniak s-urbaniak changed the title from "WIP 🐛 Fix API binding priviledge escalation" to "WIP 🐛 Fix API binding privilege escalation" Jan 27, 2023
@openshift-merge-robot openshift-merge-robot added the needs-rebase label (Indicates a PR cannot be merged because it has merge conflicts with HEAD.) Jan 30, 2023
@openshift-merge-robot openshift-merge-robot removed the needs-rebase label (Indicates a PR cannot be merged because it has merge conflicts with HEAD.) Jan 30, 2023
@s-urbaniak s-urbaniak force-pushed the fix-wrong-bind branch 5 times, most recently from 2ae210f to 434ecae on January 30, 2023 14:29
@s-urbaniak s-urbaniak changed the title from "WIP 🐛 Fix API binding privilege escalation" to "🐛 Fix API binding privilege escalation" Jan 30, 2023
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress label (Indicates that a PR should not merge because it is a work in progress.) Jan 30, 2023
@s-urbaniak s-urbaniak force-pushed the fix-wrong-bind branch 4 times, most recently from 0fd200c to 01a4b02 on February 1, 2023 13:37
@s-urbaniak
Contributor Author

/test e2e-sharded

@s-urbaniak
Contributor Author

/test e2e-sharded

@s-urbaniak
Contributor Author

/test e2e-sharded

@openshift-ci openshift-ci bot added the lgtm label (Indicates that a PR is ready to be merged.) Feb 1, 2023
@openshift-ci
Contributor

openshift-ci bot commented Feb 1, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ncdc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved label (Indicates a PR has been approved by an approver from all required OWNERS files.) Feb 1, 2023
@openshift-merge-robot openshift-merge-robot merged commit e79d1e0 into kcp-dev:main Feb 1, 2023