admission controller: deny attaching to a container
For demo purposes, "kubectl attach" shall be denied.
alban committed Nov 26, 2017
1 parent 5db1551 commit c117bd7
Showing 2 changed files with 18 additions and 1 deletion.
2 changes: 1 addition & 1 deletion cmd/kubeadm/app/phases/controlplane/manifests.go
Expand Up @@ -40,7 +40,7 @@ import (
const (
DefaultCloudConfigPath = "/etc/kubernetes/cloud-config"

defaultv17AdmissionControl = "Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,ResourceQuota"
defaultv17AdmissionControl = "Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,ResourceQuota,DenyAttach"
)

// CreateInitStaticPodManifestFiles will write all static pod manifest files needed to bring up the control plane.
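Review bot: The edited `defaultv17AdmissionControl` puts `DenyAttach` into the admission chain of every v1.7 control plane that kubeadm bootstraps, while the commit message describes the plugin as demo-only; a default that rejects every `pods/attach` request is a cluster-wide policy change rather than a demo toggle. Keep the default list as it was and enable the plugin through the API server's admission-control configuration for the demo cluster only, or at least record the intent on the constant, e.g. `// DenyAttach rejects all pods/attach requests; demo only, remove before release.` The const block continues outside the hunk.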
17 changes: 17 additions & 0 deletions plugin/pkg/admission/exec/admission.go
Expand Up @@ -40,6 +40,11 @@ func Register(plugins *admission.Plugins) {
plugins.Register("DenyExecOnPrivileged", func(config io.Reader) (admission.Interface, error) {
return NewDenyExecOnPrivileged(), nil
})

// For demo purposes, reject all "attach" requests on pods
plugins.Register("DenyAttach", func(config io.Reader) (admission.Interface, error) {
return NewDenyAttach(), nil
})
}

// denyExec is an implementation of admission.Interface which says no to a pod/exec on
Expand All @@ -49,6 +54,7 @@ type denyExec struct {
client internalclientset.Interface

// these flags control which items will be checked to deny exec/attach
attach bool
hostIPC bool
hostPID bool
privileged bool
Expand Down Expand Up @@ -79,6 +85,13 @@ func NewDenyExecOnPrivileged() admission.Interface {
}
}

func NewDenyAttach() admission.Interface {
return &denyExec{
Handler: admission.NewHandler(admission.Connect),
attach: true,
}
}

func (d *denyExec) Admit(a admission.Attributes) (err error) {
connectRequest, ok := a.GetObject().(*rest.ConnectRequest)
if !ok {
Expand All @@ -93,6 +106,10 @@ func (d *denyExec) Admit(a admission.Attributes) (err error) {
return admission.NewForbidden(a, err)
}

if connectRequest.ResourcePath == "pods/attach" {
return admission.NewForbidden(a, fmt.Errorf("cannot attach to a container, rejected by admission controller"))
}

if d.hostPID && pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.HostPID {
return admission.NewForbidden(a, fmt.Errorf("cannot exec into or attach to a container using host pid"))
}
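Review bot: The new `pods/attach` check in `Admit` never consults the `attach` field this commit adds to `denyExec`, so it fires for every instance of the type, including the existing `DenyExecOnPrivileged` plugin, which will now reject all attach requests instead of only those against privileged or host-namespace pods. Guard it with the flag the constructor sets: `if d.attach && connectRequest.ResourcePath == "pods/attach" {`. The check also sits after the `return admission.NewForbidden(a, err)` that appears to belong to a pod lookup, so a plain attach denial still pays for that lookup and, if it fails, surfaces the lookup error rather than the intended policy message; moving the check ahead of that lookup would make the denial deterministic. `Admit` starts inside the hunk but its body continues past it, and the `denyExec` struct and `Register` are likewise cut by their hunks.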

0 comments on commit c117bd7

Please sign in to comment.