Deprecated / obsoleted API groups should still be queried for access checks #100
Labels
bug
Something isn't working
Comments
to my knowledge, PSP was the only resource that originated in one group, moved to another group, AND used a synthetic authorization check like this The old group was not checked for API request authorization, but for authorizing use of the policy. Because those checks had to keep working on existing PSP objects after upgrade without user intervention, the old group continued to be checked as well. (I know that is a bit confusing… the confusing nature of how PSP used authorization was one of the reasons it never graduated to GA and was dropped) |
|
Thanks for the clarification Jordan, that's great news then, and makes this less impactful on who-can as well |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What happened
It is an upstream Kubernetes policy to keep checking old API groups when checking access, even for API groups that no longer exist. For example, PodSecurityPolicies used to be in
extensions, but were moved topolicyAPI group. Even though there is no trace of PSPs in extensions, having an RBAC forapiGroups=extensions, verbs=usewill allow any PSP to be used.kubernetes/kubernetes#111913 A PSP is wrongly respecting "extensions/podsecuritypolicies/use" for admission
Relevant PSP code:
https://github.com/kubernetes/kubernetes/blob/release-1.24/plugin/pkg/admission/security/podsecuritypolicy/admission.go#L345-L351
kubectl who-can does not show the obscure binding
Expected behavior
kubectl who-can should show all bindings that use deprecated (and perhaps otherwise seemingly removed) API groups.
PS: I am aware PSPs were removed as of k8s 1.25, however this presumably also affects other deprecated and removed/to-be-removed APIs.
The text was updated successfully, but these errors were encountered: