Adding documentation about Endpoints write access in wake of CVE-2021…

…-25740
kubernetes · Jul 21, 2021 · 5430dc7 · 5430dc7
1 parent 2923e6b
commit 5430dc7
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 1 deletion.
diff --git a/content/en/docs/reference/access-authn-authz/rbac.md b/content/en/docs/reference/access-authn-authz/rbac.md
@@ -86,7 +86,7 @@ Because ClusterRoles are cluster-scoped, you can also use them to grant access t
 * cluster-scoped resources (like {{< glossary_tooltip text="nodes" term_id="node" >}})
 * non-resource endpoints (like `/healthz`)
 * namespaced resources (like Pods), across all namespaces
-  
+
   For example: you can use a ClusterRole to allow a particular user to run
   `kubectl get pods --all-namespaces`
 
@@ -363,6 +363,26 @@ rules:
   verbs: ["get", "list", "watch"]
 ```
 
+#### Write Access for Endpoints
+
+Kubernetes clusters created before Kubernetes v1.22 include write access to
+Endpoints in the aggregated "edit" and "admin" roles. As a mitigation for
+[CVE-2021-25740](https://github.com/kubernetes/kubernetes/issues/103675), this
+access is not part of the aggregated roles in clusters that you create using
+Kubernetes v1.22 or later.
+
+Existing clusters that have been upgraded to Kubernetes v1.22 will not be
+subject to this change. The [CVE
+announcement](https://github.com/kubernetes/kubernetes/issues/103675) includes
+guidance for restricting this access in existing clusters.
+
+If you want new clusters to retain this level of access in the aggregated roles,
+you can create the following ClusterRole:
+
+```none
+{{</* codenew file="access/endpoints-aggregated.yaml" */>}}
+```
+
 #### Role examples
 
 The following examples are excerpts from Role or ClusterRole objects, showing only

diff --git a/content/en/examples/access/endpoints-aggregated.yaml b/content/en/examples/access/endpoints-aggregated.yaml
@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    kubernetes.io/description: |-
+      Add endpoints write permissions to the edit and admin roles. This was
+      removed by default in 1.22 because of CVE-2021-25740. See
+      https://issue.k8s.io/103675. This can allow s writers to direct
+      LoadBalancer or Ingress implementations to expose backend IPs that would
+      not otherwise be accessible, and can circumvent network policies or
+      security controls intended to prevent/isolate access to those backends.
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+  name: custom:aggregate-to-edit:endpoints # you can change this if you wish
+rules:
+  - apiGroups: [""]
+    resources: ["endpoints"]
+    verbs: ["create", "delete", "deletecollection", "patch", "update"]