Adding documentation about Endpoints write access in wake of CVE-2021…

…-25740
kubernetes · Jul 20, 2021 · d690ad6 · d690ad6
1 parent 2923e6b
commit d690ad6
Showing 1 changed file with 33 additions and 1 deletion.
diff --git a/content/en/docs/reference/access-authn-authz/rbac.md b/content/en/docs/reference/access-authn-authz/rbac.md
@@ -86,7 +86,7 @@ Because ClusterRoles are cluster-scoped, you can also use them to grant access t
 * cluster-scoped resources (like {{< glossary_tooltip text="nodes" term_id="node" >}})
 * non-resource endpoints (like `/healthz`)
 * namespaced resources (like Pods), across all namespaces
-  
+
   For example: you can use a ClusterRole to allow a particular user to run
   `kubectl get pods --all-namespaces`
 
@@ -363,6 +363,38 @@ rules:
   verbs: ["get", "list", "watch"]
 ```
 
+#### Write Access for Endpoints
+
+Kubernetes clusters created before Kubernetes 1.22 include write access to
+Endpoints in the aggregated "edit" and "admin" roles. As a mitigation for
+[CVE-2021-25740](https://github.com/kubernetes/kubernetes/issues/103675), this
+access will not be part of the aggregated roles in newly created clusters using
+Kubernetes 1.22+.
+
+If you want new clusters to retain this level of access in the aggregated roles,
+you can create the following ClusterRole:
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    kubernetes.io/description: |-
+      Add endpoints write permissions to the edit and admin roles. This was
+      removed by default in 1.22 because of CVE-2021-25740. See
+      http://issue.k8s.io/103675. This can allow endpoint writers to direct
+      LoadBalancer or Ingress implementations to expose backend IPs that would
+      not otherwise be accessible, and can circumvent network policies or
+      security controls intended to prevent/isolate access to those backends.
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+  name: custom:aggregate-to-edit:endpoints
+rules:
+  - apiGroups: [""]
+    resources: ["endpoints"]
+    verbs: ["create", "delete", "deletecollection", "patch", "update"]
+```
+
 #### Role examples
 
 The following examples are excerpts from Role or ClusterRole objects, showing only