Unable to edit Endpoints

This document (000021013) is provided subject to the disclaimer at the end of this document.

Environment

Kubernetes Clusters v1.22+

Situation

As mitigation for CVE-2021-25740, Kubernetes removed the default permission that allowed anyone with the built-in admin or edit role to edit Endpoints. As a result, users with the Project Owner or Project Member roles can no longer change Endpoint objects manually.

Resolution

The Kubernetes team provided the following YAML to restore the permission to all users with the built-in edit or admin role:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    kubernetes.io/description: |-
      Add endpoints write permissions to the edit and admin roles. This was
      removed by default in 1.22 because of CVE-2021-25740. See
      https://issue.k8s.io/103675. This can allow writers to direct LoadBalancer
      or Ingress implementations to expose backend IPs that would not otherwise
      be accessible, and can circumvent network policies or security controls
      intended to prevent/isolate access to those backends.
      EndpointSlices were never included in the edit or admin roles, so there
      is nothing to restore for the EndpointSlice API.      
  labels:
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: custom:aggregate-to-edit:endpoints # you can change this if you wish
rules:
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]

If you only want users with the built-in admin role to have the permission restored, the YAML can be edited as follows:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    kubernetes.io/description: |-
      Add endpoints write permissions to the edit and admin roles. This was
      removed by default in 1.22 because of CVE-2021-25740. See
      https://issue.k8s.io/103675. This can allow writers to direct LoadBalancer
      or Ingress implementations to expose backend IPs that would not otherwise
      be accessible, and can circumvent network policies or security controls
      intended to prevent/isolate access to those backends.
      EndpointSlices were never included in the edit or admin roles, so there
      is nothing to restore for the EndpointSlice API.      
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
  name: custom:aggregate-to-admin:endpoints # you can change this if you wish
rules:
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]

The chosen YAML must be applied to the cluster where you want to restore these permissions.
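Before applying either manifest it helps to know which ClusterRoles already grant write access to Endpoints and whether they aggregate into edit or admin. The audit script below is an added example, not part of this SUSE document or of Kubernetes; it reads the JSON shape produced by `kubectl get clusterroles -o json`, treats wildcard apiGroups, resources and verbs as matches, and uses a constructed sample in place of real cluster output.

```python
import json

# Verbs that let a subject change Endpoint objects (the set the ClusterRole above restores).
WRITE_VERBS = {"create", "delete", "deletecollection", "patch", "update"}
AGG_PREFIX = "rbac.authorization.k8s.io/aggregate-to-"

def rule_grants_endpoints_write(rule):
    """True if one RBAC rule grants a write verb on core-group endpoints (wildcards count)."""
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    in_core = "" in groups or "*" in groups
    on_endpoints = "endpoints" in resources or "*" in resources
    writes = "*" in verbs or bool(verbs & WRITE_VERBS)
    return in_core and on_endpoints and writes

def audit_clusterroles(clusterrole_list):
    """Map each ClusterRole that grants endpoints writes to the built-in roles it
    aggregates into (from aggregate-to-<role> labels); an empty set means no aggregation."""
    findings = {}
    for role in clusterrole_list.get("items", []):
        if not any(rule_grants_endpoints_write(r) for r in role.get("rules") or []):
            continue
        labels = role["metadata"].get("labels") or {}
        targets = {k[len(AGG_PREFIX):] for k, v in labels.items()
                   if k.startswith(AGG_PREFIX) and v == "true"}
        findings[role["metadata"]["name"]] = targets
    return findings

# Constructed sample in the shape of `kubectl get clusterroles -o json`; not real cluster output.
# The EndpointSlice role is deliberately not flagged: it is a different API group.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"name": "custom:aggregate-to-edit:endpoints",
   "labels": {"rbac.authorization.k8s.io/aggregate-to-edit": "true"}},
  "rules": [{"apiGroups": [""], "resources": ["endpoints"],
             "verbs": ["create", "delete", "deletecollection", "patch", "update"]}]},
 {"metadata": {"name": "cluster-admin"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"metadata": {"name": "system:aggregate-to-view",
   "labels": {"rbac.authorization.k8s.io/aggregate-to-view": "true"}},
  "rules": [{"apiGroups": [""], "resources": ["endpoints"], "verbs": ["get", "list", "watch"]}]},
 {"metadata": {"name": "endpointslice-writer"},
  "rules": [{"apiGroups": ["discovery.k8s.io"], "resources": ["endpointslices"], "verbs": ["update"]}]}
]}""")

if __name__ == "__main__":
    # Real use: kubectl get clusterroles -o json | python3 audit_endpoints_rbac.py
    import sys
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for name, targets in audit_clusterroles(data).items():
        print(f"{name}: aggregates into {sorted(targets) or 'nothing'}")
```

Run it once before and once after applying the manifest to confirm that only the intended aggregation label (edit or admin) appears in the output.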

Cause

Project Owners inherit the built-in Kubernetes admin role, and Project Members inherit the built-in Kubernetes edit role. These roles automatically give Project Owners and Project Members most of the permissions they need in the appropriate namespaces, without defining specific roles for each. The Kubernetes built-in roles are defined here: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings

Additional Information

For more information, see the Kubernetes documentation about this issue: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#write-access-for-endpoints

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000021013
  • Creation Date: 13-Mar-2023
  • Modified Date: 30-Mar-2023
  • Product: SUSE Rancher
