Unable to edit Endpoints
This document (000021013) is provided subject to the disclaimer at the end of this document.
Environment
Kubernetes Clusters v1.22+
Situation
As mitigation for CVE-2021-25740, Kubernetes removed a default rolebinding which allowed anyone with the built-in admin and edit roles to edit endpoints. This prevents users with the Project Owner or Project Member roles from being able to change Endpoint objects manually.
Resolution
The Kubernetes team provided the following yaml to restore the permissions to the all users with the built-in edit or admin roles:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
kubernetes.io/description: |-
Add endpoints write permissions to the edit and admin roles. This was
removed by default in 1.22 because of CVE-2021-25740. See
https://issue.k8s.io/103675. This can allow writers to direct LoadBalancer
or Ingress implementations to expose backend IPs that would not otherwise
be accessible, and can circumvent network policies or security controls
intended to prevent/isolate access to those backends.
EndpointSlices were never included in the edit or admin roles, so there
is nothing to restore for the EndpointSlice API.
labels:
rbac.authorization.k8s.io/aggregate-to-edit: "true"
name: custom:aggregate-to-edit:endpoints # you can change this if you wish
rules:
- apiGroups: [""]
resources: ["endpoints"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]
If you only want those with built-in admin role to have the permission restored, the yaml can be edited as follows:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
kubernetes.io/description: |-
Add endpoints write permissions to the edit and admin roles. This was
removed by default in 1.22 because of CVE-2021-25740. See
https://issue.k8s.io/103675. This can allow writers to direct LoadBalancer
or Ingress implementations to expose backend IPs that would not otherwise
be accessible, and can circumvent network policies or security controls
intended to prevent/isolate access to those backends.
EndpointSlices were never included in the edit or admin roles, so there
is nothing to restore for the EndpointSlice API.
labels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: custom:aggregate-to-admin:endpoints # you can change this if you wish
rules:
- apiGroups: [""]
resources: ["endpoints"]
verbs: ["create", "delete", "deletecollection", "patch", "update"]
The chosen yaml must be applied to the cluster where you want to restore these permissions.
Cause
Project Owners inherit the built-in Kubernetes admin role. Project members inherit the built-in Kubernetes edit role. These roles allow Project Owners and Project Members automatically have the majority of permissions needed on the appropriate namespaces without defining specific roles for each. The Kubernetes built-in roles are defined here: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings
Additional Information
For more information, see the Kubernetes documentation about this issue: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#write-access-for-endpoints
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000021013
- Creation Date: 13-Mar-2023
- Modified Date:30-Mar-2023
-
- SUSE Rancher
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
