From 4258795617f539229ecda2a12ce1600891b5bdf9 Mon Sep 17 00:00:00 2001
From: YuviPanda
Date: Mon, 15 Nov 2021 09:58:58 +0530
Subject: [PATCH] Default allow_privilege_escalation to False

Allows it to be set to None as well, to not set the property.

This is a breaking change for hubs where admins were granting sudo rights to users. That already required some extra work, so this would be an additional propety to set for that. The added security benefit from this much more secure default is well worth the breakage IMO.

Fixes #544
---
 kubespawner/objects.py | 7 ++++---
 kubespawner/spawner.py | 9 +++++++--
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/kubespawner/objects.py b/kubespawner/objects.py
index 801d04fc..f2b061e0 100644
--- a/kubespawner/objects.py
+++ b/kubespawner/objects.py
@@ -64,7 +64,7 @@ def make_pod(
     fs_gid=None,
     supplemental_gids=None,
     privileged=False,
-    allow_privilege_escalation=True,
+    allow_privilege_escalation=False,
     container_security_context=None,
     pod_security_context=None,
     env=None,
@@ -166,6 +166,7 @@ def make_pod(
         allow_privilege_escalation:
             Controls whether a process can gain more privileges than its parent process.
+            Functionally, determines if setuid binaries (like sudo) work.
         container_security_context:
             A kubernetes securityContext to apply to the container.
@@ -424,8 +425,8 @@ def make_pod(
         csc["runAsGroup"] = int(gid)
     if privileged:  # false as default
         csc["privileged"] = True
-    if not allow_privilege_escalation:  # true as default
-        csc["allowPrivilegeEscalation"] = False
+    if allow_privilege_escalation is not None:  # false as default
+        csc["allowPrivilegeEscalation"] = allow_privilege_escalation
     if container_security_context:
         for key in container_security_context.keys():
             if "_" in key:
diff --git a/kubespawner/spawner.py b/kubespawner/spawner.py
index 00a4d7c7..0cba4d50 100644
--- a/kubespawner/spawner.py
+++ b/kubespawner/spawner.py
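Review bot: The parameter docstring for `allow_privilege_escalation` in the `@@ -166` hunk does not say that `None` is now an accepted value, even though the `is not None` check added later in this commit treats it as "leave the field unset"; callers of `make_pod` see only this docstring, not the spawner trait's help text. Add a line after the new sentence, `If None, the field is left unset and the cluster's default applies.`. The rest of make_pod's docstring lies outside the hunk.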
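Review bot: With the default now `False`, a caller that passes only `privileged=True` gets a securityContext carrying both `privileged: True` and `allowPrivilegeEscalation: False`, a combination that, as far as I recall, the Kubernetes API server rejects at validation (the spawner help text in this same commit states that escalation is always true for privileged containers); before this change the default `True` left the field unset, so that path worked. Rejecting the conflict in `make_pod` gives a clearer error than the API response: `if privileged and allow_privilege_escalation is False:` / `raise ValueError("privileged=True requires allow_privilege_escalation to be True or None")` placed before the assignment. Note also that the value is now written into the spec verbatim rather than as a literal `False`, so a non-bool argument (e.g. the string `"false"`) would be serialized as-is; `bool(allow_privilege_escalation)` or an `isinstance` check would keep the old guarantee. make_pod continues outside the hunk.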
@@ -913,13 +913,18 @@ def _validate_image_pull_secrets(self, proposal):
         )
 
     allow_privilege_escalation = Bool(
-        True,
+        False,
+        allow_none=True,
         config=True,
         help="""
         Controls whether a process can gain more privileges than its parent process.
 
+        When set to False (the default), the primary user visible effect is that
+        setuid binaries (like sudo) will no longer work.
+
+        When set to None, the defaults for the cluster are respected.
+
         This bool directly controls whether the no_new_privs flag gets set on the container
-        process.
 
         AllowPrivilegeEscalation is true always when the container is:
         1) run as Privileged OR 2) has CAP_SYS_ADMIN.
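Review bot: The removed `process.` line truncates the help text: on the new side the sentence now reads `This bool directly controls whether the no_new_privs flag gets set on the container` followed by a blank line and never finishes, which looks like an accidental deletion rather than an intended edit (the hunk's 13→18 line count is consistent with one removed line here). Restore the line, `process.`, or fold it into the preceding one as `...gets set on the container process.`. It would also help admins reading this trait to state, next to the new `None` paragraph, that a container run with `privileged=True` always has escalation allowed regardless of this setting, which the last two lines already imply. The `Bool(...)` definition and its help string continue past the end of the hunk.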