Update the KEP with clarity around localhost probes #5444
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: tssurya The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/retitle Update the KEP with clarity around localhost probes
Signed-off-by: Surya Seetharaman <[email protected]>
@@ -88,7 +88,8 @@ lead to blind SSRF attacks. | |||
### Goals | |||
|
|||
* Add Pod Security Admission (PSA) to enable admins to restrict | |||
users from creating probes with the `Host` field set. | |||
users from creating probes with the `Host` field set to disallowed | |||
values. The only allowed values will be `127.0.0.1` and `::1`. |
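Review bot: the new goal text in this hunk says the only allowed `Host` values will be `127.0.0.1` and `::1`, but it does not say where a loopback address is resolved; as the review comment below points out, 127.0.0.1 in a probe means localhost on the node's host network, which only applies to hostNetwork pods that the baseline policy already forbids. Either state that explicitly (e.g. "The only allowed values will be `127.0.0.1` and `::1`, which are resolved on the node's host network") or keep the original wording, as the follow-up comment suggests; it would also help to say in the same sentence whether leaving `Host` unset remains allowed, since "set to disallowed values" only implies it.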
127.0.0.1 in a probe means localhost on the node host network.
Isn't that only valid for host network pods? The baseline pod security policy forbids `hostNetwork: true` and `hostPort: ...` pods, so I'm not sure why we'd allow probes that only work for host network pods.
Agree with @liggitt. Based on what was mentioned in kubernetes/kubernetes#125271 (comment), I don't think we need to add this update to the enhancement. The original version looks good.
Addresses review comment #4942 (comment) from @BenTheElder and @danwinship. Though I removed the deprecation area totally, I forgot to mention that probes using the "localhost" IP will continue to be allowed.
cc @deads2k / @liggitt
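As an added illustration of the goal discussed in this PR (not code from the KEP, from Kubernetes, or from any commenter), the following policy check allows a probe `Host` only when it is 127.0.0.1 or ::1 and, following the point raised in the review comment, warns when such a loopback probe sits on a pod without hostNetwork. The helper names (`probe_hosts`, `is_allowed_host`, `check_pod`) and the manifests are this example's own; the probe field names follow the Pod API (`httpGet.host`, `tcpSocket.host`).

```python
# Added example, not code from the KEP or from Kubernetes: a policy check
# modelled on the goal in the diff, allowing a probe `Host` only when it is
# 127.0.0.1 or ::1. Probe field names follow the Pod API (httpGet.host,
# tcpSocket.host); the manifests at the bottom are constructed for the demo.
import ipaddress

PROBE_FIELDS = ("livenessProbe", "readinessProbe", "startupProbe")
HANDLER_FIELDS = ("httpGet", "tcpSocket")
ALLOWED_HOSTS = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}

def probe_hosts(pod):
    """Yield (container, probe, host) for every probe that sets a host."""
    spec = pod.get("spec", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for probe_name in PROBE_FIELDS:
            probe = c.get(probe_name) or {}
            for handler in HANDLER_FIELDS:
                host = (probe.get(handler) or {}).get("host")
                if host:
                    yield c["name"], probe_name, host

def is_allowed_host(host):
    """Compare as parsed addresses so 0:0:0:0:0:0:0:1 counts as ::1 (an
    assumption of this example; the KEP text names the two literals)."""
    try:
        return ipaddress.ip_address(host) in ALLOWED_HOSTS
    except ValueError:  # a hostname such as "localhost" is not an IP literal
        return False

def check_pod(pod):
    """Return (violations, warnings): violations for hosts outside the allowed
    set; warnings for loopback probes on a non-hostNetwork pod, which as the
    review comment notes resolve on the node's host network, not the pod's."""
    violations, warnings = [], []
    host_network = bool(pod.get("spec", {}).get("hostNetwork", False))
    for container, probe_name, host in probe_hosts(pod):
        where = f"{container}/{probe_name}"
        if not is_allowed_host(host):
            violations.append(f"{where}: host {host!r} is not 127.0.0.1 or ::1")
        elif not host_network:
            warnings.append(f"{where}: loopback host on a non-hostNetwork pod")
    return violations, warnings

# Constructed manifests: one probing an arbitrary address, one a loopback probe.
EXTERNAL_HOST_POD = {"spec": {"containers": [{"name": "app", "livenessProbe":
    {"httpGet": {"host": "10.0.0.5", "path": "/", "port": 80}}}]}}
LOOPBACK_POD = {"spec": {"containers": [{"name": "app", "readinessProbe":
    {"tcpSocket": {"host": "0:0:0:0:0:0:0:1", "port": 8080}}}]}}
```

Running `check_pod` over a manifest returns the violations an admission policy would reject on and the warnings an admin might surface, without touching the cluster.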