Docker/portainer
Docker/portainer
1
0
Fork 0
mirror of https://github.com/portainer/portainer.git synced 2025-07-21 06:19:41 +02:00
Code Issues Releases Activity

fix(advance deploy): EE-1141 A standard user can escalate to cluster administrator privileges on Kubernetes (#5325)

Browse source 
* fix(advance deploy): EE-1141 A standard user can escalate to cluster administrator privileges on Kubernetes

* fix(advance deploy): EE-1141 reuse existing token cache when do deployment

* fix: EE-1141 use user's SA token to exec pod command

* fix: EE-1141 stop advanced-deploy or pod-exec if user's SA token is empty

* fix: EE-1141 resolve merge conflicts

Co-authored-by: Simon Meng <simon.meng@portainer.io>
This commit is contained in:
cong meng 2021-08-04 11:11:24 +12:00 committed by GitHub
parent 5652bac004
commit 51ef2c2aa9
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
13 changed files with 155 additions and 43 deletions
Download patch file Download diff file Expand all files Collapse all files

14
api/http/proxy/factory/kubernetes/token.go
View file

@ -1,10 +1,8 @@
package kubernetes
import (
"io/ioutil"
"sync"
portainer "github.com/portainer/portainer/api"
"io/ioutil"
)
const defaultServiceAccountTokenFile = "/var/run/secrets/kubernetes.io/serviceaccount/token"
@ -13,7 +11,6 @@ type tokenManager struct {
tokenCache *tokenCache
kubecli portainer.KubeClient
dataStore portainer.DataStore
mutex sync.Mutex
adminToken string
}
@ -25,7 +22,6 @@ func NewTokenManager(kubecli portainer.KubeClient, dataStore portainer.DataStore
tokenCache: cache,
kubecli: kubecli,
dataStore: dataStore,
mutex: sync.Mutex{},
adminToken: "",
}
@ -41,13 +37,13 @@ func NewTokenManager(kubecli portainer.KubeClient, dataStore portainer.DataStore
return tokenManager, nil
}
func (manager *tokenManager) getAdminServiceAccountToken() string {
func (manager *tokenManager) GetAdminServiceAccountToken() string {
return manager.adminToken
}
func (manager *tokenManager) getUserServiceAccountToken(userID int, endpointID portainer.EndpointID) (string, error) {
manager.mutex.Lock()
defer manager.mutex.Unlock()
func (manager *tokenManager) GetUserServiceAccountToken(userID int, endpointID portainer.EndpointID) (string, error) {
manager.tokenCache.mutex.Lock()
defer manager.tokenCache.mutex.Unlock()
token, ok := manager.tokenCache.getToken(userID)
if !ok {