21 lines
960 B
YAML
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    kubernetes.io/description: |-
      Add endpoints write permissions to the edit and admin roles. This was
      removed by default in 1.22 because of CVE-2021-25740. See
      https://issue.k8s.io/103675. This can allow writers to direct LoadBalancer
      or Ingress implementations to expose backend IPs that would not otherwise
      be accessible, and can circumvent network policies or security controls
      intended to prevent/isolate access to those backends.

      EndpointSlices were never included in the edit or admin roles, so there
      is nothing to restore for the EndpointSlice API.
  labels:
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: custom:aggregate-to-edit:endpoints # you can change this if you wish
rules:
- apiGroups: [""]
  resources: ["endpoints"]
  verbs: ["create", "delete", "deletecollection", "patch", "update"]
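Because applying this ClusterRole deliberately re-grants the write access that 1.22 removed, a cluster operator will want a way to see which roles hold endpoints write verbs and which built-in roles they aggregate into. The following is an added audit example, not part of the manifest above or of Kubernetes itself. It models ClusterRole objects as plain Python dicts of the same shape as `kubectl get clusterroles -o json` items (an assumption; the sample roles, including a copy of the one above, are constructed inline so the script runs offline). It applies RBAC list semantics (`"*"` wildcards in apiGroups, resources and verbs all grant access) and records that an `aggregate-to-edit` role also reaches `admin`, since `edit` is aggregated into `admin`.

```python
# Added example (not the page's own code): audit ClusterRole objects for
# write access to core-group "endpoints", the permission the manifest above
# restores, and report which built-in roles each finding aggregates into.

WRITE_VERBS = {"create", "delete", "deletecollection", "patch", "update"}

# Aggregation labels and the built-in role each one feeds.
AGGREGATION_LABELS = {
    "rbac.authorization.k8s.io/aggregate-to-edit": "edit",
    "rbac.authorization.k8s.io/aggregate-to-admin": "admin",
    "rbac.authorization.k8s.io/aggregate-to-view": "view",
}


def _matches(values, wanted):
    """RBAC list semantics: a literal entry or the "*" wildcard grants access."""
    return "*" in values or wanted in values


def endpoints_write_verbs(rule):
    """Return the write verbs a single PolicyRule grants on core 'endpoints'."""
    if not _matches(rule.get("apiGroups", []), ""):       # "" is the core group
        return set()
    if not _matches(rule.get("resources", []), "endpoints"):
        return set()
    verbs = set(rule.get("verbs", []))
    return set(WRITE_VERBS) if "*" in verbs else verbs & WRITE_VERBS


def audit_endpoints_write(roles):
    """Map each ClusterRole name that grants endpoints writes to the verbs it
    grants and the built-in roles it aggregates into (possibly none)."""
    findings = {}
    for role in roles:
        granted = set()
        for rule in role.get("rules", []):
            granted |= endpoints_write_verbs(rule)
        if not granted:
            continue
        labels = role.get("metadata", {}).get("labels", {})
        targets = [name for lbl, name in AGGREGATION_LABELS.items()
                   if labels.get(lbl) == "true"]
        # edit is itself aggregated into admin, so aggregate-to-edit reaches both.
        if "edit" in targets and "admin" not in targets:
            targets.append("admin")
        findings[role["metadata"]["name"]] = {
            "verbs": sorted(granted),
            "aggregates_to": sorted(targets),
        }
    return findings


# Constructed sample input: the manifest above plus three roles that exercise
# the wildcard, read-only and EndpointSlice cases.
SAMPLE_ROLES = [
    {"metadata": {"name": "custom:aggregate-to-edit:endpoints",
                  "labels": {"rbac.authorization.k8s.io/aggregate-to-edit": "true"}},
     "rules": [{"apiGroups": [""], "resources": ["endpoints"],
                "verbs": ["create", "delete", "deletecollection", "patch", "update"]}]},
    {"metadata": {"name": "wildcard-everything"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "endpoints-reader",
                  "labels": {"rbac.authorization.k8s.io/aggregate-to-view": "true"}},
     "rules": [{"apiGroups": [""], "resources": ["endpoints"],
                "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "endpointslice-writer"},
     "rules": [{"apiGroups": ["discovery.k8s.io"], "resources": ["endpointslices"],
                "verbs": ["create", "update"]}]},
]


if __name__ == "__main__":
    for name, report in audit_endpoints_write(SAMPLE_ROLES).items():
        print(f"{name}: verbs={report['verbs']} aggregates_to={report['aggregates_to']}")
```

Only the restored role and the wildcard role are reported; the read-only role and the EndpointSlice role are not, matching the description's note that nothing about EndpointSlices is affected. In a live cluster the same function can be fed the `items` list from `kubectl get clusterroles -o json`, which is a periodic check worth keeping once this manifest is applied.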