
@anibal2222

Issue #, if available: NA

Description of changes:

Starting with Kubernetes 1.31, Kubernetes uses the WebSocket protocol instead of SPDY for streaming. Following this transition, the subresources "pods/attach", "pods/exec", "pods/portforward", "pods/proxy" and "nodes/proxy" became accessible through a "GET" with an Upgrade header instead of only "CREATE". As a result, this allowed users with read-only access to execute streaming commands, like "exec" and "port-forward", exposing a significant security gap.

In order to prevent this behavior, the only access policies with permissions for the subresources ("pods/attach", "pods/exec", "pods/portforward", "pods/proxy" and "nodes/proxy") are: "AmazonEKSAdminPolicy", "AmazonEKSClusterAdminPolicy" and "AmazonEKSEditPolicy".

Currently, this change is not documented, which can affect the customer experience, since the documentation does not reflect the current behavior of EKS clusters and sets wrong expectations.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
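As an added example (not code from this PR, the EKS docs or Kubernetes), a small RBAC audit that flags Role/ClusterRole rules which grant `get` on the streaming subresources named above: on Kubernetes 1.31+ a GET with an Upgrade header is enough to start exec or port-forward, so a "read-only" role that names those subresources is no longer read-only. The resource-matching logic (exact `resource/subresource`, `*`, or `*/subresource`) is my reading of RBAC and is an assumption; the sample roles are constructed.

```python
# Subresources that Kubernetes 1.31+ serves over WebSocket: a GET with an
# Upgrade header now starts the stream that previously needed "create".
STREAMING_SUBRESOURCES = (
    ("", "pods", "attach"),
    ("", "pods", "exec"),
    ("", "pods", "portforward"),
    ("", "pods", "proxy"),
    ("", "nodes", "proxy"),
)


def rule_matches(rule, api_group, resource, subresource, verb):
    """True if one RBAC rule grants `verb` on resource/subresource.
    Assumed matching (not taken from the page): apiGroups "*" or exact;
    resources "*", "*/<sub>" or exact "<res>/<sub>"; a bare "pods" entry
    does not cover "pods/exec"."""
    target = f"{resource}/{subresource}"
    if not any(g in ("*", api_group) for g in rule.get("apiGroups", [])):
        return False
    if not any(r in ("*", f"*/{subresource}", target)
               for r in rule.get("resources", [])):
        return False
    verbs = rule.get("verbs", [])
    return "*" in verbs or verb in verbs


def streaming_grants(role):
    """Map 'res/sub' -> set of verbs (get/create) the role grants on it."""
    found = {}
    for rule in role.get("rules", []):
        for group, res, sub in STREAMING_SUBRESOURCES:
            for verb in ("get", "create"):
                if rule_matches(rule, group, res, sub, verb):
                    found.setdefault(f"{res}/{sub}", set()).add(verb)
    return found


def read_only_streaming_risk(role):
    """Streaming subresources reachable via GET, i.e. via WebSocket upgrade."""
    return sorted(s for s, v in streaming_grants(role).items() if "get" in v)


# Constructed sample roles (not real cluster objects).
POD_READER = {"rules": [{"apiGroups": [""], "verbs": ["get", "list", "watch"],
              "resources": ["pods", "pods/log", "pods/exec", "pods/portforward"]}]}
WILDCARD_VIEWER = {"rules": [{"apiGroups": ["*"], "resources": ["*"],
                   "verbs": ["get", "list", "watch"]}]}
SAFE_VIEW = {"rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"],
             "verbs": ["get", "list", "watch"]}]}
```

`read_only_streaming_risk(POD_READER)` returns `["pods/exec", "pods/portforward"]`, and the wildcard viewer is flagged for all five subresources.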

fincd-aws and others added 30 commits June 27, 2025 11:32
…sdocs#1053)

* document that spot interruption and EC2 health events are handled

* change link type

---------

Co-authored-by: Geoffrey Cline <geoffreyc@outlook.com>
…-command

Fix documentation: Remove invalid --approve flag from eksctl create podidentityassociation command
Sort network policy troubleshooting page for further additions.
Add 12 known issues.
This reverts commit 8f84d86.
For now, the re-conversion is required for the
  "Edit this page on GitHub" links to work.
…nfig

document the automatic configuration of local instance storage
Signed-off-by: Micah Hausler <mhausler@amazon.com>
chrisnegus and others added 22 commits September 4, 2025 16:29
Update docs with new aws-cni version 1.20.1
Thanks wsilva!
* Clarify control of workloads in Capacity Reservations

Updated the document to clarify the control of workload deployment into Capacity Reservations and added details on EC2 Capacity Blocks for ML.

* revise ml blocks

* revise ml blocks

* revise based on feedback

* fix typo
Fix missing indentation on alb-ingress.adoc
…ily copy and paste to understand the chapter's content. (awsdocs#1109)
@aws-amplify-us-east-1

This pull request is automatically being deployed by Amplify Hosting.

Access this pull request here: https://pr-1116.d3rijirjvbh87e.amplifyapp.com

@fincd-aws fincd-aws self-assigned this Sep 22, 2025
@fincd-aws
Contributor

Hi thanks!
I'm also going to recheck the tables of access policies in https://docs.aws.amazon.com/eks/latest/userguide/access-policy-permissions.html
