Skip to content

Commit 1df12ac

Browse files
toumorokoshitoumorokoshi
committed
Adding object references security considerations
Clarifying practices around object references that help prevent against privilege escalation.
1 parent 6981161 commit 1df12ac

File tree

1 file changed

+32
-0
lines changed

1 file changed

+32
-0
lines changed

contributors/devel/sig-architecture/api-conventions.md

Lines changed: 32 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -924,6 +924,38 @@ There are multiple scenarios where a desired resource may not exist. Examples in
924924
Controllers should be authored with the assumption that the referenced resource may not exist, and include
925925
error handling to make the issue clear to the user.
926926

927+
### Validation of fields
928+
929+
Many of the values used in an object reference are used as part of the API path. For example,
930+
the object name is used in the path to identify the object. Unsanitized, these values can be used to
931+
attempt to retrieve other resources, such as by using values with semantic meanings such as `..` or `/`.
932+
933+
Have the controller validate the field before using it as a reference, and emit an event to
934+
tell the user that the validation has failed.
935+
936+
See [Object Names and IDs](https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#dns-subdomain-names)
937+
for more information on legal object names.
938+
939+
### Do not modify the referred object
940+
941+
To minimize potential privilege escalation vectors, do not modify the object that is being referred to.
942+
943+
### Minimize copying or printing values to the referrer object
944+
945+
As the permissions of the controller can differ from the permissions of the author of the object
946+
the controller is managing, it is possible that the author of the object may not have permissions to
947+
view the referred object. As a result, the copying of any values about the referred object to the
948+
referrer object can be considered permissions escalations, enabling a user to read values that they
949+
would not have access to previously.
950+
951+
The same scenario applies to writing information about the referred object to events.
952+
953+
In general, do not write or print information about the referred object to the spec, other objects, or logs.
954+
955+
When it is necessary, consider whether these values would be ones that the
956+
author of the referrer object would have access to via other means (e.g. already required to
957+
correctly populate the object reference).
958+
927959
### Object References Examples
928960

929961
The following sections illustrate recommended schemas for various object references scenarios.

0 commit comments

Comments
 (0)