Documentation
Overview
Copyright (c) 2024 Tigera, Inc. All rights reserved.
Index
Constants
This section is empty.
Variables
var AllVerbs = []Verb{
	VerbGet,
	VerbList,
	VerbUpdate,
	VerbCreate,
	VerbPatch,
	VerbDelete,
	VerbWatch,
}
Functions
This section is empty.
Types
type Calculator
type Calculator interface {
	CalculatePermissions(user user.Info, rvs []ResourceVerbs) (Permissions, error)
}
Calculator provides methods to determine RBAC permissions for a user.
func NewCalculator
func NewCalculator(
	resourceLister ResourceLister,
	clusterRoleGetter ClusterRoleGetter,
	clusterRoleBindingLister ClusterRoleBindingLister,
	roleGetter RoleGetter,
	roleBindingLister RoleBindingLister,
	namespaceLister NamespaceLister,
	calicoResourceLister CalicoResourceLister,
	minResourceRefreshInterval time.Duration,
) Calculator
NewCalculator creates a new RBAC Calculator.
type CalicoResourceLister
CalicoResourceLister interface is used to list the required Calico resource types.
type ClusterRoleBindingLister
type ClusterRoleBindingLister interface {
ListClusterRoleBindings() ([]*rbacv1.ClusterRoleBinding, error)
}
ClusterRoleBindingLister interface is used to list all ClusterRoleBindings.
type ClusterRoleGetter
type ClusterRoleGetter interface {
GetClusterRole(name string) (*rbacv1.ClusterRole, error)
}
ClusterRoleGetter interface is used to get a specific ClusterRole.
type Match
type Match struct {
	// A blank namespace indicates a cluster-wide match. This is applicable to namespaced and cluster-scoped resource
	// types.
	//
	// For Namespace queries, the Namespace field will never be wildcarded for the "get" verb, it may be wildcarded or
	// explicit for "watch", and is only ever wildcarded for the remaining verbs (e.g. the RBAC calculator never expands
	// down to individual namespaces for "create", "delete" etc.)
	Namespace string `json:"namespace"`

	// Tier will never be wildcarded for Calico tiered policies, i.e. the response will contain explicit
	// match entries for each authorized tier.
	//
	// For Tier queries, the Tier field will never be wildcarded for the "get" verb, it may be wildcarded or explicit for
	// "watch", and is only ever wildcarded for the remaining verbs (e.g. the RBAC calculator never expands down to
	// individual tiers for "create", "delete" etc.)
	Tier string `json:"tier"`
}
Match contains details of a set of RBAC authorization matches for a given ResourceType/Verb combination. An empty string indicates a wildcard match.
type NamespaceLister
NamespaceLister interface is used to list all Namespaces.
type Permissions
type Permissions map[ResourceType]map[Verb][]Match
Permissions contains the calculated set of permissions for a single request. It is organized by resource type and then by verb. The set of matches consists of the authorized namespaces and tiers for a particular resource type and verb pairing.
If the match slice is nil or empty then the user is not authorized to perform the action at a namespace level or cluster-wide.
If the user is authorized cluster-wide, the namespace field in the Match entry will be an empty string. This applies to both namespaced and cluster-scoped resource types.
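The wildcard rules above (for Match and Permissions) are what a consumer of the response has to apply correctly: a nil or empty match slice is a denial, an empty Namespace is a cluster-wide grant, and an empty Tier matches any tier. The following is an added example, not code from this package: it re-declares the documented shapes locally, builds a constructed Permissions response, and evaluates one concrete request against it.

```go
package main

import "fmt"

// Local re-declarations of the documented shapes (added example, not the package's own code).
type Verb string
type ResourceType struct{ APIGroup, Resource string }
type Match struct {
	Namespace string `json:"namespace"` // "" = cluster-wide grant
	Tier      string `json:"tier"`      // "" = any tier (or a non-tiered resource)
}
type Permissions map[ResourceType]map[Verb][]Match

// Authorized interprets a Permissions response for one concrete request:
// a nil or empty match slice means not authorized anywhere; an entry with an
// empty Namespace is cluster-wide and an empty Tier matches any tier.
func Authorized(p Permissions, rt ResourceType, verb Verb, namespace, tier string) bool {
	for _, m := range p[rt][verb] { // indexing a nil map or ranging a nil slice is safe in Go
		nsOK := m.Namespace == "" || m.Namespace == namespace
		tierOK := m.Tier == "" || m.Tier == tier
		if nsOK && tierOK {
			return true
		}
	}
	return false
}

// Constructed sample response: tiered Calico policies plus a core (untiered) resource.
var (
	calicoPolicies = ResourceType{APIGroup: "projectcalico.org", Resource: "networkpolicies"}
	pods           = ResourceType{APIGroup: "", Resource: "pods"}
	sample         = Permissions{
		calicoPolicies: {
			"get":    {{Namespace: "dev", Tier: "default"}, {Namespace: "", Tier: "platform"}},
			"delete": nil, // denied everywhere
		},
		pods: {
			"list": {{Namespace: ""}}, // cluster-wide, no tier
		},
	}
)

func main() {
	// true: a cluster-wide entry exists for tier "platform"; false: tier "default" is only granted in "dev"
	fmt.Println(Authorized(sample, calicoPolicies, "get", "prod", "platform"), Authorized(sample, calicoPolicies, "get", "prod", "default"))
}
```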
type ResourceLister
type ResourceLister interface {
ServerPreferredResources() ([]*metav1.APIResourceList, error)
}
ResourceLister interface is used to list registered resource types.
type ResourceType
ResourceType encapsulates the APIGroup and Resource. The Resource is the lowercase plural kind used in the RBAC configuration (e.g. pods).
func (ResourceType) MarshalText
func (rt ResourceType) MarshalText() ([]byte, error)
func (ResourceType) String
func (r ResourceType) String() string
func (*ResourceType) UnmarshalText
func (rt *ResourceType) UnmarshalText(b []byte) error
type ResourceVerbs
type ResourceVerbs struct {
	ResourceType ResourceType
	Verbs        []Verb
}
ResourceVerbs encapsulates a resource type with a set of verbs. This is used in the request. The response orders the data slightly differently to handle de-duplication.
type RoleBindingLister
type RoleBindingLister interface {
ListRoleBindings(namespace string) ([]*rbacv1.RoleBinding, error)
}
RoleBindingLister interface is used to list all RoleBindings in a specific namespace.
type RoleGetter
RoleGetter interface is used to get a specific Role.