Updated Secure Kubernetes Defaults to include local storage class

Signed-off-by: Olly Pomeroy <olly@docker.com>
docker · Jun 13, 2019 · 2844a35 · 2844a35
1 parent 9e32176
commit 2844a35
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 6 deletions.
diff --git a/ee/ucp/authorization/index.md b/ee/ucp/authorization/index.md
@@ -99,11 +99,13 @@ resources.
 
 ## Secure Kubernetes defaults
 
-For cluster security, only users and service accounts granted the `cluster-admin` ClusterRole for 
-all Kubernetes namespaces via a ClusterRoleBinding can deploy pods with privileged options. This prevents a
-platform user from being able to bypass the Universal Control Plane Security Model.
+For cluster security, only users and service accounts granted the
+`cluster-admin` ClusterRole for all Kubernetes namespaces via a
+ClusterRoleBinding can deploy pods with privileged options. This prevents a
+platform user from being able to bypass the Universal Control Plane Security
+Model. These privileged options include:
 
-These privileged options include: 
+Pods with any of the following defined in the Pod Specification:
 
   - `PodSpec.hostIPC` - Prevents a user from deploying a pod in the host's IPC
     Namespace.
@@ -121,6 +123,17 @@ These privileged options include:
   - `Volume.hostPath` - Prevents a user from mounting a path from the host into
     the container. This could be a file, a directory, or even the Docker Socket.
 
+Persistent Volumes using the following storage classes:
+
+  - `Local` - Prevents a user from creating a persistent volume with the
+    [Local Storage
+    Class](https://kubernetes.io/docs/concepts/storage/volumes/#local). The
+    Local storage class allows a user to mount directorys from the host into a
+    pod. This could be a file, a directory, or even the Docker Socket. 
+
+  > Note: If an Admin has created a persistent volume with the local storage
+  > class, a non-admin could consume this via a persitent volume claim. 
+
 If a user without a cluster admin role tries to deploy a pod with any of these
 privileged options, an error similar to the following example is displayed:
 

diff --git a/ee/ucp/release-notes.md b/ee/ucp/release-notes.md
@@ -197,7 +197,9 @@ upgrade your installation to the latest release.
 
 ### Bug Fixes
  * Fixed system hang following UCP backup and docker daemon shutdown. (docker/escalation#841)
- * Non-admin users can no longer create `PersistentVolumes` that mount host directories. (docker/orca#15936)
+ * Non-admin users can no longer create `PersistentVolumes` using the `Local`
+   Storage Class, as this allowed non-admins to by pass security controls and
+   mount host directories. (docker/orca#15936)
  * Added support for the limit arg in `docker ps`. (docker/orca#15812)
  * Fixed an issue with ucp-proxy health check. (docker/orca#15814, docker/orca#15813, docker/orca#16021, docker/orca#15811)
  * Fixed an issue with manual creation of a **ClusterRoleBinding** or **RoleBinding** for `User` or `Group` subjects requiring the ID of the user, organization, or team. (docker/orca#14935)
@@ -409,7 +411,9 @@ The following features are deprecated in UCP 3.1.
 
 ### Bug fixes
   * Upgrading Interlock now also upgrades interlock proxy and interlock extension. (docker/escalation/871)
-  * Non-admin users can no longer create `PersistentVolumes` that mount host directories. (#15936)
+  * Non-admin users can no longer create `PersistentVolumes` using the `Local`
+    Storage Class, as this allowed non-admins to by pass security controls and
+    mount host directories. (docker/orca#15936)
   * Added support for the limit arg in `docker ps`. (#15812)
 
 ### Known issue