Allow more k8s actions in untrusted context
Allow the use of the k8s module in the untrusted execution context, but check the 'src' and other attributes to make sure it isn't trying to load a file from outside the executor work dir. Otherwise, this should be safe since it only operates on external resources. Also, the add_host module can already be used with kubectl, but it does not allow setting the namespace which may be necessary if the credential being used isn't already scoped to the target namespace. Allow the ansible_kubectl_namespace option to be used with add_host. Change-Id: Id4f4dda2f7b743752553718aec69507bbc7a5b12
This commit is contained in:
parent
ca9504b2d7
commit
1d4b3796f7
|
@ -33,6 +33,7 @@ class ActionModule(add_host.ActionModule):
|
|||
'ansible_ssh_pass',
|
||||
'ansible_fqdn',
|
||||
'ansible_private_key_file',
|
||||
'ansible_kubectl_namespace',
|
||||
))
|
||||
args = set(filter(
|
||||
lambda x: x.startswith('ansible_'), self._task.args.keys()))
|
||||
|
|
|
@ -116,3 +116,16 @@ class ActionModule(normal.ActionModule):
|
|||
" Only {allowed_schemes} are allowed".format(
|
||||
scheme=scheme,
|
||||
allowed_schemes=ALLOWED_URL_SCHEMES))
|
||||
|
||||
def handle_k8s(self):
|
||||
'''Allow k8s module on localhost if it doesn't touch unsafe files.
|
||||
|
||||
The :ansible:module:`k8s` can be used from the executor to modify
|
||||
k8s resources. Several options refer to local paths; check that
|
||||
they are constrained to the work dir.
|
||||
'''
|
||||
for arg in ('src', 'ca_cert', 'client_cert',
|
||||
'client_key', 'kubeconfig'):
|
||||
path = self._task.args.get(arg)
|
||||
if path:
|
||||
paths._fail_if_unsafe(path)
|
||||
|
|
Loading…
Reference in New Issue