zalando-incubator · arjunrn · Jul 30, 2019 · Jul 26, 2019 · Jul 26, 2019 · Jul 29, 2019
diff --git a/cluster/manifests/01-platformcredentialsset/customresourcedefinition.yaml b/cluster/manifests/01-platformcredentialsset/customresourcedefinition.yaml
@@ -16,6 +16,19 @@ spec:
       - pcs
     categories:
       - all
+  additionalPrinterColumns:
+  - JSONPath: .spec.application
+    description: ID of application registered in application registry
+    name: Application
+    type: string
+  - JSONPath: .status.processingStatus
+    description: Processing status reported by Credentials Provider
+    name: Status
+    type: string
+  - JSONPath: .metadata.creationTimestamp
+    description: Age of the PlatformCredentialsSet
+    name: Age
+    type: date
   validation:
     openAPIV3Schema:
       required:

diff --git a/cluster/manifests/prometheus-node-exporter/daemonset.yaml b/cluster/manifests/prometheus-node-exporter/daemonset.yaml
@@ -32,7 +32,6 @@ spec:
       - image: registry.opensource.zalan.do/teapot/prometheus-node-exporter:v0.18.1
         args:
           - --collector.textfile.directory=/prometheus-exporter-data
-          - --collector.interrupts
           - --collector.processes
         name: prometheus-node-exporter
         ports:

diff --git a/cluster/manifests/roles/poweruser-binding.yaml b/cluster/manifests/roles/poweruser-binding.yaml
@@ -10,3 +10,9 @@ subjects:
 - kind: Group
   name: PowerUser
   apiGroup: rbac.authorization.k8s.io
+- kind: Group
+  name: Manual
+  apiGroup: rbac.authorization.k8s.io
+- kind: Group
+  name: Emergency
+  apiGroup: rbac.authorization.k8s.io
diff --git a/cluster/node-pools/master-default/userdata.clc.yaml b/cluster/node-pools/master-default/userdata.clc.yaml
@@ -489,7 +489,7 @@ storage:
               - mountPath: /etc/kubernetes/ssl
                 name: ssl-certs-kubernetes
                 readOnly: true
-          - image: registry.opensource.zalan.do/teapot/k8s-authnz-webhook:v0.5.6
+          - image: registry.opensource.zalan.do/teapot/k8s-authnz-webhook:v0.5.7
             name: webhook
             ports:
             - containerPort: 8081

diff --git a/cluster/node-pools/master-ubuntu-default/userdata.yaml b/cluster/node-pools/master-ubuntu-default/userdata.yaml
@@ -226,7 +226,7 @@ write_files:
             - mountPath: /etc/kubernetes/ssl
               name: ssl-certs-kubernetes
               readOnly: true
-        - image: registry.opensource.zalan.do/teapot/k8s-authnz-webhook:v0.5.6
+        - image: registry.opensource.zalan.do/teapot/k8s-authnz-webhook:v0.5.7
           name: webhook
           ports:
           - containerPort: 8081

diff --git a/test/e2e/authorisation_test.go b/test/e2e/authorisation_test.go
@@ -2156,6 +2156,34 @@ var _ = framework.KubeDescribe("Authorization tests", func() {
 				}}`,
 				},
 			},
+			{
+				msg: "cdp service account can't escalate permissions",
+				reqBody: `{
+					"apiVersion": "authorization.k8s.io/v1beta1",
+					"kind": "SubjectAccessReview",
+					"spec": {
+					"resourceAttributes": {
+						"namespace": "",
+						"verb": "escalate",
+						"group": "*",
+						"resource": "clusterroles"
+					},
+					"user": "system:serviceaccount:default:cdp",
+					"group": []
+					}
+				}`,
+				expect: expect{
+					status: http.StatusCreated,
+					body: `{
+					"apiVersion": "authorization.k8s.io/v1beta1",
+					"kind": "SubjectAccessReview",
+					"status": {
+						"denied": true,
+						"reason": "no one is allowed to escalate"
+					}
+				}}`,
+				},
+			},
 			{
 				msg: "operator service account cannot create namespaces",
 				reqBody: `{