From 16a44f3fab275ec91e03a82e98182af40d100148 Mon Sep 17 00:00:00 2001 From: martyav Date: Mon, 26 Aug 2024 07:04:38 -0400 Subject: [PATCH 1/2] [v2.9.1][v2.8.6] Aug 2024 CNI popularity update --- shared-files/_cni-popularity.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/shared-files/_cni-popularity.md b/shared-files/_cni-popularity.md index e3c1d194397..e5aa19e0ef1 100644 --- a/shared-files/_cni-popularity.md +++ b/shared-files/_cni-popularity.md @@ -1,10 +1,10 @@ -The following table summarizes different GitHub metrics to give you an idea of each project's popularity and activity levels. This data was collected in March 2024. +The following table summarizes different GitHub metrics to give you an idea of each project's popularity and activity levels. This data was collected in August 2024. | Provider | Project | Stars | Forks | Contributors | | ---- | ---- | ---- | ---- | ---- | -| Canal | https://github.com/projectcalico/canal | 714 | 100 | 20 | +| Canal | https://github.com/projectcalico/canal | 715 | 100 | 20 | | Flannel | https://github.com/flannel-io/flannel | 8.7k | 2.9k | 235 | -| Calico | https://github.com/projectcalico/calico | 5.8k | 1.3k | 353 | -| Weave | https://github.com/weaveworks/weave/ | 6.6k | 668 | 87 | -| Cilium | https://github.com/cilium/cilium | 19.4k | 2.8k | 775 | +| Calico | https://github.com/projectcalico/calico | 5.8k | 1.3k | 354 | +| Weave | https://github.com/weaveworks/weave/ | 6.6k | 667 | 87 | +| Cilium | https://github.com/cilium/cilium | 19.4k | 2.9k | 796 | From 5608d3a7e995fb590d3322fb84afa2622fa9decf Mon Sep 17 00:00:00 2001 From: Sunil Singh Date: Mon, 26 Aug 2024 11:29:54 -0700 Subject: [PATCH 2/2] Adding note to v2.6 Signed-off-by: Sunil Singh --- .../communicating-with-downstream-user-clusters.md | 6 ++++++ 1 file changed, 6 insertions(+) 
diff --git a/versioned_docs/version-2.6/reference-guides/rancher-manager-architecture/communicating-with-downstream-user-clusters.md b/versioned_docs/version-2.6/reference-guides/rancher-manager-architecture/communicating-with-downstream-user-clusters.md index d1fd5b1cad1..591bcccdd67 100644 --- a/versioned_docs/version-2.6/reference-guides/rancher-manager-architecture/communicating-with-downstream-user-clusters.md +++ b/versioned_docs/version-2.6/reference-guides/rancher-manager-architecture/communicating-with-downstream-user-clusters.md @@ -82,6 +82,12 @@ You will need to use a context defined in this kubeconfig file to access the clu ## Impersonation +:::caution Known Issue + +Service account impersonation (`--as`) used by lower privileged user accounts to remove privileges is not implemented and is a [feature](https://github.com/rancher/rancher/issues/41988) being tracked. + +::: + Users technically exist only on the upstream cluster. Rancher creates [RoleBindings and ClusterRoleBindings](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding) that refer to Rancher users, even though there is [no actual User resource](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#users-in-kubernetes) on the downstream cluster. When users interact with a downstream cluster through the authentication proxy, there needs to be some entity downstream to serve as the actor for those requests. Rancher creates service accounts to be that entity. Each service account is only granted one permission, which is to **impersonate** the user they belong to. If there was only one service account that could impersonate any user, then it would be possible for a malicious user to corrupt that account and escalate their privileges by impersonating another user. This issue was the basis for a [CVE](https://github.com/rancher/rancher/security/advisories/GHSA-pvxj-25m6-7vqr).
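Review bot: in the `shared-files/_cni-popularity.md` hunk of PATCH 1/2, the intro line still promises "popularity and activity levels" but the three columns (Stars, Forks, Contributors) are cumulative counters that say little about current activity; this refresh shows Weave moving only from 668 to 667 forks with stars and contributors unchanged, which a reader cannot distinguish from a healthy project whose counts simply did not change. Consider adding a column such as "Last release" or "Last commit" so someone picking a CNI can see maintenance status, which matters more than star count when a CVE needs a patched release. Two smaller points in the same hunk: Canal is listed with an exact value (`715`) while every other row is rounded to one decimal of `k`, so either round Canal or give exact numbers for all rows; and "This data was collected in August 2024" would be more useful with the actual collection date, since the previous line already went stale between March and August.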
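Review bot: the new `:::caution Known Issue` block in `communicating-with-downstream-user-clusters.md` (PATCH 2/2) is ambiguous about who does what. "Service account impersonation (`--as`) used by lower privileged user accounts to remove privileges" reads as if low-privileged users are the ones invoking `--as`, whereas the normal use of `kubectl --as=system:serviceaccount:<namespace>:<name>` is a user with broader rights dropping to a narrower identity, for example to test an RBAC policy. Suggest stating the scenario directly, e.g. "Impersonating a service account with `kubectl --as=system:serviceaccount:<namespace>:<name>` through the Rancher authentication proxy, for example to test a reduced set of permissions, is not currently supported; support is tracked in [rancher/rancher#41988](https://github.com/rancher/rancher/issues/41988)." The placement also invites confusion: the paragraph immediately after the admonition explains that Rancher itself relies on impersonation (per-user service accounts whose only permission is to impersonate that user), so a reader may conclude that mechanism is what is "not implemented". One clause distinguishing user-initiated `--as` from Rancher's internal impersonation would remove that ambiguity. Finally, the subject line says this note is added only to the v2.6 docs; if the limitation also applies to the versions PATCH 1/2 targets (v2.9.1, v2.8.6), the same admonition should land in those `versioned_docs` trees in this series.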