kubernetes
/
community
mirror of https://github.com/kubernetes/community.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Remove FSQuotaForLSCIEnforcement

This commit is contained in:
Robert Krawitz 2018-10-02 18:41:14 -04:00
parent f6407579fd
commit e78892b01c
1 changed files with 5 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
keps/sig-node/0028-20180906-quotas-for-ephemeral-storage.md
View File

@ -259,7 +259,7 @@ exceeded (2^63-1 bytes for XFS, 2^58-1 bytes for ext4fs).
### Control over Use of Quotas ### Control over Use of Quotas
At present, three feature gates control operation of quotas: At present, two feature gates control operation of quotas:
* `LocalStorageCapacityIsolation` must be enabled for any use of * `LocalStorageCapacityIsolation` must be enabled for any use of
quotas. quotas.
@ -269,11 +269,8 @@ At present, three feature gates control operation of quotas:
present, this defaults to False, but the intention is that this will present, this defaults to False, but the intention is that this will
default to True by initial release. default to True by initial release.
* `FSQuotaForLSCIEnforcement` must be enabled, in addition to * _`FSQuotaForLSCIEnforcement` must be enabled, in addition to
`FSQuotaForLSCIMonitoring`, to use quotas for enforcement. This `FSQuotaForLSCIMonitoring`, to use quotas for enforcement._
defaults to False and is expected to remain in that state for
initial release. _A future project to use quotas for enforcing may
change this default to True._
### Operation Flow -- Applying a Quota ### Operation Flow -- Applying a Quota
@ -762,8 +759,8 @@ quota system.
specifically. The demonstration of the vulnerability resulted in specifically. The demonstration of the vulnerability resulted in
incorrect handling of quota data. incorrect handling of quota data.
* *CVE-2012-3417* The good\_client function in rquotad (rquota\_svc.c) * *CVE-2012-3417* The good_client function in rquotad (rquota_svc.c)
in Linux DiskQuota (aka quota) before 3.17 invokes the hosts\_ctl in Linux DiskQuota (aka quota) before 3.17 invokes the hosts_ctl
function the first time without a host name, which might allow function the first time without a host name, which might allow
remote attackers to bypass TCP Wrappers rules in hosts.deny (related remote attackers to bypass TCP Wrappers rules in hosts.deny (related
to rpc.rquotad; remote attackers might be able to bypass TCP to rpc.rquotad; remote attackers might be able to bypass TCP