Remove gitRepo volume type

[vinayakankugoyal]

What would you like to be added?

I'd like to remove gitRepo volume types. It's been deprecated for 6 years now and if a giant foot gun.

In a recent blog a researcher has exploited it to get remote code execution(RCE).

https://irsl.medium.com/sneaky-write-hook-git-clone-to-root-on-k8s-node-e38236205d54

Why is this needed?

To prevent folks from using a deprecated and dangerous volume type.

[k8s-ci-robot]

This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[vinayakankugoyal]

/sig-security

[vinayakankugoyal]

/sig security

[vinayakankugoyal]

/sig storage

[SaranBalaji90]

+1. FYI we discussed about removing the gitRepo volume provisioner in the past (for context - https://docs.google.com/document/d/1-8KEG8AjAgKznS9NFm3qWqkGyCHmvU6HVl0sk5hwoAE/edit#heading=h.9ealp5t409p1). As a first step to restrict the use, we could also evaluate adding support in PSA to disallow creation of gitRepo volume for Baseline/Restricted namespaces [1].

[1] - https://kubernetes.io/docs/concepts/security/pod-security-standards/#baseline

[raesene]

I'd definitely agree that this should be removed, or at the very least moved to not be enabled by default. PSS baseline would be good to.

Having a situation where anyone with create pod automatically gets code execution on the underlying node as root is .... not the best.

[niranjandarshann]

We should remove the gitRepo volume provisioner or at least disable it by default. Adding a restriction in the Pod Security Standards baseline would be good too. Letting anyone who can create a pod run code as root on the node is very risky.

[destijl]

+1 for removal, and putting a forbid into PSS baseline (like hostpath is today) while that happens.