!121 fix CVE-2023-2727 and CVE-2023-2728

From: @zh_xiaoyu Reviewed-by: @duguhaotian Signed-off-by: @duguhaotian
2023-07-04 09:11:19 +00:00 · 2023-07-04 09:11:19 +00:00 · fdfbac74e0
commit fdfbac74e0
parent 6265df3b29 bec493a4d1
3 changed files with 570 additions and 9 deletions
--- a/0007-Validate-etcd-paths.patch
+++ b/0007-Validate-etcd-paths.patch
@ -9,7 +9,7 @@ Subject: [PATCH] Validate etcd paths
 2 files changed, 261 insertions(+), 131 deletions(-)

 diff --git a/staging/src/k8s.io/apiserver/pkg/storage/etcd3/store.go b/staging/src/k8s.io/apiserver/pkg/storage/etcd3/store.go
-index f97bc3833e767..0e2fb36870527 100644
+index 75a6c3b5..2069777c 100644
 --- a/staging/src/k8s.io/apiserver/pkg/storage/etcd3/store.go
 +++ b/staging/src/k8s.io/apiserver/pkg/storage/etcd3/store.go
@@ -99,16 +99,21 @@ func New(c *clientv3.Client, codec runtime.Codec, newFunc func() runtime.Object,
@ -340,7 +340,7 @@ index f97bc3833e767..0e2fb36870527 100644
 // On success, objPtr would be set to the object.
 func decode(codec runtime.Codec, versioner storage.Versioner, value []byte, objPtr runtime.Object, rev int64) error {
 diff --git a/staging/src/k8s.io/apiserver/pkg/storage/etcd3/store_test.go b/staging/src/k8s.io/apiserver/pkg/storage/etcd3/store_test.go
-index 6ace3f68bc85c..811036a7cdfb4 100644
+index fedbcce3..65a73c21 100644
 --- a/staging/src/k8s.io/apiserver/pkg/storage/etcd3/store_test.go
 +++ b/staging/src/k8s.io/apiserver/pkg/storage/etcd3/store_test.go
@@ -64,6 +64,7 @@ var scheme = runtime.NewScheme()
@ -993,7 +993,7 @@ index 6ace3f68bc85c..811036a7cdfb4 100644
 	}
 	for configuredPrefix, effectivePrefix := range testcases {
 		store := newStore(client, codec, nil, configuredPrefix, schema.GroupResource{Resource: "widgets"}, transformer, true, newTestLeaseManagerConfig())
-@@ -2404,7 +2405,7 @@ func TestConsistentList(t *testing.T) {
+@@ -2375,7 +2376,7 @@ func TestConsistentList(t *testing.T) {
 		Predicate: predicate,
 		Recursive: true,
 	}
@ -1002,7 +1002,7 @@ index 6ace3f68bc85c..811036a7cdfb4 100644
 		t.Fatalf("failed to list objects: %v", err)
 	}
 
-@@ -2417,7 +2418,7 @@ func TestConsistentList(t *testing.T) {
+@@ -2388,7 +2389,7 @@ func TestConsistentList(t *testing.T) {
 	}
 
 	result2 := example.PodList{}
@ -1011,7 +1011,7 @@ index 6ace3f68bc85c..811036a7cdfb4 100644
 		t.Fatalf("failed to list objects: %v", err)
 	}
 
-@@ -2427,7 +2428,7 @@ func TestConsistentList(t *testing.T) {
+@@ -2398,7 +2399,7 @@ func TestConsistentList(t *testing.T) {
 	options.ResourceVersionMatch = metav1.ResourceVersionMatchNotOlderThan
 
 	result3 := example.PodList{}
@ -1020,7 +1020,7 @@ index 6ace3f68bc85c..811036a7cdfb4 100644
 		t.Fatalf("failed to list objects: %v", err)
 	}
 
-@@ -2435,7 +2436,7 @@ func TestConsistentList(t *testing.T) {
+@@ -2406,7 +2407,7 @@ func TestConsistentList(t *testing.T) {
 	options.ResourceVersionMatch = metav1.ResourceVersionMatchExact
 
 	result4 := example.PodList{}
@ -1029,7 +1029,7 @@ index 6ace3f68bc85c..811036a7cdfb4 100644
 		t.Fatalf("failed to list objects: %v", err)
 	}
 
-@@ -2496,15 +2497,15 @@ func TestLeaseMaxObjectCount(t *testing.T) {
+@@ -2467,15 +2468,15 @@ func TestLeaseMaxObjectCount(t *testing.T) {
 		expectAttachedCount int64
 	}{
 		{
@ -1048,7 +1048,7 @@ index 6ace3f68bc85c..811036a7cdfb4 100644
 			// We assume each time has 1 object attached to the lease
 			// so after granting a new lease, the recorded count is set to 1
 			expectAttachedCount: 1,
-@@ -2532,3 +2533,81 @@ func expectNoDiff(t *testing.T, msg string, expected, got interface{}) {
+@@ -2503,3 +2504,81 @@ func expectNoDiff(t *testing.T, msg string, expected, got interface{}) {
 		}
 	}
 }
--- a/0009-Add-ephemeralcontainer-to-imagepolicy-securityaccoun.patch
+++ b/0009-Add-ephemeralcontainer-to-imagepolicy-securityaccoun.patch
@ -0,0 +1,554 @@
+From f754a4dee31455a0d7fc0f51cb85348af9ea5e1f Mon Sep 17 00:00:00 2001
+From: Rita Zhang <rita.z.zhang@gmail.com>
+Date: Tue, 30 May 2023 20:35:33 +0000
+Subject: [PATCH] Add ephemeralcontainer to imagepolicy securityaccount
+ admission plugin
+
+Signed-off-by: Rita Zhang <rita.z.zhang@gmail.com>
+---
+ plugin/pkg/admission/imagepolicy/admission.go |  28 ++--
+ .../admission/imagepolicy/admission_test.go   | 148 +++++++++++++++++-
+ .../pkg/admission/serviceaccount/admission.go |  57 ++++++-
+ .../serviceaccount/admission_test.go          |  88 +++++++++++
+ 4 files changed, 297 insertions(+), 24 deletions(-)
+
+diff --git a/plugin/pkg/admission/imagepolicy/admission.go b/plugin/pkg/admission/imagepolicy/admission.go
+index 6fd7f0dfad7..f1f88fef3b0 100644
+--- a/plugin/pkg/admission/imagepolicy/admission.go
+++ b/plugin/pkg/admission/imagepolicy/admission.go
+@@ -46,6 +46,7 @@ import (
+ 
+ // PluginName indicates name of admission plugin.
+ const PluginName = "ImagePolicyWebhook"
+const ephemeralcontainers = "ephemeralcontainers"
+ 
+ // AuditKeyPrefix is used as the prefix for all audit keys handled by this
+ // pluggin. Some well known suffixes are listed below.
+@@ -132,8 +133,9 @@ func (a *Plugin) webhookError(pod *api.Pod, attributes admission.Attributes, err
+ 
+ // Validate makes an admission decision based on the request attributes
+ func (a *Plugin) Validate(ctx context.Context, attributes admission.Attributes, o admission.ObjectInterfaces) (err error) {
+-	// Ignore all calls to subresources or resources other than pods.
+-	if attributes.GetSubresource() != "" || attributes.GetResource().GroupResource() != api.Resource("pods") {
+	// Ignore all calls to subresources other than ephemeralcontainers or calls to resources other than pods.
+	subresource := attributes.GetSubresource()
+	if (subresource != "" && subresource != ephemeralcontainers) || attributes.GetResource().GroupResource() != api.Resource("pods") {
+ 		return nil
+ 	}
+ 
+@@ -144,13 +146,21 @@ func (a *Plugin) Validate(ctx context.Context, attributes admission.Attributes,
+ 
+ 	// Build list of ImageReviewContainerSpec
+ 	var imageReviewContainerSpecs []v1alpha1.ImageReviewContainerSpec
+-	containers := make([]api.Container, 0, len(pod.Spec.Containers)+len(pod.Spec.InitContainers))
+-	containers = append(containers, pod.Spec.Containers...)
+-	containers = append(containers, pod.Spec.InitContainers...)
+-	for _, c := range containers {
+-		imageReviewContainerSpecs = append(imageReviewContainerSpecs, v1alpha1.ImageReviewContainerSpec{
+-			Image: c.Image,
+-		})
+	if subresource == "" {
+		containers := make([]api.Container, 0, len(pod.Spec.Containers)+len(pod.Spec.InitContainers))
+		containers = append(containers, pod.Spec.Containers...)
+		containers = append(containers, pod.Spec.InitContainers...)
+		for _, c := range containers {
+			imageReviewContainerSpecs = append(imageReviewContainerSpecs, v1alpha1.ImageReviewContainerSpec{
+				Image: c.Image,
+			})
+		}
+	} else if subresource == ephemeralcontainers {
+		for _, c := range pod.Spec.EphemeralContainers {
+			imageReviewContainerSpecs = append(imageReviewContainerSpecs, v1alpha1.ImageReviewContainerSpec{
+				Image: c.Image,
+			})
+		}
+ 	}
+ 	imageReview := v1alpha1.ImageReview{
+ 		Spec: v1alpha1.ImageReviewSpec{
+diff --git a/plugin/pkg/admission/imagepolicy/admission_test.go b/plugin/pkg/admission/imagepolicy/admission_test.go
+index d1f81d51950..a9188462fb9 100644
+--- a/plugin/pkg/admission/imagepolicy/admission_test.go
+++ b/plugin/pkg/admission/imagepolicy/admission_test.go
+@@ -37,7 +37,6 @@ import (
+ 	api "k8s.io/kubernetes/pkg/apis/core"
+ 
+ 	"fmt"
+-	"io/ioutil"
+ 	"os"
+ 	"path/filepath"
+ 	"text/template"
+@@ -67,7 +66,7 @@ imagePolicy:
+ `
+ 
+ func TestNewFromConfig(t *testing.T) {
+-	dir, err := ioutil.TempDir("", "")
+	dir, err := os.MkdirTemp("", "")
+ 	if err != nil {
+ 		t.Fatal(err)
+ 	}
+@@ -92,7 +91,7 @@ func TestNewFromConfig(t *testing.T) {
+ 		{data.Key, clientKey},
+ 	}
+ 	for _, file := range files {
+-		if err := ioutil.WriteFile(file.name, file.data, 0400); err != nil {
+		if err := os.WriteFile(file.name, file.data, 0400); err != nil {
+ 			t.Fatal(err)
+ 		}
+ 	}
+@@ -196,7 +195,7 @@ current-context: default
+ 		// Use a closure so defer statements trigger between loop iterations.
+ 		t.Run(tt.msg, func(t *testing.T) {
+ 			err := func() error {
+-				tempfile, err := ioutil.TempFile("", "")
+				tempfile, err := os.CreateTemp("", "")
+ 				if err != nil {
+ 					return err
+ 				}
+@@ -211,7 +210,7 @@ current-context: default
+ 					return fmt.Errorf("failed to execute test template: %v", err)
+ 				}
+ 
+-				tempconfigfile, err := ioutil.TempFile("", "")
+				tempconfigfile, err := os.CreateTemp("", "")
+ 				if err != nil {
+ 					return err
+ 				}
+@@ -359,7 +358,7 @@ func (m *mockService) HTTPStatusCode() int { return m.statusCode }
+ // newImagePolicyWebhook creates a temporary kubeconfig file from the provided arguments and attempts to load
+ // a new newImagePolicyWebhook from it.
+ func newImagePolicyWebhook(callbackURL string, clientCert, clientKey, ca []byte, cacheTime time.Duration, defaultAllow bool) (*Plugin, error) {
+-	tempfile, err := ioutil.TempFile("", "")
+	tempfile, err := os.CreateTemp("", "")
+ 	if err != nil {
+ 		return nil, err
+ 	}
+@@ -381,7 +380,7 @@ func newImagePolicyWebhook(callbackURL string, clientCert, clientKey, ca []byte,
+ 		return nil, err
+ 	}
+ 
+-	tempconfigfile, err := ioutil.TempFile("", "")
+	tempconfigfile, err := os.CreateTemp("", "")
+ 	if err != nil {
+ 		return nil, err
+ 	}
+@@ -595,17 +594,23 @@ func TestContainerCombinations(t *testing.T) {
+ 		test                 string
+ 		pod                  *api.Pod
+ 		wantAllowed, wantErr bool
+		subresource          string
+		operation            admission.Operation
+ 	}{
+ 		{
+ 			test:        "Single container allowed",
+ 			pod:         goodPod("good"),
+ 			wantAllowed: true,
+			subresource: "",
+			operation:   admission.Create,
+ 		},
+ 		{
+ 			test:        "Single container denied",
+ 			pod:         goodPod("bad"),
+ 			wantAllowed: false,
+ 			wantErr:     true,
+			subresource: "",
+			operation:   admission.Create,
+ 		},
+ 		{
+ 			test: "One good container, one bad",
+@@ -627,6 +632,8 @@ func TestContainerCombinations(t *testing.T) {
+ 			},
+ 			wantAllowed: false,
+ 			wantErr:     true,
+			subresource: "",
+			operation:   admission.Create,
+ 		},
+ 		{
+ 			test: "Multiple good containers",
+@@ -648,6 +655,8 @@ func TestContainerCombinations(t *testing.T) {
+ 			},
+ 			wantAllowed: true,
+ 			wantErr:     false,
+			subresource: "",
+			operation:   admission.Create,
+ 		},
+ 		{
+ 			test: "Multiple bad containers",
+@@ -669,6 +678,8 @@ func TestContainerCombinations(t *testing.T) {
+ 			},
+ 			wantAllowed: false,
+ 			wantErr:     true,
+			subresource: "",
+			operation:   admission.Create,
+ 		},
+ 		{
+ 			test: "Good container, bad init container",
+@@ -692,6 +703,8 @@ func TestContainerCombinations(t *testing.T) {
+ 			},
+ 			wantAllowed: false,
+ 			wantErr:     true,
+			subresource: "",
+			operation:   admission.Create,
+ 		},
+ 		{
+ 			test: "Bad container, good init container",
+@@ -715,6 +728,8 @@ func TestContainerCombinations(t *testing.T) {
+ 			},
+ 			wantAllowed: false,
+ 			wantErr:     true,
+			subresource: "",
+			operation:   admission.Create,
+ 		},
+ 		{
+ 			test: "Good container, good init container",
+@@ -738,6 +753,123 @@ func TestContainerCombinations(t *testing.T) {
+ 			},
+ 			wantAllowed: true,
+ 			wantErr:     false,
+			subresource: "",
+			operation:   admission.Create,
+		},
+		{
+			test: "Good container, good init container, bad ephemeral container when updating ephemeralcontainers subresource",
+			pod: &api.Pod{
+				Spec: api.PodSpec{
+					ServiceAccountName: "default",
+					SecurityContext:    &api.PodSecurityContext{},
+					Containers: []api.Container{
+						{
+							Image:           "good",
+							SecurityContext: &api.SecurityContext{},
+						},
+					},
+					InitContainers: []api.Container{
+						{
+							Image:           "good",
+							SecurityContext: &api.SecurityContext{},
+						},
+					},
+					EphemeralContainers: []api.EphemeralContainer{
+						{
+							EphemeralContainerCommon: api.EphemeralContainerCommon{
+								Image:           "bad",
+								SecurityContext: &api.SecurityContext{},
+							},
+						},
+					},
+				},
+			},
+			wantAllowed: false,
+			wantErr:     true,
+			subresource: "ephemeralcontainers",
+			operation:   admission.Update,
+		},
+		{
+			test: "Good container, good init container, bad ephemeral container when updating subresource=='' which sets initContainer and container only",
+			pod: &api.Pod{
+				Spec: api.PodSpec{
+					ServiceAccountName: "default",
+					SecurityContext:    &api.PodSecurityContext{},
+					Containers: []api.Container{
+						{
+							Image:           "good",
+							SecurityContext: &api.SecurityContext{},
+						},
+					},
+					InitContainers: []api.Container{
+						{
+							Image:           "good",
+							SecurityContext: &api.SecurityContext{},
+						},
+					},
+					EphemeralContainers: []api.EphemeralContainer{
+						{
+							EphemeralContainerCommon: api.EphemeralContainerCommon{
+								Image:           "bad",
+								SecurityContext: &api.SecurityContext{},
+							},
+						},
+					},
+				},
+			},
+			wantAllowed: true,
+			wantErr:     false,
+			subresource: "",
+			operation:   admission.Update,
+		},
+
+		{
+			test: "Bad container, good ephemeral container when updating subresource=='ephemeralcontainers' which sets ephemeralcontainers only",
+			pod: &api.Pod{
+				Spec: api.PodSpec{
+					ServiceAccountName: "default",
+					SecurityContext:    &api.PodSecurityContext{},
+					Containers: []api.Container{
+						{
+							Image:           "bad",
+							SecurityContext: &api.SecurityContext{},
+						},
+					},
+					EphemeralContainers: []api.EphemeralContainer{
+						{
+							EphemeralContainerCommon: api.EphemeralContainerCommon{
+								Image:           "good",
+								SecurityContext: &api.SecurityContext{},
+							},
+						},
+					},
+				},
+			},
+			wantAllowed: true,
+			wantErr:     false,
+			subresource: "ephemeralcontainers",
+			operation:   admission.Update,
+		},
+		{
+			test: "Good ephemeral container",
+			pod: &api.Pod{
+				Spec: api.PodSpec{
+					ServiceAccountName: "default",
+					SecurityContext:    &api.PodSecurityContext{},
+					EphemeralContainers: []api.EphemeralContainer{
+						{
+							EphemeralContainerCommon: api.EphemeralContainerCommon{
+								Image:           "good",
+								SecurityContext: &api.SecurityContext{},
+							},
+						},
+					},
+				},
+			},
+			wantAllowed: true,
+			wantErr:     false,
+			subresource: "ephemeralcontainers",
+			operation:   admission.Update,
+ 		},
+ 	}
+ 	for _, tt := range tests {
+@@ -759,7 +891,7 @@ func TestContainerCombinations(t *testing.T) {
+ 				return
+ 			}
+ 
+-			attr := admission.NewAttributesRecord(tt.pod, nil, api.Kind("Pod").WithVersion("version"), "namespace", "", api.Resource("pods").WithVersion("version"), "", admission.Create, &metav1.CreateOptions{}, false, &user.DefaultInfo{})
+			attr := admission.NewAttributesRecord(tt.pod, nil, api.Kind("Pod").WithVersion("version"), "namespace", "", api.Resource("pods").WithVersion("version"), tt.subresource, tt.operation, &metav1.CreateOptions{}, false, &user.DefaultInfo{})
+ 
+ 			err = wh.Validate(context.TODO(), attr, nil)
+ 			if tt.wantAllowed {
+diff --git a/plugin/pkg/admission/serviceaccount/admission.go b/plugin/pkg/admission/serviceaccount/admission.go
+index 035d54ea8ea..f6e25f3c19d 100644
+--- a/plugin/pkg/admission/serviceaccount/admission.go
+++ b/plugin/pkg/admission/serviceaccount/admission.go
+@@ -100,7 +100,7 @@ var _ = genericadmissioninitializer.WantsExternalKubeInformerFactory(&Plugin{})
+ // 5. If MountServiceAccountToken is true, it adds a VolumeMount with the pod's ServiceAccount's api token secret to containers
+ func NewServiceAccount() *Plugin {
+ 	return &Plugin{
+-		Handler: admission.NewHandler(admission.Create),
+		Handler: admission.NewHandler(admission.Create, admission.Update),
+ 		// TODO: enable this once we've swept secret usage to account for adding secret references to service accounts
+ 		LimitSecretReferences: false,
+ 		// Auto mount service account API token secrets
+@@ -140,7 +140,10 @@ func (s *Plugin) Admit(ctx context.Context, a admission.Attributes, o admission.
+ 	if shouldIgnore(a) {
+ 		return nil
+ 	}
+-
+	if a.GetOperation() != admission.Create {
+		// we only mutate pods during create requests
+		return nil
+	}
+ 	pod := a.GetObject().(*api.Pod)
+ 
+ 	// Don't modify the spec of mirror pods.
+@@ -157,7 +160,7 @@ func (s *Plugin) Admit(ctx context.Context, a admission.Attributes, o admission.
+ 
+ 	serviceAccount, err := s.getServiceAccount(a.GetNamespace(), pod.Spec.ServiceAccountName)
+ 	if err != nil {
+-		return admission.NewForbidden(a, fmt.Errorf("error looking up service account %s/%s: %v", a.GetNamespace(), pod.Spec.ServiceAccountName, err))
+		return admission.NewForbidden(a, fmt.Errorf("error looking up service account %s/%s: %w", a.GetNamespace(), pod.Spec.ServiceAccountName, err))
+ 	}
+ 	if s.MountServiceAccountToken && shouldAutomount(serviceAccount, pod) {
+ 		s.mountServiceAccountToken(serviceAccount, pod)
+@@ -180,6 +183,15 @@ func (s *Plugin) Validate(ctx context.Context, a admission.Attributes, o admissi
+ 
+ 	pod := a.GetObject().(*api.Pod)
+ 
+	if a.GetOperation() == admission.Update && a.GetSubresource() == "ephemeralcontainers" {
+		return s.limitEphemeralContainerSecretReferences(pod, a)
+	}
+
+	if a.GetOperation() != admission.Create {
+		// we only validate pod specs during create requests
+		return nil
+	}
+
+ 	// Mirror pods have restrictions on what they can reference
+ 	if _, isMirrorPod := pod.Annotations[api.MirrorPodAnnotationKey]; isMirrorPod {
+ 		if len(pod.Spec.ServiceAccountName) != 0 {
+@@ -205,6 +217,10 @@ func (s *Plugin) Validate(ctx context.Context, a admission.Attributes, o admissi
+ 		return nil
+ 	}
+ 
+	// Require container pods to have service accounts
+	if len(pod.Spec.ServiceAccountName) == 0 {
+		return admission.NewForbidden(a, fmt.Errorf("no service account specified for pod %s/%s", a.GetNamespace(), pod.Name))
+	}
+ 	// Ensure the referenced service account exists
+ 	serviceAccount, err := s.getServiceAccount(a.GetNamespace(), pod.Spec.ServiceAccountName)
+ 	if err != nil {
+@@ -221,10 +237,7 @@ func (s *Plugin) Validate(ctx context.Context, a admission.Attributes, o admissi
+ }
+ 
+ func shouldIgnore(a admission.Attributes) bool {
+-	if a.GetResource().GroupResource() != api.Resource("pods") {
+-		return true
+-	}
+-	if a.GetSubresource() != "" {
+	if a.GetResource().GroupResource() != api.Resource("pods") || (a.GetSubresource() != "" && a.GetSubresource() != "ephemeralcontainers") {
+ 		return true
+ 	}
+ 	obj := a.GetObject()
+@@ -350,6 +363,36 @@ func (s *Plugin) limitSecretReferences(serviceAccount *corev1.ServiceAccount, po
+ 	return nil
+ }
+ 
+func (s *Plugin) limitEphemeralContainerSecretReferences(pod *api.Pod, a admission.Attributes) error {
+	// Require ephemeral container pods to have service accounts
+	if len(pod.Spec.ServiceAccountName) == 0 {
+		return admission.NewForbidden(a, fmt.Errorf("no service account specified for pod %s/%s", a.GetNamespace(), pod.Name))
+	}
+	// Ensure the referenced service account exists
+	serviceAccount, err := s.getServiceAccount(a.GetNamespace(), pod.Spec.ServiceAccountName)
+	if err != nil {
+		return admission.NewForbidden(a, fmt.Errorf("error looking up service account %s/%s: %w", a.GetNamespace(), pod.Spec.ServiceAccountName, err))
+	}
+	if !s.enforceMountableSecrets(serviceAccount) {
+		return nil
+	}
+	// Ensure all secrets the ephemeral containers reference are allowed by the service account
+	mountableSecrets := sets.NewString()
+	for _, s := range serviceAccount.Secrets {
+		mountableSecrets.Insert(s.Name)
+	}
+	for _, container := range pod.Spec.EphemeralContainers {
+		for _, env := range container.Env {
+			if env.ValueFrom != nil && env.ValueFrom.SecretKeyRef != nil {
+				if !mountableSecrets.Has(env.ValueFrom.SecretKeyRef.Name) {
+					return fmt.Errorf("ephemeral container %s with envVar %s referencing secret.secretName=\"%s\" is not allowed because service account %s does not reference that secret", container.Name, env.Name, env.ValueFrom.SecretKeyRef.Name, serviceAccount.Name)
+				}
+			}
+		}
+	}
+	return nil
+}
+
+ func (s *Plugin) mountServiceAccountToken(serviceAccount *corev1.ServiceAccount, pod *api.Pod) {
+ 	// Find the volume and volume name for the ServiceAccountTokenSecret if it already exists
+ 	tokenVolumeName := ""
+diff --git a/plugin/pkg/admission/serviceaccount/admission_test.go b/plugin/pkg/admission/serviceaccount/admission_test.go
+index ca43abf9c3f..f5359253985 100644
+--- a/plugin/pkg/admission/serviceaccount/admission_test.go
+++ b/plugin/pkg/admission/serviceaccount/admission_test.go
+@@ -545,6 +545,34 @@ func TestAllowsReferencedSecret(t *testing.T) {
+ 	if err := admissiontesting.WithReinvocationTesting(t, admit).Admit(context.TODO(), attrs, nil); err != nil {
+ 		t.Errorf("Unexpected error: %v", err)
+ 	}
+
+	pod2 = &api.Pod{
+		Spec: api.PodSpec{
+			ServiceAccountName: DefaultServiceAccountName,
+			EphemeralContainers: []api.EphemeralContainer{
+				{
+					EphemeralContainerCommon: api.EphemeralContainerCommon{
+						Name: "container-2",
+						Env: []api.EnvVar{
+							{
+								Name: "env-1",
+								ValueFrom: &api.EnvVarSource{
+									SecretKeyRef: &api.SecretKeySelector{
+										LocalObjectReference: api.LocalObjectReference{Name: "foo"},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+	// validate enforces restrictions on secret mounts when operation==create and subresource=='' or operation==update and subresource==ephemeralcontainers"
+	attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "ephemeralcontainers", admission.Update, &metav1.UpdateOptions{}, false, nil)
+	if err := admit.Validate(context.TODO(), attrs, nil); err != nil {
+		t.Errorf("Unexpected error: %v", err)
+	}
+ }
+ 
+ func TestRejectsUnreferencedSecretVolumes(t *testing.T) {
+@@ -622,6 +650,66 @@ func TestRejectsUnreferencedSecretVolumes(t *testing.T) {
+ 	if err := admissiontesting.WithReinvocationTesting(t, admit).Admit(context.TODO(), attrs, nil); err == nil || !strings.Contains(err.Error(), "with envVar") {
+ 		t.Errorf("Unexpected error: %v", err)
+ 	}
+
+	pod2 = &api.Pod{
+		Spec: api.PodSpec{
+			ServiceAccountName: DefaultServiceAccountName,
+			InitContainers: []api.Container{
+				{
+					Name: "container-1",
+					Env: []api.EnvVar{
+						{
+							Name: "env-1",
+							ValueFrom: &api.EnvVarSource{
+								SecretKeyRef: &api.SecretKeySelector{
+									LocalObjectReference: api.LocalObjectReference{Name: "foo"},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+	attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "", admission.Update, &metav1.UpdateOptions{}, false, nil)
+	if err := admissiontesting.WithReinvocationTesting(t, admit).Admit(context.TODO(), attrs, nil); err != nil {
+		t.Errorf("admit only enforces restrictions on secret mounts when operation==create. Unexpected error: %v", err)
+	}
+	attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "", admission.Create, &metav1.CreateOptions{}, false, nil)
+	if err := admit.Validate(context.TODO(), attrs, nil); err == nil || !strings.Contains(err.Error(), "with envVar") {
+		t.Errorf("validate only enforces restrictions on secret mounts when operation==create and subresource==''. Unexpected error: %v", err)
+	}
+
+	pod2 = &api.Pod{
+		Spec: api.PodSpec{
+			ServiceAccountName: DefaultServiceAccountName,
+			EphemeralContainers: []api.EphemeralContainer{
+				{
+					EphemeralContainerCommon: api.EphemeralContainerCommon{
+						Name: "container-2",
+						Env: []api.EnvVar{
+							{
+								Name: "env-1",
+								ValueFrom: &api.EnvVarSource{
+									SecretKeyRef: &api.SecretKeySelector{
+										LocalObjectReference: api.LocalObjectReference{Name: "foo"},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+	attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "", admission.Update, &metav1.UpdateOptions{}, false, nil)
+	if err := admissiontesting.WithReinvocationTesting(t, admit).Admit(context.TODO(), attrs, nil); err != nil {
+		t.Errorf("admit only enforces restrictions on secret mounts when operation==create and subresource==''. Unexpected error: %v", err)
+	}
+	attrs = admission.NewAttributesRecord(pod2, nil, api.Kind("Pod").WithVersion("version"), ns, "myname", api.Resource("pods").WithVersion("version"), "ephemeralcontainers", admission.Update, &metav1.UpdateOptions{}, false, nil)
+	if err := admit.Validate(context.TODO(), attrs, nil); err == nil || !strings.Contains(err.Error(), "with envVar") {
+		t.Errorf("validate enforces restrictions on secret mounts when operation==update and subresource==ephemeralcontainers. Unexpected error: %v", err)
+	}
+ }
+ 
+ func TestAllowUnreferencedSecretVolumesForPermissiveSAs(t *testing.T) {
+-- 
+2.25.1
+
--- a/kubernetes.spec
+++ b/kubernetes.spec
@ -3,7 +3,7 @@

 Name:         kubernetes
 Version:      1.24.0
-Release:      4
+Release:      5
 Summary:      Container cluster management
 License:      ASL 2.0
 URL:          https://k8s.io/kubernetes
@ -32,6 +32,7 @@ Patch0005: 0005-Escape-terminal-special-characters-in-kubectl-112553.patch
 Patch0006: 0006-Return-error-for-localhost-seccomp-type-with-no-loca.patch
 Patch0007: 0007-Validate-etcd-paths.patch
 Patch0008: 0008-fix-node-address-validation.patch
+Patch0009: 0009-Add-ephemeralcontainer-to-imagepolicy-securityaccoun.patch

 %description
 Container cluster management.
@ -263,6 +264,12 @@ getent passwd kube >/dev/null || useradd -r -g kube -d / -s /sbin/nologin \
 %systemd_postun kubelet kube-proxy

 %changelog
+* Tue Jul 04 2023 zhangxiaoyu <zhangxiaoyu58@huawei.com> - 1.24.0-5
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:fix CVE-2023-2727 and CVE-2023-2728
+
 * Tue Jul 04 2023 zhangxiaoyu <zhangxiaoyu58@huawei.com> - 1.24.0-4
 - Type:bugfix
 - CVE:NA