Metadata handling / Server-managed fields sanitation during create-via-update and create-via-apply

MEDIUM
kubernetes/kubernetes
Commit: 6fda3b804683
Affected: v1.36.0-beta.0 and earlier (1.36.x prior to this commit)
2026-05-26 19:31 UTC

Description

The commit adds a wipe of object system fields on create-via-update and create-via-apply paths by calling rest.WipeObjectMetaSystemFields(objectMeta) during the Update flow. This hardens input handling by ensuring clients cannot set or contend with server-managed metadata (e.g., managedFields, creationTimestamp, resourceVersion) when performing certain update/patch pathways, aligning behavior with create requests. The change reduces the risk that client-supplied system fields could escape server sanitation and cause inconsistencies or race conditions. This is a defensive security hardening focused on metadata handling during specific update/patch flows; it is not a broad vulnerability in isolation but mitigates a class of metadata-tampering issues.

Commit Details

Author: Joe Betz

Date: 2026-05-08 17:36 UTC

Message:

Enable field wiping on create-via-update and create-via-patch requests

Triage Assessment

Vulnerability Type: Input Validation / Metadata handling

Confidence: MEDIUM

Reasoning:

The change explicitly wipes Kubernetes object system fields on create-via-update and create-via-patch requests to prevent clients from setting or contending with server-controlled fields. This strengthens input handling and prevents potential exploitation via manipulation of metadata (e.g., system fields) during certain update paths, a common security-hardening pattern.

Verification Assessment

Vulnerability Type: Metadata handling / Server-managed fields sanitation during create-via-update and create-via-apply

Confidence: MEDIUM

Affected Versions: v1.36.0-beta.0 and earlier (1.36.x prior to this commit)

Code Diff

diff --git a/staging/src/k8s.io/apiserver/pkg/registry/generic/registry/store.go b/staging/src/k8s.io/apiserver/pkg/registry/generic/registry/store.go index 587a43dc292db..97247e568af71 100644 --- a/staging/src/k8s.io/apiserver/pkg/registry/generic/registry/store.go +++ b/staging/src/k8s.io/apiserver/pkg/registry/generic/registry/store.go @@ -678,6 +678,10 @@ func (e *Store) Update(ctx context.Context, name string, objInfo rest.UpdatedObj if objectMeta, err := meta.Accessor(obj); err != nil { return nil, nil, err } else { + // Wipe metadata on create-via-update and create-via-apply + // requests to match create behavior. Note that this happens + // AFTER preconditions are checked. + rest.WipeObjectMetaSystemFields(objectMeta) rest.FillObjectMetaSystemFields(objectMeta) }
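Review bot: the new comment states that the wipe happens AFTER preconditions are checked, but the precondition check is not within this hunk's context, so the ordering guarantee is only implied; it would be worth a short test in the same package asserting that a create-via-update request carrying client-supplied resourceVersion, managedFields or creationTimestamp is either rejected by the precondition check or stored with those fields cleared, so that a later reordering of the `meta.Accessor` block does not silently drop the wipe. It also helps to note in the comment that `rest.WipeObjectMetaSystemFields` must run before `rest.FillObjectMetaSystemFields`, since the fill is what repopulates the server-managed values the wipe just cleared.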