Controller RBAC is too permissive #82
Comments
|
@erikgb |
|
Thanks @ymmt2005! Will you create a PR to fix this? Or can I just create one - suggesting just to remove the permissive RBAC? Or will that require other additional changes? |
|
This permission was added in #20 to allow the accurate controller to check |
|
So, the problem was we got an error from the accurate controller when As the parent can be anything, we allowed the accurate controller to The relevant feature is this. We thought it'd be pretty difficult for normal users to identify the error |
Does this make sense? How can a cluster-scoped resource be a parent of a namespace-scoped resource? BTW the example in the docs of this feature is obsolete, as cert-manager now supports secret templates. 😉 https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSecretTemplate |
|
I was wrong. The resource was CephCluster from Rook, which is namespace-scoped. The problem was, although we granted |
I think it should be the user's responsibility to configure RBAC. Even granting (namespace) admin cluster-wide RBAC is questionable IMO. |
|
yes, we can put these as a default/recommended setting in Helm values.yaml. |
I suppose you are addressing the cluster-wide admin permission now? Read access to ALL resources is not a good default IMO. |
Agreed. |
Fix #82. With this change, we stop granting the below permission to the accurate controller. ```yaml - apiGroups: - '*' resources: - '*' verbs: - get - list - watch ``` Also, we make the ClusterRole admin optional. The Helm chart now takes optional ClusterRoles to be granted.
Fix #82. With this change, we stop granting the below permission to the accurate controller. ```yaml - apiGroups: - '*' resources: - '*' verbs: - get - list - watch ``` Also, we make the ClusterRole admin optional. The Helm chart now takes optional ClusterRoles to be granted.
Fix #82. With this change, we stop granting the below permission to the accurate controller. ```yaml - apiGroups: - '*' resources: - '*' verbs: - get - list - watch ``` Also, we make the ClusterRole admin optional. The Helm chart now takes optional ClusterRoles to be granted.
Fix #82. With this change, we stop granting the below permission to the accurate controller. ```yaml - apiGroups: - '*' resources: - '*' verbs: - get - list - watch ``` Also, we make the ClusterRole admin optional. The Helm chart now takes optional ClusterRoles to be granted.
Fix #82. With this change, we stop granting the below permission to the accurate controller. ```yaml - apiGroups: - '*' resources: - '*' verbs: - get - list - watch ``` Also, we make the ClusterRole admin optional. The Helm chart now takes optional ClusterRoles to be granted.
Fix #82. With this change, we stop granting the below permission to the accurate controller. ```yaml - apiGroups: - '*' resources: - '*' verbs: - get - list - watch ``` Also, we make the ClusterRole admin optional. The Helm chart now takes optional ClusterRoles to be granted.
Fix #82. With this change, we stop granting the below permission to the accurate controller. ```yaml - apiGroups: - '*' resources: - '*' verbs: - get - list - watch ``` Also, we make the ClusterRole admin optional. The Helm chart now takes optional ClusterRoles to be granted.
Describe the bug
The cluster role bound to the controller is too permissive by default, and I think this is a bug: https://github.com/cybozu-go/accurate/blob/main/charts/accurate/templates/generated/generated.yaml#L77-L84
If this permissive RBAC is required for the controller to operate, I think why should be documented.
We are evaluating this project as an alternative to HNC and might file a few issues/PRs for minor fixes. I hope there is a maintainer team with some bandwidth and interest in "external" contributions. 😄
The text was updated successfully, but these errors were encountered: