You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In addition to requesting access to resources at the time those requests are made (e.g., "I'm going to create a Pod; can I?"), the K8s API server also supports SubjectAccessReviews, wherein you can ask the API server, "if I wanted to create a Pod, could I?".
A particular case where collecting SARs would be useful is if the OwnerReferencesPermissionEnforcement admission controller is enabled -- which it is in nearly every real-world k8s installation. This admission controller checks that when an object is created with an OwnerReference, the user creating the owned object has delete access to the owned object. It also checks that when the blockOwnerDeletion field is set to true, that the user has update access to the owner object's finalizers subresource. The admission controller determines this access using a SAR.
Policies generated by rbac-audit don't currently take SARs into account, so the necessary delete permission and possibly-necessary update-owner permission aren't added. This led to shipwright-io/build#806, fixed with a manual edit to the RBAC policy.
The text was updated successfully, but these errors were encountered:
WIP branch: https://github.com/imjasonh/rbac-audit/compare/subject-access-reviews
In addition to requesting access to resources at the time those requests are made (e.g., "I'm going to create a Pod; can I?"), the K8s API server also supports
SubjectAccessReviews, wherein you can ask the API server, "if I wanted to create a Pod, could I?".A particular case where collecting SARs would be useful is if the
OwnerReferencesPermissionEnforcementadmission controller is enabled -- which it is in nearly every real-world k8s installation. This admission controller checks that when an object is created with anOwnerReference, the user creating the owned object hasdeleteaccess to the owned object. It also checks that when theblockOwnerDeletionfield is set totrue, that the user hasupdateaccess to the owner object'sfinalizerssubresource. The admission controller determines this access using a SAR.Policies generated by rbac-audit don't currently take SARs into account, so the necessary
deletepermission and possibly-necessaryupdate-owner permission aren't added. This led to shipwright-io/build#806, fixed with a manual edit to the RBAC policy.The text was updated successfully, but these errors were encountered: