Security Policy Violation: ClusterRole shouldnt use * wildcards in apiGroups, resources, or verbs

[epasham]

In what area(s)?

/area monitoring

Other classifications:
/kind good-first-issue

Describe the feature

knative clusterrole namespaced YAML use * wildcards in apiGroups, resources, or verbs. Wildcards violate least-privilege and grant unintended broad access

Link to the YAMLs ->
https://github.com/knative/serving/blob/main/config/core/200-roles/clusterrole-namespaced.yaml

[knative-prow]

@epasham: The label(s) area/security, area/violation cannot be applied, because the repository doesn't have them.

Details

In response to this:

In what area(s)?

/area security violation

Other classifications:
/kind good-first-issue

Describe the feature

knative clusterrole namespaced YAML use * wildcards in apiGroups, resources, or verbs. Wildcards violate least-privilege and grant unintended broad access

Link to the YAMLs ->
https://github.com/knative/serving/blob/main/config/core/200-roles/clusterrole-namespaced.yaml

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[epasham]

wildcards are replaced with actual resources and verbs in the namespaced cluster role. It is needed to avoid the security violations reported from the policy engine

[epasham]

requesting community member to review the changes at the bellow link and let me know if i can raise a PR

https://github.com/epasham/serving/blob/main/config/core/200-roles/clusterrole-namespaced.yaml

[epasham]

@epasham: The label(s) area/security, area/violation cannot be applied, because the repository doesn't have them.

Details
In response to this:

In what area(s)?

/area security violation
Other classifications:
/kind good-first-issue

Describe the feature

knative clusterrole namespaced YAML use * wildcards in apiGroups, resources, or verbs. Wildcards violate least-privilege and grant unintended broad access
Link to the YAMLs ->
https://github.com/knative/serving/blob/main/config/core/200-roles/clusterrole-namespaced.yaml

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

adjusted the problem area under monitoring. please review

[dprotaso]

It is needed to avoid the security violations reported from the policy engine

What policy engine? I generally don't think it's extreme for our Knative Serving Cluster Role to have wildcards for the Knative Serving resources

[dprotaso]

Closing as dupe of #16599 (comment)