
Query about minimum permission required by -server-resources cluster role #622

Open
ytizhang opened this issue Nov 14, 2023 · 2 comments
Labels
kind/support Categorizes issue or PR as a support question. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@ytizhang

While doing a security review of our clusters, we found a wildcard permission used in a prometheus-adapter cluster role. This violates the principle of least privilege. The ask is to provide the minimum permissions needed by this cluster role (list the specific verbs and resources instead of using a wildcard). For now, we can probably try to override it on our side once we have this info. But it'd be good to have this change in future releases so we always have the updated permissions.

Chart version: 3.4.2
App version: v0.10.0
The cluster role with wildcard permission (extracted from the helm chart):

```yaml
{{- if and .Values.rbac.create (or .Values.rules.default .Values.rules.custom) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  {{- if .Values.customAnnotations }}
  annotations:
  {{- toYaml .Values.customAnnotations | nindent 4 }}
  {{- end }}
  labels:
    {{- include "k8s-prometheus-adapter.labels" . | indent 4 }}
  name: {{ template "k8s-prometheus-adapter.name" . }}-server-resources
rules:
- apiGroups:
  - custom.metrics.k8s.io
  resources: ["*"]
  verbs: ["*"]
{{- end -}}
```
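To catch rules like this across a whole cluster rather than by reading chart templates, here is an added example (not from the issue or the prometheus-adapter project) that audits a ClusterRole object, in the shape `kubectl get clusterrole <name> -o json` returns, for wildcard grants; the sample object is a constructed rendering of the template above, with a second already-scoped rule added for contrast.

```python
"""Audit a Kubernetes ClusterRole for wildcard RBAC grants.

Added example; not part of the prometheus-adapter chart or this issue.
Input is a ClusterRole object as returned by `kubectl get clusterrole -o json`.
"""
import json

# Constructed sample: the -server-resources ClusterRole rendered with the
# chart's defaults, plus a hypothetical second rule that is already scoped.
SAMPLE_CLUSTERROLE = json.loads("""
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRole",
  "metadata": {"name": "prometheus-adapter-server-resources"},
  "rules": [
    {"apiGroups": ["custom.metrics.k8s.io"], "resources": ["*"], "verbs": ["*"]},
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}
  ]
}
""")

# A "*" in any of these fields expands to every group, resource or verb the
# API server knows, including verbs the role author may never have intended.
WILDCARD_FIELDS = ("apiGroups", "resources", "verbs")


def find_wildcard_rules(clusterrole: dict) -> list[dict]:
    """Return one finding per rule that uses '*' in any RBAC field."""
    findings = []
    for index, rule in enumerate(clusterrole.get("rules", [])):
        wild = [f for f in WILDCARD_FIELDS if "*" in rule.get(f, [])]
        if wild:
            findings.append({
                "role": clusterrole["metadata"]["name"],
                "rule_index": index,
                "wildcard_fields": wild,
                "apiGroups": rule.get("apiGroups", []),
            })
    return findings


if __name__ == "__main__":
    # Flags rule 0 (resources and verbs are wildcards); rule 1 is clean.
    for finding in find_wildcard_rules(SAMPLE_CLUSTERROLE):
        print(json.dumps(finding))
```

Feeding it the output of `kubectl get clusterroles -o json` (iterating over `items`) gives the same check for every role in the cluster.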
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Nov 14, 2023
@dgrisonnet
Member

/triage accepted
/kind support
/assign

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. kind/support Categorizes issue or PR as a support question. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Nov 16, 2023
@ytizhang
Author

Hi @dgrisonnet, are there any updates on this? Thanks
