
ScaleIO - credentials could be accessed by non-admin users #53619

Closed
vladimirvivien opened this issue Oct 9, 2017 · 1 comment · Fixed by #54013
Labels
kind/bug Categorizes issue or PR as related to a bug. sig/storage Categorizes an issue or PR as relevant to SIG Storage.

Comments

vladimirvivien commented Oct 9, 2017

Is this a BUG REPORT or FEATURE REQUEST?:
/kind bug

What happened:
When managing or using volumes with a ScaleIO StorageClass, it is required that the secret object be created in every namespace where the StorageClass will be consumed. This allows authorized non-admin k8s users, who are authorized to see secrets in their namespaces, to also have unauthorized access to ScaleIO admin credentials.

What you expected to happen:
I expected RBAC to provide a safe way of restricting access to individual secrets. This does not seem to be the case. There is a need to decouple the ScaleIO admin secret from the user namespaces that consume ScaleIO volumes via PV/PVC/StorageClass.

How to reproduce it (as minimally and precisely as possible):

  • Create a secret object with ScaleIO credentials (a ScaleIO service account)
  • Create a k8s user account responsible for creating SIO volume
  • User decides to use a StorageClass that uses the ScaleIO provisioner
  • Being that the secret needs to be in the same namespace where the PVCs reside, the user will have access to the ScaleIO secret, which leaks ScaleIO credentials.
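As an added example (not the Kubernetes project's or the reporter's code), the following offline check is the kind of audit a cluster operator could run over exported Role/RoleBinding objects to see which subjects can read the per-namespace ScaleIO secret described above; the role, binding, namespace and secret names are constructed, and ClusterRoles, ClusterRoleBindings and role aggregation are not modelled.

```python
# Added example, not the Kubernetes project's or the reporter's code: an offline
# audit of namespaced Roles/RoleBindings answering "who can read the ScaleIO admin
# secret in each namespace that consumes the StorageClass?" ClusterRoles,
# ClusterRoleBindings and role aggregation are deliberately left out.

READ_VERBS = {"get", "list", "watch"}

def rule_grants_secret_read(rule, secret_name):
    """True if one PolicyRule lets its holder read `secret_name`. resourceNames
    limits `get` to the named objects; a rule without resourceNames that grants
    `list` exposes every secret in the namespace, the admin secret included."""
    if not ({"", "*"} & set(rule.get("apiGroups", []))):
        return False
    if not ({"secrets", "*"} & set(rule.get("resources", []))):
        return False
    verbs = set(rule.get("verbs", []))
    names = rule.get("resourceNames")
    if names:  # name-scoped rule: only `get` of that exact secret
        return secret_name in names and bool({"get", "*"} & verbs)
    return bool((READ_VERBS | {"*"}) & verbs)

def who_can_read_secret(roles, bindings, namespace, secret_name):
    """Subjects ('Kind/name') able to read `secret_name` in `namespace`."""
    readers = set()
    for b in bindings:
        if b["metadata"]["namespace"] != namespace:
            continue
        role = roles.get(b["roleRef"]["name"])  # assumes Role names are unique
        if role and any(rule_grants_secret_read(r, secret_name) for r in role["rules"]):
            readers.update(f"{s['kind']}/{s['name']}" for s in b["subjects"])
    return readers

def audit(roles, bindings, namespaces, secret_name):
    """Map each namespace that consumes the StorageClass to its secret readers."""
    return {ns: sorted(who_can_read_secret(roles, bindings, ns, secret_name)) for ns in namespaces}

# Constructed sample objects (not taken from any real cluster).
ROLES = {
    "namespace-developer": {"rules": [{"apiGroups": [""], "resources": ["pods", "secrets"], "verbs": ["get", "list"]}]},
    "app-tls-reader": {"rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"], "resourceNames": ["app-tls"]}]},
    "configmap-editor": {"rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["*"]}]},
}
BINDINGS = [
    {"metadata": {"namespace": "team-a"}, "roleRef": {"name": "namespace-developer"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"metadata": {"namespace": "team-a"}, "roleRef": {"name": "app-tls-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "web"}]},
    {"metadata": {"namespace": "team-b"}, "roleRef": {"name": "configmap-editor"},
     "subjects": [{"kind": "User", "name": "bob"}]},
]
```

Running `audit(ROLES, BINDINGS, ["team-a", "team-b"], "scaleio-secret")` shows that the broad secret reader in team-a can read the admin secret while the name-scoped and configmap-only roles cannot, which is the exposure the report describes.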
@k8s-ci-robot k8s-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Oct 9, 2017
@k8s-github-robot k8s-github-robot added the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Oct 9, 2017
vladimirvivien (Member, Author) commented:

/sig storage

@k8s-ci-robot k8s-ci-robot added the sig/storage Categorizes an issue or PR as relevant to SIG Storage. label Oct 9, 2017
@k8s-github-robot k8s-github-robot removed the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Oct 9, 2017
@k8s-ci-robot k8s-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Oct 10, 2017