ScaleIO - credentials could be accessed by non-admin users #53619
Labels: kind/bug, sig/storage
Is this a BUG REPORT or FEATURE REQUEST?:
/kind bug
What happened:
When managing or using volumes with a ScaleIO StorageClass, it is required that the secret object be created in every namespace where the StorageClass will be consumed. This allows authorized non-admin k8s users, who are authorized to see secrets in their namespaces, to also have unauthorized access to ScaleIO admin credentials.
What you expected to happen:
I expected RBAC to provide a safe way of restricting access to individual secrets. This does not seem to be the case. There is a need to decouple the ScaleIO admin secret from the user namespaces that consume ScaleIO volumes via PV/PVC/StorageClass.
How to reproduce it (as minimally and precisely as possible):
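The following is an added illustration, not code from this issue or from Kubernetes: a small model of the RBAC rule-matching semantics (verb, resource, and `resourceNames`, where a plain list or watch request carries no object name) run over a constructed namespace layout. It shows why a developer holding a typical edit-style Role in the consuming namespace can read the ScaleIO admin secret, why scoping the Role with `resourceNames` is not a practical fix, and what changes when the secret lives only in a namespace users hold no Role in. The namespace, subject, secret and role names are assumed for the example.

```python
"""Added example: a simplified model of Kubernetes RBAC rule matching, used to
show why a ScaleIO admin secret stored in each consuming namespace is readable
by ordinary users of that namespace. Not code from the issue or from
Kubernetes; the namespace, subject, secret and role names are constructed."""
from dataclasses import dataclass, field


@dataclass
class Rule:
    verbs: list
    resources: list
    resource_names: list = field(default_factory=list)


@dataclass
class RoleBinding:
    subject: str
    namespace: str        # a Role only grants access inside its own namespace
    rules: list


@dataclass
class Request:
    subject: str
    verb: str
    namespace: str
    resource: str
    name: str = ""        # empty for a plain list/watch; set for a get, or for a
                          # list/watch that carries a metadata.name field selector


def rule_matches(rule: Rule, req: Request) -> bool:
    """Same shape as the RBAC authorizer's check: verb, resource and (when the
    rule lists resourceNames) the object name must all match."""
    if "*" not in rule.verbs and req.verb not in rule.verbs:
        return False
    if "*" not in rule.resources and req.resource not in rule.resources:
        return False
    if rule.resource_names and req.name not in rule.resource_names:
        return False
    return True


def allowed(bindings, req: Request) -> bool:
    return any(
        b.subject == req.subject and b.namespace == req.namespace
        and any(rule_matches(r, req) for r in b.rules)
        for b in bindings
    )


def readable_secrets(bindings, subject, cluster):
    """Secret names `subject` can obtain, either by listing a namespace or by
    getting objects one at a time. `cluster` maps namespace -> secret names."""
    got = set()
    for ns, names in cluster.items():
        if allowed(bindings, Request(subject, "list", ns, "secrets")):
            got.update(names)      # a list returns every secret in the namespace
            continue
        got.update(n for n in names
                   if allowed(bindings, Request(subject, "get", ns, "secrets", n)))
    return got


# Constructed layouts. COUPLED is what the issue describes: the ScaleIO admin
# secret sits in the consuming namespace next to the team's own secret.
COUPLED = {"team-a": ["app-db-password", "sio-secret"]}
# DECOUPLED is the layout the issue asks for: the admin secret exists only in a
# namespace the team has no Role in (namespace name assumed for illustration).
DECOUPLED = {"team-a": ["app-db-password"], "scaleio-system": ["sio-secret"]}

# Edit-style Role for a team-a developer, as commonly granted.
DEV_EDIT = [RoleBinding("dev", "team-a",
                        [Rule(["get", "list", "watch"], ["secrets"])])]
# Attempt to fix the exposure with resourceNames instead of moving the secret.
DEV_SCOPED = [RoleBinding("dev", "team-a",
                          [Rule(["get", "list", "watch"], ["secrets"],
                                ["app-db-password"])])]


def demo():
    return {
        "edit role, coupled layout":
            sorted(readable_secrets(DEV_EDIT, "dev", COUPLED)),
        "scoped role, coupled layout":
            sorted(readable_secrets(DEV_SCOPED, "dev", COUPLED)),
        "plain list under scoped role":
            allowed(DEV_SCOPED, Request("dev", "list", "team-a", "secrets")),
        "edit role, decoupled layout":
            sorted(readable_secrets(DEV_EDIT, "dev", DECOUPLED)),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Under the edit-style Role the developer obtains `sio-secret` both through a plain list and through a direct get. The `resourceNames`-scoped Role does keep `sio-secret` out of reach, but because a plain list carries no object name it also denies the everyday `kubectl get secrets` in the team's own namespace, so it is not a workable substitute for moving the secret. With the secret in a namespace the developer holds no Role in, the same edit-style Role exposes nothing, which is the decoupling the report asks for; the component that actually needs the credential is the volume plugin, not a user subject, so that layout presupposes the plugin can be pointed at the secret's namespace.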