Aggregation ClusterRole circular reference bug #69652
For aggregation clusterroles, in some cases a circular dependency can exist between them, which may cause weird behaviours.
Then we create some non-aggregation clusterroles:
All three aggregation clusterroles would look like:
Then we delete clusterrole child1; all three agg-clusterroles remain unchanged, still carrying the rules from child1. However, the aggregation clusterrole is designed to aggregate rules from other clusterroles, so I think it should not keep the rules after child1 is deleted.
The scenario appears to set up a cycle in cluster roles where one role chains to another. Multi-stage chaining is acceptable and even desirable: see the usage for admin, edit, and view, where coverage is guaranteed this way.
In the scenario described here, a clusterrole is aggregating a clusterrole with permission: X. Because it is a cycle, one of the chains in the cycle has that permission so it ripples through.
There is no security risk here because the rules for aggregation remain the same: aggregate all the roles matching the label selector. In addition, only someone with full RBAC permissions can decide to make an aggregated role, and only someone trusted can create a new cluster role that can be aggregated.
The current behavior is as expected and is not a security risk.
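The following simulation of the ClusterRole aggregation controller's reconcile loop is added here as an example; it is not code from this issue or from the kubernetes controller itself. It models a rule as a `verb/resource` string, a selector as a `matchLabels` dict, and assumes (as the real controller does) that an aggregated role never pulls rules from itself. It reproduces both the cyclic chain from the report (deleting `child1` leaves the stale rule in every aggregated role, because each one still matches another member of the cycle) and the acyclic chain described above (the deletion propagates and the rules drain out), and adds a cycle check a cluster administrator could run over their own `aggregationRule` selectors before granting aggregation rights.

```python
"""Constructed simulation of ClusterRole aggregation (not the kubernetes controller).
Roles, labels, selectors and rules below are made up to mirror the issue's scenario."""
from dataclasses import dataclass, field


@dataclass
class ClusterRole:
    name: str
    labels: dict = field(default_factory=dict)
    rules: set = field(default_factory=set)        # rules modelled as "verb/resource" strings
    selectors: list = field(default_factory=list)  # matchLabels dicts; non-empty => aggregated role


def matches(role, selector):
    """True if every matchLabels key/value of the selector is present on the role."""
    return all(role.labels.get(k) == v for k, v in selector.items())


def sync_cluster_role(roles, agg):
    """One reconciliation of a single aggregated role: its rules become the union of the
    rules of every *other* role matching any selector (assumption: self is skipped)."""
    new_rules = set()
    for sel in agg.selectors:
        for r in roles.values():
            if r.name != agg.name and matches(r, sel):
                new_rules |= r.rules
    changed = new_rules != agg.rules
    agg.rules = new_rules
    return changed


def reconcile(roles):
    """Run the controller over all aggregated roles until nothing changes (fixed point)."""
    for _ in range(2 * len(roles) + 1):   # rules move at most one hop per pass
        changed = [sync_cluster_role(roles, r) for r in roles.values() if r.selectors]
        if not any(changed):
            return roles
    raise RuntimeError("aggregation did not converge")


def build_scenario(cycle):
    """agg1 <- child1; agg2 <- agg1; agg3 <- agg2; with cycle=True agg1 also <- agg3."""
    roles = {}
    for r in (
        ClusterRole("agg1", labels={"b": "true"}, selectors=[{"a": "true"}]),
        ClusterRole("agg2", labels={"c": "true"}, selectors=[{"b": "true"}]),
        ClusterRole("agg3", labels={"a": "true"} if cycle else {}, selectors=[{"c": "true"}]),
        ClusterRole("child1", labels={"a": "true"}, rules={"get/pods"}),
    ):
        roles[r.name] = r
    return roles


def rules_of(roles):
    return {n: sorted(r.rules) for n, r in roles.items()}


def delete_and_reconcile(cycle, victim="child1"):
    """Return (rules before deleting `victim`, rules after deleting it and re-reconciling)."""
    roles = build_scenario(cycle)
    reconcile(roles)
    before = rules_of(roles)
    del roles[victim]
    reconcile(roles)
    return before, rules_of(roles)


def aggregation_edges(roles):
    """Directed edges aggregated-role -> roles it pulls rules from."""
    return {
        agg.name: sorted(r.name for r in roles.values()
                         if r.name != agg.name and any(matches(r, s) for s in agg.selectors))
        for agg in roles.values() if agg.selectors
    }


def has_aggregation_cycle(roles):
    """DFS colouring over the aggregation graph; True if any aggregated role reaches itself."""
    edges = aggregation_edges(roles)
    state = {n: 0 for n in roles}          # 0 unvisited, 1 on stack, 2 done

    def visit(n):
        state[n] = 1
        for m in edges.get(n, []):
            if state[m] == 1 or (state[m] == 0 and visit(m)):
                return True
        state[n] = 2
        return False

    return any(state[n] == 0 and visit(n) for n in roles)


if __name__ == "__main__":
    for cyc in (True, False):
        before, after = delete_and_reconcile(cyc)
        print(f"cycle={cyc} detected={has_aggregation_cycle(build_scenario(cyc))}")
        print("  before delete:", before)
        print("  after  delete:", after)
```

The cyclic run converges in two passes, and after `child1` is removed no aggregated role changes at all, because `agg1`'s selector still matches `agg3`, which still carries `get/pods`. The acyclic run drains to empty rule sets, which is the behaviour the reporter expected. The cycle detector is the check to run before labelling an aggregated role so that it can itself be aggregated: a cycle is not a privilege escalation (the union of matching rules is unchanged), but it does mean a deleted source role's rules are never revoked until the cycle is broken or one member is edited by hand.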
@deads2k: Closing this issue.
In response to this: