Audit RBAC, avoid global (*) permissions #2866
Conversation
kubevirt-bot
added
release-note
kubevirt-bot
added
the
do-not-merge/work-in-progress
| @@ -54,7 +54,12 @@ func getClusterPolicyRules() []rbacv1.PolicyRule { | |||
| "clusterroles", | |||
| }, | |||
| Verbs: []string{ | |||
| "*", | |||
There was a problem hiding this comment.
@mhenriks Apparently we have been using escalate for a while, which means the operator
can create clusterroles with more rights than it has
https://kubernetes.io/docs/concepts/security/rbac-good-practices/#escalate-verb
akalenyu
force-pushed
the
less-global-permission-rules
branch
from
376f0f0
to
1971de3
Compare
|
/test pull-containerized-data-importer-e2e-hpp-latest |
akalenyu
force-pushed
the
less-global-permission-rules
branch
from
1971de3
to
5441d2c
Compare
|
/test all |
There are some permissions which are logically not needed, and some others where we can just reduce the verb set allowed. Signed-off-by: Alex Kalenyuk <akalenyu@redhat.com>
https://kubernetes.io/docs/concepts/security/rbac-good-practices/#persistent-volume-creation Signed-off-by: Alex Kalenyuk <akalenyu@redhat.com>
Following https://kubernetes.io/docs/concepts/security/rbac-good-practices/#control-admission-webhooks We know the names of our validating/mutating webhooks upfront, so we can only allow update/delete on those. Signed-off-by: Alex Kalenyuk <akalenyu@redhat.com>
https://kubernetes.io/docs/concepts/security/rbac-good-practices/#escalate-verb Signed-off-by: Alex Kalenyuk <akalenyu@redhat.com>
akalenyu
force-pushed
the
less-global-permission-rules
branch
from
5441d2c
to
9054204
Compare
kubevirt-bot
removed
the
do-not-merge/work-in-progress
|
/cc @mhenriks |
| }, | ||
| Resources: []string{ | ||
| "customresourcedefinitions", | ||
| "customresourcedefinitions/status", | ||
| "*", |
There was a problem hiding this comment.
nit:
why * shouldn't it be just CDI?
There was a problem hiding this comment.
All CDI resources (datavolumes/datasources/..)
There was a problem hiding this comment.
As far as i know the operator doesn't create,update or delete datavolumes/datasources/..
There was a problem hiding this comment.
Quick example
containerized-data-importer/pkg/operator/controller/callbacks.go
Lines 221 to 222 in f88fab6
And we should also have uninstall logic that deletes the remaining resources
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mhenriks The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
kubevirt-bot
added
the
approved
|
/cherrypick release-v1.57 |
|
@awels: new pull request created: #2886 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
There are some permissions that are logically not needed, and some others where we can just reduce the verb set.
Trying to follow https://kubernetes.io/docs/concepts/security/rbac-good-practices/
What this PR does / why we need it:
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #
https://bugzilla.redhat.com/show_bug.cgi?id=2183659
Special notes for your reviewer:
Release note: