Audit RBAC, avoid global (*) permissions #2866
Conversation
@@ -54,7 +54,12 @@ func getClusterPolicyRules() []rbacv1.PolicyRule { | |||
"clusterroles", | |||
}, | |||
Verbs: []string{ | |||
"*", |
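Review bot: the "*" verb on the clusterroles resource at the end of this hunk is the escalate exposure raised in the thread: a wildcard verb includes escalate and bind, so the operator can create ClusterRoles holding permissions it does not itself have. Enumerate the verbs the operator actually needs (for example get, list, watch, create, update, patch, delete) and leave escalate and bind out unless a specific need is documented; the RBAC good-practices page linked in this PR covers the verb.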
@mhenriks Apparently we have been using escalate for a while, which means the operator can create clusterroles with more rights than it has: https://kubernetes.io/docs/concepts/security/rbac-good-practices/#escalate-verb
Yikes!
376f0f0 to 1971de3
/test pull-containerized-data-importer-e2e-hpp-latest
1971de3 to 5441d2c
/test all
There are some permissions which are logically not needed, and some others where we can just reduce the verb set allowed. Signed-off-by: Alex Kalenyuk <akalenyu@redhat.com>
https://kubernetes.io/docs/concepts/security/rbac-good-practices/#persistent-volume-creation Signed-off-by: Alex Kalenyuk <akalenyu@redhat.com>
Following https://kubernetes.io/docs/concepts/security/rbac-good-practices/#control-admission-webhooks We know the names of our validating/mutating webhooks upfront, so we can only allow update/delete on those. Signed-off-by: Alex Kalenyuk <akalenyu@redhat.com>
https://kubernetes.io/docs/concepts/security/rbac-good-practices/#escalate-verb Signed-off-by: Alex Kalenyuk <akalenyu@redhat.com>
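The escalate point raised in review and the tightening described in the commit messages (enumerated verbs instead of "*", webhook update/delete pinned to known names, no wildcard resources) can be checked mechanically before a rule list ships. The following is an added example, not code from the CDI repository or from this PR. It uses a local PolicyRule struct with the same field names as rbacv1.PolicyRule so it runs without the Kubernetes module, and the two rule sets, the API groups and the webhook names in it are constructed for illustration rather than copied from the operator.

```go
package main

import (
	"fmt"
	"strings"
)

// PolicyRule mirrors the fields of rbacv1.PolicyRule (k8s.io/api/rbac/v1).
// Local copy, an assumption of this example, so the audit runs without the
// Kubernetes module; the operator itself uses rbacv1.PolicyRule directly.
type PolicyRule struct {
	APIGroups     []string
	Resources     []string
	ResourceNames []string
	Verbs         []string
}

// Finding is one audit hit: the index of the rule and why it is risky.
type Finding struct {
	RuleIndex int
	Reason    string
}

// hasAny reports whether list contains any of the wanted values.
func hasAny(list []string, wanted ...string) bool {
	for _, v := range list {
		for _, w := range wanted {
			if v == w {
				return true
			}
		}
	}
	return false
}

// AuditRules applies the checks from the RBAC good-practices page linked in the
// PR: wildcards, escalate/bind on RBAC objects, and webhook configuration writes
// that are not limited to named objects.
func AuditRules(rules []PolicyRule) []Finding {
	var out []Finding
	add := func(i int, reason string) { out = append(out, Finding{RuleIndex: i, Reason: reason}) }
	for i, r := range rules {
		if hasAny(r.Verbs, "*") {
			add(i, "wildcard verb: grants every verb, including escalate and bind on RBAC resources")
		}
		if hasAny(r.Resources, "*") {
			add(i, "wildcard resource: covers every resource in the group, including kinds added later")
		}
		if hasAny(r.APIGroups, "*") {
			add(i, "wildcard API group: covers every API group in the cluster")
		}
		onRBAC := hasAny(r.APIGroups, "rbac.authorization.k8s.io", "*") &&
			hasAny(r.Resources, "roles", "clusterroles", "rolebindings", "clusterrolebindings", "*")
		if onRBAC && hasAny(r.Verbs, "escalate") {
			add(i, "escalate: subject can create roles holding permissions it does not have itself")
		}
		if onRBAC && hasAny(r.Verbs, "bind") {
			add(i, "bind: subject can bind roles holding permissions it does not have itself")
		}
		onWebhooks := hasAny(r.APIGroups, "admissionregistration.k8s.io", "*") &&
			hasAny(r.Resources, "validatingwebhookconfigurations", "mutatingwebhookconfigurations", "*")
		// update/patch/delete can be pinned to known object names with resourceNames;
		// create and deletecollection cannot, so only the former are flagged here.
		if onWebhooks && len(r.ResourceNames) == 0 && hasAny(r.Verbs, "update", "patch", "delete", "*") {
			add(i, "webhook configs: update/patch/delete not limited to named objects via resourceNames")
		}
	}
	return out
}

// BeforeRules models the shape of rules the PR tightens (constructed for the example).
func BeforeRules() []PolicyRule {
	return []PolicyRule{
		{APIGroups: []string{"rbac.authorization.k8s.io"}, Resources: []string{"clusterroles", "clusterrolebindings"}, Verbs: []string{"*"}},
		{APIGroups: []string{"cdi.kubevirt.io"}, Resources: []string{"*"}, Verbs: []string{"*"}},
		{APIGroups: []string{"admissionregistration.k8s.io"}, Resources: []string{"validatingwebhookconfigurations", "mutatingwebhookconfigurations"},
			Verbs: []string{"get", "list", "watch", "create", "update", "delete"}},
	}
}

// AfterRules is the hardened counterpart: explicit verbs, explicit CDI kinds, and
// webhook update/delete restricted to placeholder names known at build time.
func AfterRules() []PolicyRule {
	webhooks := []string{"validatingwebhookconfigurations", "mutatingwebhookconfigurations"}
	return []PolicyRule{
		{APIGroups: []string{"rbac.authorization.k8s.io"}, Resources: []string{"clusterroles", "clusterrolebindings"},
			Verbs: []string{"get", "list", "watch", "create", "update", "patch", "delete"}},
		{APIGroups: []string{"cdi.kubevirt.io"}, Resources: []string{"cdiconfigs", "datavolumes", "datasources"}, Verbs: []string{"get", "list", "watch", "delete"}},
		{APIGroups: []string{"admissionregistration.k8s.io"}, Resources: webhooks, Verbs: []string{"get", "list", "watch", "create"}},
		{APIGroups: []string{"admissionregistration.k8s.io"}, Resources: webhooks,
			ResourceNames: []string{"example-validatingwebhook", "example-mutatingwebhook"}, // placeholder names
			Verbs:         []string{"update", "delete"}},
	}
}

// Report renders the findings for a rule set as one line per finding.
func Report(rules []PolicyRule) string {
	var b strings.Builder
	for _, f := range AuditRules(rules) {
		fmt.Fprintf(&b, "rule %d: %s\n", f.RuleIndex, f.Reason)
	}
	if b.Len() == 0 {
		b.WriteString("no findings\n")
	}
	return b.String()
}

func main() {
	fmt.Print("before:\n", Report(BeforeRules()), "after:\n", Report(AfterRules()))
}
```

Running it prints four findings for the loose rule set and none for the tightened one; the same AuditRules function can be pointed at the operator's real getClusterPolicyRules output in a unit test so a reintroduced wildcard fails CI.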
5441d2c to 9054204
/cc @mhenriks
}, | ||
Resources: []string{ | ||
"customresourcedefinitions", | ||
"customresourcedefinitions/status", | ||
"*", |
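Review bot: the wildcard Resources entry at the end of this hunk makes the rule hard to audit, because it also covers any resource type added to the group later. The thread gives the concrete uses (listing CDIConfig in callbacks.go and deleting remaining resources on uninstall), so the resources and verbs can be listed from those call sites instead of "*"; if the full set is intentionally all CDI kinds, a comment saying why would help the next reviewer.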
nit: why "*"? Shouldn't it be just CDI?
All CDI resources (datavolumes/datasources/..)
As far as I know the operator doesn't create, update or delete datavolumes/datasources/..
Quick example, containerized-data-importer/pkg/operator/controller/callbacks.go, lines 221 to 222 in f88fab6:

    cl := &cdiv1.CDIConfigList{}
    err := args.Client.List(context.TODO(), cl)

And we should also have uninstall logic that deletes the remaining resources.
Oh sorry I missed that 👍
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: mhenriks
/cherrypick release-v1.57
@awels: new pull request created: #2886
What this PR does / why we need it:
There are some permissions that are logically not needed, and some others where we can just reduce the verb set.
Trying to follow https://kubernetes.io/docs/concepts/security/rbac-good-practices/

Which issue(s) this PR fixes:
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2183659

Special notes for your reviewer:

Release note: