ClusterRole rules are too permissive

[jameshearttech]

role.yaml

{{- if .Values.rbac.create }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "kubernetes-event-exporter.fullname" . }}
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["get", "watch", "list"]
{{- end -}}

ClusterRole rules are too permissive! The service account does not need to be able to get, watch, list everything (e.g., secrets). The default should include only what is necessary for the software to function (i.e., events).

If we could configure the rules from the values.yaml that would be awesome.

[Evedel]

Under the hood, the exporter is using "EnhancedEvent". Meaning it is reading and attaching the whole InvolvedObject definition to the event. That is used for when one wants to customise payload. Which is why it needs read access to all objects referenced in events too.

[jpuskar]

Would it be possible to toggle this functionality to allow the exporter to work in more restrictive environments?

[Evedel]

Hey @jpuskar, simply disabling that in the cluster role will break the exporter once an event is created with a custom resource as the object ref. You can try to drop the permissions and see you it is broken in your particular cluster. Actual code feature-toggle technically can be added.