Merge pull request #3608 from cyclinder/fix_rbac_vulnerability
RBAC: avoid granting overly broad permissions that could lead to potential CVE risks
weizhoublue committed Jun 18, 2024
2 parents 8e99641 + 81a0c48 commit d1dac37
Showing 2 changed files with 42 additions and 85 deletions.
109 changes: 35 additions & 74 deletions charts/spiderpool/templates/role.yaml
Expand Up @@ -33,14 +33,6 @@ rules:
- patch
- update
- watch
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- watch
- apiGroups:
- admissionregistration.k8s.io
resources:
Expand Down Expand Up @@ -78,6 +70,15 @@ rules:
- list
- update
- watch
- apiGroups:
- apps.kruise.io
resources:
- clonesets
- statefulsets
verbs:
- get
- list
- watch
- apiGroups:
- batch
resources:
Expand All @@ -88,6 +89,14 @@ rules:
- list
- update
- watch
- apiGroups:
- cilium.io
resources:
- ciliumpodippools
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
Expand All @@ -96,6 +105,14 @@ rules:
- create
- get
- update
- apiGroups:
- crd.projectcalico.org
resources:
- ippools
verbs:
- get
- list
- watch
- apiGroups:
- k8s.cni.cncf.io
resources:
Expand All @@ -112,16 +129,18 @@ rules:
- kubevirt.io
resources:
- virtualmachineinstances
- virtualmachines
verbs:
- get
- list
- apiGroups:
- kubevirt.io
- networking.k8s.io
resources:
- virtualmachines
- servicecidrs
verbs:
- get
- list
- watch
- apiGroups:
- resource.k8s.io
resources:
Expand All @@ -141,6 +160,10 @@ rules:
- spiderpool.spidernet.io
resources:
- spiderclaimparameters
- spiderendpoints
- spidermultusconfigs
- spiderreservedips
- spidersubnets
verbs:
- create
- delete
Expand All @@ -165,22 +188,12 @@ rules:
- spiderpool.spidernet.io
resources:
- spidercoordinators/status
- spiderippools/status
- spidersubnets/status
verbs:
- get
- patch
- update
- apiGroups:
- spiderpool.spidernet.io
resources:
- spiderendpoints
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- spiderpool.spidernet.io
resources:
Expand All @@ -194,55 +207,3 @@ rules:
- patch
- update
- watch
- apiGroups:
- spiderpool.spidernet.io
resources:
- spiderippools/status
verbs:
- get
- patch
- update
- apiGroups:
- spiderpool.spidernet.io
resources:
- spidermultusconfigs
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- spiderpool.spidernet.io
resources:
- spiderreservedips
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- spiderpool.spidernet.io
resources:
- spidersubnets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- spiderpool.spidernet.io
resources:
- spidersubnets/status
verbs:
- get
- patch
- update
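Review bot: The chart's ClusterRole and the kubebuilder markers in pkg/k8s/apis/spiderpool.spidernet.io/v2beta1/rbac.go are edited by hand in parallel here, and nothing in this template says the two must mirror each other; the pre-commit drift (a standalone spiderendpoints rule plus separate spidermultusconfigs/spiderreservedips/spidersubnets rules, now folded into the merged spiderpool.spidernet.io rule in the `-141,6 +160,10` hunk) shows how easily they diverge. I would add a header comment to the template, above the `rules:` list that starts outside these hunks: `# Keep in sync with the +kubebuilder:rbac markers in pkg/k8s/apis/spiderpool.spidernet.io/v2beta1/rbac.go; review any new verb against least privilege.` Also worth a second look is whether every new read-only rule (apps.kruise.io, cilium.io, crd.projectcalico.org) is needed in all deployments, or should be gated on the corresponding chart value, since granting RBAC for an integration that is not enabled only widens the role for no benefit.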
18 changes: 7 additions & 11 deletions pkg/k8s/apis/spiderpool.spidernet.io/v2beta1/rbac.go
@@ -1,27 +1,23 @@
// Copyright 2022 Authors of spidernet-io
// SPDX-License-Identifier: Apache-2.0

// +kubebuilder:rbac:groups=spiderpool.spidernet.io,resources=spidersubnets,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=spiderpool.spidernet.io,resources=spidersubnets/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=spiderpool.spidernet.io,resources=spiderippools,verbs=get;list;watch;create;update;patch;delete;deletecollection
// +kubebuilder:rbac:groups=spiderpool.spidernet.io,resources=spiderippools/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=spiderpool.spidernet.io,resources=spiderendpoints,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=spiderpool.spidernet.io,resources=spiderreservedips,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=spiderpool.spidernet.io,resources=spidersubnets;spiderendpoints;spiderreservedips;spidermultusconfigs;spiderclaimparameters,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=spiderpool.spidernet.io,resources=spidercoordinators,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=spiderpool.spidernet.io,resources=spidercoordinators/status,verbs=get;update;patch
// +kubebuilder:rbac:groups=spiderpool.spidernet.io,resources=spidermultusconfigs,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=spiderpool.spidernet.io,resources=spiderclaimparameters,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=spiderpool.spidernet.io,resources=spidersubnets/status;spiderippools/status;spidercoordinators/status,verbs=get;update;patch
// +kubebuilder:rbac:groups="",resources=events,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups="coordination.k8s.io",resources=leases,verbs=create;get;update
// +kubebuilder:rbac:groups="apps",resources=statefulsets;deployments;replicasets;daemonsets,verbs=get;list;watch;update
// +kubebuilder:rbac:groups="resource.k8s.io",resources=resourceclaims;resourceclaims/status;podschedulingcontexts/status;resourceclaimtemplates;resourceclasses;podschedulingcontexts,verbs=get;list;patch;watch;update
// +kubebuilder:rbac:groups="networking.k8s.io",resources=servicecidrs,verbs=get;list;watch
// +kubebuilder:rbac:groups="batch",resources=jobs;cronjobs,verbs=get;list;watch;update
// +kubebuilder:rbac:groups="",resources=nodes;namespaces;endpoints;pods;pods/status;configmaps,verbs=get;list;watch;update;patch;delete;deletecollection
// +kubebuilder:rbac:groups="*",resources="*",verbs=get;list;watch
// +kubebuilder:rbac:groups=k8s.cni.cncf.io,resources=network-attachment-definitions,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=kubevirt.io,resources=virtualmachines,verbs=get;list
// +kubebuilder:rbac:groups=kubevirt.io,resources=virtualmachineinstances,verbs=get;list
// +kubebuilder:rbac:groups=kubevirt.io,resources=virtualmachines;virtualmachineinstances,verbs=get;list
// +kubebuilder:rbac:groups=admissionregistration.k8s.io,resources=mutatingwebhookconfigurations;validatingwebhookconfigurations,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=apiextensions.k8s.io,resources=customresourcedefinitions,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=apps.kruise.io,resources=clonesets;statefulsets,verbs=get;list;watch
// +kubebuilder:rbac:groups=crd.projectcalico.org,resources=ippools,verbs=get;list;watch
// +kubebuilder:rbac:groups=cilium.io,resources=ciliumpodippools,verbs=get;list;watch

package v2beta1
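Review bot: With the wildcard `groups="*",resources="*"` marker gone, the broadest grant remaining is the core-group marker (`groups="",resources=nodes;namespaces;endpoints;pods;pods/status;configmaps,verbs=...delete;deletecollection`), which still allows cluster-wide delete and deletecollection on nodes, namespaces and configmaps, and the admissionregistration.k8s.io marker grants full create/update/delete on all webhook configurations rather than only the ones this chart installs; it is not visible from the hunk whether those lines are unchanged context, but they are what the new rule set now grants. I would document the consumer of each destructive verb next to the marker, e.g. `// NOTE: delete/deletecollection on nodes, namespaces and configmaps is cluster-scoped; keep only the verbs a known controller path needs.`, and where a verb is needed only on objects the chart owns, narrow it with `resourceNames`. A short comment noting that the chart's role.yaml is regenerated from or must be kept in sync with these markers would also help reviewers catch the next drift.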
