This repository has been archived by the owner on Jan 11, 2023. It is now read-only.
Dashboard Service Account Role #2425
Comments
|
This was identified during a security review we did recently. As a workaround, we are proposing disabling the addon when we run ACS-Engine against the We'll be using the ACS-Engine's example at parts/k8s/addons/kubernetesmasteraddons-kubernetes-dashboard-deployment.yaml but modifying it per our requirements. |
3 tasks
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Is this a request for help?: No
Is this an ISSUE or FEATURE REQUEST? (choose one): ISSUE
What version of acs-engine?: v0.13.0
Orchestrator and version (e.g. Kubernetes, DC/OS, Swarm)
K8S v1.9.3
What happened:
dashboard service account running in cluster-admin role by default.
https://github.com/Azure/acs-engine/blob/afbf71b97cb7e14518d67708f79efa757c32bcbb/parts/k8s/addons/kubernetesmasteraddons-kubernetes-dashboard-deployment.yaml
What you expected to happen:
"As of release 1.7 Dashboard no longer has full admin privileges granted by default" https://github.com/kubernetes/dashboard/wiki/Access-control
How to reproduce it (as minimally and precisely as possible):
https://github.com/Azure/acs-engine/blob/master/docs/kubernetes/deploy.md
Anything else we need to know:
on the dashboard login screen clicking the "Skip" button correctly lets an unauthenticated user use the dashboard under the privileges of the dashboard SA. by default this would effectively be read-only view but because the SA is privileged as admin so is their access. currently no need for users to auth to their potentially lower privileges when they can just skip to admin.
The text was updated successfully, but these errors were encountered: