Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Least Privilege on RBAC Permissions #72

Open
ghostsquad opened this issue Aug 12, 2022 · 0 comments
Open

Least Privilege on RBAC Permissions #72

ghostsquad opened this issue Aug 12, 2022 · 0 comments

Comments

@ghostsquad
Copy link

Please describe your use case / problem.

A review of the RBAC permissions given to the edge-stack pods seems overly permissive. Here are some examples:

https://github.com/emissary-ingress/emissary/blob/5e03b912c048c2db25763dbf77265792199ebbad/charts/emissary-ingress/templates/rbac.yaml#L87-L90

https://github.com/datawire/edge-stack/blob/main/charts/edge-stack/templates/rbac.yaml#L27-L29

Does this actually need to read every secret in every namespace?

Similarly, its allowed to delete any CRD.

rules:
  - apiGroups: [ "apiextensions.k8s.io" ]
    resources: [ "customresourcedefinitions" ]
    verbs: ["get", "list", "watch", "delete"]

Describe the solution you'd like

At minimum, it would be nice to have an explanation of what's going on that seems to require these permissions. Better would be to be a bit more verbose about what secrets, CRDs, etc that actually need to be managed.

Describe alternatives you've considered

Disabling unsavory permissions until I've had a chance to review the code and/or see errors in the logs.

Additional context
n/a

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant