overly broad permissions: leases permissions should be namespace scoped #1564

Closed
nairb774 opened this issue Apr 8, 2023 · 0 comments · Fixed by #1614
Labels
kind/bug Categorizes issue or PR as related to a bug.


nairb774 commented Apr 8, 2023

/kind bug

What happened?

The current deployment creates a ClusterRole/ClusterRoleBinding with the leases permission.

What you expected to happen?

The deployment uses the minimal set of permissions necessary. This set of permissions should be able to be moved to a Role/RoleBinding in the namespace where the driver is deployed. As best I can tell, the code only needs to create/use a lease in the containing namespace and not in all namespaces cluster wide.

How to reproduce it (as minimally and precisely as possible)?

Follow the install instructions for either a kustomize or helm install.

Anything else we need to know?:

- apiGroups: [ "coordination.k8s.io" ]
  resources: [ "leases" ]
  verbs: [ "get", "watch", "list", "delete", "update", "create" ]

- apiGroups: [ "coordination.k8s.io" ]
  resources: [ "leases" ]
  verbs: [ "get", "watch", "list", "delete", "update", "create" ]

Environment

  • Kubernetes version (use kubectl version): 1.22
  • Driver version: v1.17.0
@k8s-ci-robot k8s-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Apr 8, 2023
@nitishchauhan0022 nitishchauhan0022 removed their assignment May 27, 2023
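
The re-scoping requested in the issue, as an added example that is not part of the original issue or the project's own code: it moves the quoted `leases` rule out of a ClusterRole into a Role/RoleBinding in the driver's namespace. The ClusterRole name, the `persistentvolumes` rule, the namespace and the service account name are constructed placeholders.

```python
import copy
import json

RBAC = "rbac.authorization.k8s.io"
LEASE_GROUP, LEASE_RESOURCE = "coordination.k8s.io", "leases"

# Constructed sample: the leases rule quoted in the issue plus one made-up rule.
SAMPLE_CLUSTER_ROLE = {
    "apiVersion": RBAC + "/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "example-driver-role"},  # hypothetical name
    "rules": [
        {"apiGroups": [""], "resources": ["persistentvolumes"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": [LEASE_GROUP], "resources": [LEASE_RESOURCE],
         "verbs": ["get", "watch", "list", "delete", "update", "create"]},
    ],
}

def grants_leases(rule):
    """True when the rule names coordination.k8s.io leases explicitly (wildcards not handled)."""
    return LEASE_GROUP in rule.get("apiGroups", []) and LEASE_RESOURCE in rule.get("resources", [])

def split_lease_rules(cluster_role, namespace, service_account):
    """Move lease rules out of a ClusterRole into a Role/RoleBinding in `namespace`."""
    lease_rules = [r for r in cluster_role["rules"] if grants_leases(r)]
    for rule in lease_rules:
        # A rule mixing leases with other resources cannot be moved wholesale.
        if rule["apiGroups"] != [LEASE_GROUP] or rule["resources"] != [LEASE_RESOURCE]:
            raise ValueError("rule mixes leases with other resources; split it first")
    trimmed = copy.deepcopy(cluster_role)
    trimmed["rules"] = [r for r in trimmed["rules"] if not grants_leases(r)]
    name = cluster_role["metadata"]["name"] + "-leases"
    meta = {"name": name, "namespace": namespace}
    role = {"apiVersion": RBAC + "/v1", "kind": "Role", "metadata": dict(meta),
            "rules": copy.deepcopy(lease_rules)}
    binding = {
        "apiVersion": RBAC + "/v1", "kind": "RoleBinding", "metadata": dict(meta),
        "subjects": [{"kind": "ServiceAccount", "name": service_account, "namespace": namespace}],
        "roleRef": {"apiGroup": RBAC, "kind": "Role", "name": name},
    }
    return trimmed, role, binding

if __name__ == "__main__":
    # Namespace and service account names are placeholders.
    for obj in split_lease_rules(SAMPLE_CLUSTER_ROLE, "example-driver-ns", "example-driver-sa"):
        print(json.dumps(obj, indent=2))
```

The printed objects are JSON manifests, which `kubectl apply -f` accepts alongside YAML.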