Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] Unnecessary RBAC permissions #315

Open
Yseona opened this issue May 30, 2024 · 0 comments
Open

[BUG] Unnecessary RBAC permissions #315

Yseona opened this issue May 30, 2024 · 0 comments
Assignees
@SimonCqk

Comments

@Yseona
Copy link

Yseona commented May 30, 2024

Description

The bug is that the Deployment kubedl in the charts has too much RBAC permission than it needs. The service account of kubedl is bound to a clusterrole (role.yaml) with the following permissions:

  • create/delete/patch/update verb of the deployments resource (ClusterRole)
  • update verb of the pods/sevices resource (ClusterRole)

After reading the source code of kubedl/kubedl, I didn't find any Kubernetes API usages using these permissions. Besides, some of these unused permissions may have potential risks. For example, if malicious users gain control of a Kubernetes node running a kubedl pod, they can use the "create deployment" permission to create privileged containers with malicious container images.

Therefore, these permissions should be rechecked to determine if they are truly unnecessary. If they are, the issue should be fixed by removing the unnecessary permissions or other feasible methods.

To Reproduce

Use charts with default values.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@SimonCqk SimonCqk

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@SimonCqk @Yseona