Loading...

XML

Word

Printable

Type: Story
Resolution: Unresolved
Priority: Normal
Fix Version/s: Future
Affects Version/s: Future
Component/s: Installer
Labels:
None

Blocked:
False
Blocked Reason:
None
Ready:
False
Acceptance Criteria:

Hide

Provide the required acceptance criteria using this template.
* ...

Show
Provide the required acceptance criteria using this template. * ...
Regression:
No
Intelligence Requested:
Market:

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

Value Statement

By prohibiting the use of wildcards in RBAC permissions, we enhance security by enforcing precise access control and reducing the risk of unauthorized access to resources.

Targeted Files:

[ ] pkg/.../cluster-backup/templates/clusterbackup-clusterrole.yaml
[ ] pkg/.../charts/toggle/grc/templates/grc-clusterrole.yaml
[ ] pkg/.../charts/toggle/grc/templates/grc-role.yaml
[ ] pkg/.../templates/multicluster-operators-clusterrole.yaml
[ ] pkg/.../templates/multicluster-observability-operator-clusterrole.yaml
[ ] pkg/templates/multiclusterhub/base/multicluster-applications-rbac-aggregate-admin.yaml
[ ] pkg/.../search-v2-operator/templates/search-v2-operator-clusterrole.yaml
[ ] pkg/.../search-v2-operator/templates/search-v2-operator-role.yaml

Definition of Done for Engineering Story Owner (Checklist)

[ ] Wildcards are removed from RBAC permissions in various YAML files.
[ ] RBAC configurations are validated to ensure precise access control.

Noncompliant code example

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: example-role
rules:
  - apiGroups: [""]
    resources: ["*"] # Noncompliant
    verbs: ["get", "list"]

Compliant solution

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: example-role
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]

Development Complete

The code is complete.
Functionality is working.
Any required downstream Docker file changes are made.

Tests Automated

[ ] Unit/function tests have been automated and incorporated into the
build.
[ ] 100% automated unit/function test coverage for new or changed APIs.

Secure Design

[ ] Security has been assessed and incorporated into your threat model.

Multidisciplinary Teams Readiness

[ ] Create an informative documentation issue using the [Customer
Portal_doc_issue template](
https://github.com/stolostron/backlog/issues/new?assignees=&labels=squad%3Adoc&template=doc_issue.md&title=),
and ensure doc acceptance criteria is met. Link the development issue to
the doc issue.
[ ] Provide input to the QE team, and ensure QE acceptance criteria
(established between story owner and QE focal) are met.

Support Readiness

[ ] The must-gather script has been updated.

is cloned by

ACM-10002 MCE: Prohibit the use of wildcards when defining RBAC permissions in various YAML files to enforce precise access control

To Do

Assignee:: Unassigned

Reporter:: Disaiah Bennett

QA Contact:: Thuy Nguyen

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Created:: 2024/02/19 9:14 PM

Updated:: 2024/05/01 5:08 PM

Details

Description

Value Statement

Definition of Done for Engineering Story Owner (Checklist)

Noncompliant code example

Compliant solution

Development Complete

Tests Automated

Secure Design

Multidisciplinary Teams Readiness

Support Readiness

Attachments

Issue Links

Activity

People

Dates

Hide