Value Statement
By prohibiting the use of wildcards in RBAC permissions, we enhance security by enforcing precise access control and reducing the risk of unauthorized access to resources.
Targeted Files:
- [ ] pkg/.../cluster-backup/templates/clusterbackup-clusterrole.yaml
- [ ] pkg/.../charts/toggle/grc/templates/grc-clusterrole.yaml
- [ ] pkg/.../charts/toggle/grc/templates/grc-role.yaml
- [ ] pkg/.../templates/multicluster-operators-clusterrole.yaml
- [ ] pkg/.../templates/multicluster-observability-operator-clusterrole.yaml
- [ ] pkg/templates/multiclusterhub/base/multicluster-applications-rbac-aggregate-admin.yaml
- [ ] pkg/.../search-v2-operator/templates/search-v2-operator-clusterrole.yaml
- [ ] pkg/.../search-v2-operator/templates/search-v2-operator-role.yaml
Definition of Done for Engineering Story Owner (Checklist)
- [ ] Wildcards are removed from RBAC permissions in various YAML files.
- [ ] RBAC configurations are validated to ensure precise access control.
Noncompliant code example

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: example-role
rules:
- apiGroups: [""]
  resources: ["*"] # Noncompliant
  verbs: ["get", "list"]
```

Compliant solution

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: example-role
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]
```
Development Complete
- The code is complete.
- Functionality is working.
- Any required downstream Docker file changes are made.
Tests Automated
- [ ] Unit/function tests have been automated and incorporated into the build.
- [ ] 100% automated unit/function test coverage for new or changed APIs.
Secure Design
- [ ] Security has been assessed and incorporated into your threat model.
Multidisciplinary Teams Readiness
- [ ] Create an informative documentation issue using the [Customer Portal_doc_issue template](https://github.com/stolostron/backlog/issues/new?assignees=&labels=squad%3Adoc&template=doc_issue.md&title=), and ensure doc acceptance criteria is met. Link the development issue to the doc issue.
- [ ] Provide input to the QE team, and ensure QE acceptance criteria (established between story owner and QE focal) are met.
Support Readiness
- [ ] The must-gather script has been updated.
Is cloned by: ACM-10002 MCE: Prohibit the use of wildcards when defining RBAC permissions in various YAML files to enforce precise access control (status: To Do)