Uploaded image for project: 'OpenShift Builds'
  1. OpenShift Builds
  2. BUILD-1168

Documented Process for Shared Resource CSI Driver Too Permissive

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Major Major
    • builds-1.2
    • builds-1.1
    • shared-resources
    • None
    • 2
    • False
    • None
    • False
    • SECFLOWOTL-27 - Shared Resource CSI Driver GA
    • Release Note Not Required
    • Builds Sprint #17

      Description of problem:

      In BUILD-965, we reduced the RBAC granted to the Shared Resource CSI Driver. The documented process for cluster admins, however, leads to the same fundamental security problem of the CSI driver being granted excessive permissions.

      Workaround: None

      Prerequisites (if any, like setup, operators/versions):

      Builds for OpenShift 1.1

      Steps to Reproduce

      Follow the procedure described in the Shared Resource CSI Driver README: https://github.com/openshift/csi-driver-shared-resource
       

      Actual results:

      Shared Resource CSI driver has permission to read any ConfigMap (bad). The equivalent procedure for Secrets would allow the CSI driver to read any Secret (really bad)

      Expected results:

      CSI driver should operate under principle of least privilege - its service account should only have permission to access specific Secrets or ConfigMaps.

      Reproducibility (Always/Intermittent/Only Once):

      Always

      Acceptance criteria: 

      • Documented procedure ensures cluster admins only grant minimal permissions to the Shared Resource CSI driver

              adkaplan@redhat.com Adam Kaplan
              adkaplan@redhat.com Adam Kaplan
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: