Uploaded image for project: 'OpenShift CFE'
  1. OpenShift CFE
  2. CFE-248 As a security/dev engineer I want to audit and implement the Node Observability Operator so that it complies with “least privilege” when deployed
  3. CFE-410

As an operator designer, I want to make sure RBAC is restricted to the minimum necessary

XMLWordPrintable

    • Icon: Sub-task Sub-task
    • Resolution: Done
    • Icon: Undefined Undefined
    • None
    • None
    • None
    • None
    • False
    • None
    • False
    • CFE Sprint 216, CFE Sprint 217, CFE Sprint 218

      According to https://docs.google.com/document/d/1D6Asw-dg1d6oii_ofThZiROnmvOl2XH8b559NnszCtk/edit# :

      Q: Is there a way we could restrict it? On resourceName? If that makes any sense?

      [David]If the SA that needs to be created, and eventually destroyed, is always created and destroyed in a known Namespace, this could work in a Role RBAC definition, instead of a ClusterRole RBAC one.

      In this subtask, we want to investigate if it is possible to restrict the permissions to create/update/delete serviceaccounts to the namespace, instead oc giving this permission for the whole cluster

              thn@redhat.com Thejas N (Inactive)
              skhoury@redhat.com Sherine Khoury
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: