  1. Cluster Observability Operator
  2. COO-1120

Add config to not create ClusterRoleBinding


    • Epic
    • Resolution: Done
    • Major
    • 1.3.0 RC
    • monitoring-stack
    • no ClusterRoleBinding
    • Quality / Stability / Reliability
    • OBSDA-1197 RFE - add a feature flag for the creation for the ClusterRoleBindings to make them optional
    • 0% To Do, 0% In Progress, 100% Done

      When a MonitoringStack with a non-empty namespaceSelector is created, the controller also creates a ClusterRoleBinding for the Prometheus SA. This grants far-reaching authorization, which users can abuse by impersonating the Prometheus SA.

      A CRB is not always needed if the MonitoringStack should only monitor a known list of namespaces. Since we don't want to maintain a watch on namespaces (this can cause memory issues) but want to give users the option to avoid the potential security issue, we should have a config to instruct the operator not to create the CRB and leave it to the user to create the needed RoleBindings in the desired namespaces.

              jfajersk@redhat.com Jan Fajerski
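The namespaced alternative described in the issue, as an added example (not the operator's code or configuration): it builds one RoleBinding per known namespace for the Prometheus ServiceAccount and checks a list of bindings for a remaining cluster-wide grant. The ServiceAccount, ClusterRole and namespace names are placeholders assumed for the example, and the operator's own config option is not shown because the page does not name it.

```python
import json

# All names below are placeholders assumed for this example; the issue gives none.
STACK_NAMESPACE = "monitoring"              # namespace of the MonitoringStack
PROMETHEUS_SA = "example-stack-prometheus"  # Prometheus ServiceAccount of the stack
CLUSTER_ROLE = "example-stack-prometheus"   # ClusterRole holding the scrape rules
MONITORED = ["team-a", "team-b"]            # known list of namespaces to monitor
RBAC = "rbac.authorization.k8s.io"


def role_binding(namespace):
    """RoleBinding: the ClusterRole's rules apply inside this one namespace only."""
    return {
        "apiVersion": f"{RBAC}/v1",
        "kind": "RoleBinding",
        "metadata": {"name": f"{PROMETHEUS_SA}-scrape", "namespace": namespace},
        "roleRef": {"apiGroup": RBAC, "kind": "ClusterRole", "name": CLUSTER_ROLE},
        "subjects": [{"kind": "ServiceAccount", "name": PROMETHEUS_SA,
                      "namespace": STACK_NAMESPACE}],
    }


def manifests(namespaces):
    """One RoleBinding per distinct namespace, wrapped in a v1 List."""
    items = [role_binding(ns) for ns in sorted(set(namespaces))]
    return {"apiVersion": "v1", "kind": "List", "items": items}


def cluster_wide_grants(bindings):
    """Names of ClusterRoleBindings whose subjects include the Prometheus SA."""
    wanted = ("ServiceAccount", PROMETHEUS_SA, STACK_NAMESPACE)
    hits = []
    for binding in bindings:
        if binding.get("kind") != "ClusterRoleBinding":
            continue  # RoleBindings are namespace-scoped and expected here
        for subject in binding.get("subjects") or []:
            key = (subject.get("kind"), subject.get("name"), subject.get("namespace"))
            if key == wanted:
                hits.append(binding["metadata"]["name"])
                break
    return hits


if __name__ == "__main__":
    print(json.dumps(manifests(MONITORED), indent=2))
```

The printed List can be piped to `kubectl apply -f -`, and `cluster_wide_grants` takes the `items` array from `kubectl get clusterrolebindings -o json`.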