Details
Bug
Resolution: Done
Major
Description
The Operator currently requests cluster-wide permissions to create/delete ServiceAccounts. Consequently, when the Operator is deployed in OwnNamespace mode, users with admin rights can retrieve the Operator's ServiceAccount token and use it to log in, granting them the ability to delete arbitrary ServiceAccounts in the k8s cluster, which could cause the cluster to become unstable.
https://issues.redhat.com/browse/DGSUP-76
Solution: Only request ServiceAccount permissions at the namespace level.
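
A check for the condition described in this issue, as an added example (not the Operator's own code): it scans RBAC objects for ServiceAccounts that a ClusterRoleBinding gives cluster-wide create/delete on ServiceAccounts. The `example-operator` name and `tenant-a` namespace are constructed placeholders.

```python
RISKY_VERBS = {"create", "delete", "*"}

def grants_sa_write(rule):
    """True if one RBAC rule allows create/delete on core-group serviceaccounts."""
    groups = rule.get("apiGroups") or []
    resources = rule.get("resources") or []
    verbs = rule.get("verbs") or []
    return (("" in groups or "*" in groups)
            and ("serviceaccounts" in resources or "*" in resources)
            and bool(RISKY_VERBS & set(verbs)))

def clusterwide_sa_writers(items):
    """Return (namespace/serviceaccount, clusterrole) pairs bound cluster-wide."""
    # ClusterRoles whose rules allow writing ServiceAccounts. Aggregated roles
    # can carry rules: null, hence the "or []".
    risky = {o["metadata"]["name"] for o in items
             if o["kind"] == "ClusterRole"
             and any(grants_sa_write(r) for r in o.get("rules") or [])}
    findings = []
    for o in items:
        # Only a ClusterRoleBinding makes the grant cluster-wide; a RoleBinding
        # stays confined to its own namespace.
        if o["kind"] != "ClusterRoleBinding" or o["roleRef"]["name"] not in risky:
            continue
        for s in o.get("subjects") or []:
            if s.get("kind") == "ServiceAccount":
                findings.append((f'{s.get("namespace")}/{s["name"]}', o["roleRef"]["name"]))
    return findings

# Constructed sample objects, shaped like the "items" list printed by
# `kubectl get clusterroles,clusterrolebindings -o json`.
SA = {"kind": "ServiceAccount", "name": "example-operator", "namespace": "tenant-a"}
RULES = [{"apiGroups": [""], "resources": ["serviceaccounts"], "verbs": ["create", "delete"]}]
NS_META = {"name": "example-operator", "namespace": "tenant-a"}
BEFORE = [  # the permissions as reported: cluster-wide
    {"kind": "ClusterRole", "metadata": {"name": "example-operator"}, "rules": RULES},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "example-operator"},
     "roleRef": {"kind": "ClusterRole", "name": "example-operator"}, "subjects": [SA]},
]
AFTER = [  # the stated solution: the same rule requested at the namespace level
    {"kind": "Role", "metadata": NS_META, "rules": RULES},
    {"kind": "RoleBinding", "metadata": NS_META,
     "roleRef": {"kind": "Role", "name": "example-operator"}, "subjects": [SA]},
]

if __name__ == "__main__":
    print("before:", clusterwide_sa_writers(BEFORE))
    print("after: ", clusterwide_sa_writers(AFTER))
```
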