Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: RHDG Operator CSV 8.3.6 GA
Affects Version/s: None
Component/s: Operator
Labels:
None

Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
CDW devel_ack:
CDW docs_ack:
CDW pm_ack:
CDW qa_ack:
CDW release:
Target Release:

RHDG Operator CSV 8.3.6 GA
Workaround Description:

Hide

Deploy the Operator separate to application deployments in namespace with more restricted user access using MultiNamespace or AllNamespaces.

Show
Deploy the Operator separate to application deployments in namespace with more restricted user access using MultiNamespace or AllNamespaces .
Git Pull Request:
https://github.com/infinispan/infinispan-operator/pull/1565

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

The Operator currently requests clusterwide permissions to create/delete ServiceAccounts. Consequently, when the Operator is deployed in OwnNamespace mode it's possible for users with admin rights to retrieve the Operator's ServiceAccount token and use this to login granting them the ability to delete arbitrary ServiceAccounts in the k8s cluster which could cause the cluster to become unstable.

https://issues.redhat.com/browse/DGSUP-76

Solution: Only request ServiceAccount permissions at the namespace level.

links to

Upstream Issue

mentioned on

Merge request - JDG-5393 Operator leaks clusterwide serviceaccount privileges

Solved by commit 22b23a3076b59e47e2b0176b21cbb544245dd279.

Assignee:: Ryan Emerson

Reporter:: Ryan Emerson

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2022/06/14 4:05 PM

Updated:: 2023/05/08 6:26 PM

Resolved:: 2022/06/15 9:22 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates

Hide