Red Hat Data Grid: JDG-5393

Operator leaks clusterwide serviceaccount privileges


Details

      Deploy the Operator separately from application deployments, in a namespace with more restricted user access, using the MultiNamespace or AllNamespaces install mode.

    Description

      The Operator currently requests clusterwide permissions to create/delete ServiceAccounts. Consequently, when the Operator is deployed in OwnNamespace mode, a user with admin rights in that namespace can retrieve the Operator's ServiceAccount token and use it to log in, which grants them the ability to delete arbitrary ServiceAccounts anywhere in the k8s cluster and could cause the cluster to become unstable.

      https://issues.redhat.com/browse/DGSUP-76

      Solution: Only request ServiceAccount permissions at the namespace level.
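      The two RBAC shapes the issue contrasts, as an added illustration rather than the Operator's own manifests: the first pair is the over-broad pattern described above (a ClusterRole bound cluster-wide), the second is the namespace-level equivalent the solution calls for. The ServiceAccount name `infinispan-operator`, the namespace `operator-ns` and the role names are assumed for the example.

```yaml
# Added example, not the Operator's real manifests. Assumed names:
# ServiceAccount "infinispan-operator" in namespace "operator-ns".
#
# --- Before: the pattern the issue describes. A ClusterRole bound with a
# ClusterRoleBinding gives the Operator's token create/delete on
# ServiceAccounts in every namespace, so whoever can read that token in
# operator-ns inherits cluster-wide reach.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: infinispan-operator-serviceaccounts   # assumed name
rules:
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["create", "delete", "get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: infinispan-operator-serviceaccounts   # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: infinispan-operator-serviceaccounts
subjects:
  - kind: ServiceAccount
    name: infinispan-operator                 # assumed name
    namespace: operator-ns                    # assumed namespace
---
# --- After: what "only request ServiceAccount permissions at the namespace
# level" looks like. Same verbs, but in a namespaced Role bound with a
# RoleBinding in the namespace the Operator manages, so the token can touch
# ServiceAccounts there and nowhere else. One Role/RoleBinding pair per
# managed namespace is needed when the Operator watches several.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: infinispan-operator-serviceaccounts   # assumed name
  namespace: operator-ns
rules:
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["create", "delete", "get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: infinispan-operator-serviceaccounts   # assumed name
  namespace: operator-ns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: infinispan-operator-serviceaccounts
subjects:
  - kind: ServiceAccount
    name: infinispan-operator
    namespace: operator-ns
```

      The two halves are alternatives, not a layered set: the fix is to replace the ClusterRole/ClusterRoleBinding pair with the Role/RoleBinding pair, since a ClusterRoleBinding left in place keeps the cluster-wide grant regardless of what namespaced roles are added. After applying the namespaced form, `kubectl auth can-i delete serviceaccounts --as=system:serviceaccount:operator-ns:infinispan-operator -n <some-other-namespace>` should answer `no`, while the same check with `-n operator-ns` answers `yes`, which is the scope the solution describes.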

          People

            remerson@redhat.com Ryan Emerson