Bug
Resolution: Done
Logging 5.4.0
NEW
VERIFIED
Logging (LogExp) - Sprint 217
Description of problem:
The system:serviceaccount:openshift-monitoring:prometheus-k8s is granted more privileges because the EO creates clusterrole/elasticsearch-metrics and clusterrolebinding/elasticsearch-metrics when the ES cluster is deployed.
$ oc get clusterrole elasticsearch-metrics -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: "2022-03-31T01:33:01Z"
  name: elasticsearch-metrics
  resourceVersion: "55931"
  uid: 4feb9e30-b280-4796-97a4-039bae5d25f1
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - services
  - endpoints
  verbs:
  - list
  - watch
- nonResourceURLs:
  - /metrics
  verbs:
  - get

$ oc get clusterrolebinding elasticsearch-metrics -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2022-03-31T01:33:02Z"
  name: elasticsearch-metrics
  resourceVersion: "55934"
  uid: 6ef51a25-e8d7-4c26-bf31-ded16491d547
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: elasticsearch-metrics
subjects:
- kind: ServiceAccount
  name: prometheus-k8s
  namespace: openshift-monitoring
Version-Release number of selected component (if applicable):
elasticsearch-operator.5.4.0-127
How reproducible:
100%
Steps to Reproduce:
1. subscribe EO and CLO
2. deploy ES cluster
3. check clusterrole and clusterrolebinding
Actual results:
Expected results:
Additional info:
is cloned by:
- LOG-2474 EO shouldn't grant cluster-wide permission to system:serviceaccount:openshift-monitoring:prometheus-k8s when ES cluster is deployed. [openshift-logging 5.5] (Closed)
- LOG-2480 EO shouldn't grant cluster-wide permission to system:serviceaccount:openshift-monitoring:prometheus-k8s when ES cluster is deployed. [openshift-logging 5.2] (Closed)
- LOG-2481 EO shouldn't grant cluster-wide permission to system:serviceaccount:openshift-monitoring:prometheus-k8s when ES cluster is deployed. [openshift-logging 5.3] (Closed)
- LOG-2482 EO shouldn't grant cluster-wide permission to system:serviceaccount:openshift-monitoring:prometheus-k8s when ES cluster is deployed. [openshift-logging 5.5] (Closed)
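An audit check for the condition this report describes, added here as an example and not taken from the ticket or the operator's code: it lists the resource rules a service account receives cluster-wide through ClusterRoleBindings. The two elasticsearch-metrics objects mirror the output quoted in the description; the RoleBinding `es-metrics-ns`, its namespace, and the function name `cluster_wide_grants` are assumptions constructed for contrast.

```python
# Added example: report which resource rules a service account is granted
# cluster-wide. Input dicts follow the shape of `oc get <kind> -o json` items.
CLUSTER_ROLES = [  # rules copied from the ClusterRole quoted in the report
    {"kind": "ClusterRole", "metadata": {"name": "elasticsearch-metrics"},
     "rules": [
         {"apiGroups": [""], "resources": ["pods", "services", "endpoints"],
          "verbs": ["list", "watch"]},
         {"nonResourceURLs": ["/metrics"], "verbs": ["get"]},
     ]},
]
PROM = {"kind": "ServiceAccount", "name": "prometheus-k8s",
        "namespace": "openshift-monitoring"}
BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "elasticsearch-metrics"},
     "roleRef": {"kind": "ClusterRole", "name": "elasticsearch-metrics"},
     "subjects": [PROM]},
    # Constructed for contrast: a RoleBinding confines the same rules to one namespace.
    {"kind": "RoleBinding",
     "metadata": {"name": "es-metrics-ns", "namespace": "openshift-logging"},
     "roleRef": {"kind": "ClusterRole", "name": "elasticsearch-metrics"},
     "subjects": [PROM]},
]

def cluster_wide_grants(bindings, cluster_roles, sa_name, sa_namespace):
    """Return sorted (binding, resource, verbs) tuples granted in every namespace.

    Only direct ServiceAccount subjects are matched; Group subjects such as
    system:serviceaccounts are not expanded.
    """
    roles = {r["metadata"]["name"]: r for r in cluster_roles}
    findings = []
    for b in bindings:
        if b["kind"] != "ClusterRoleBinding" or b["roleRef"]["kind"] != "ClusterRole":
            continue  # RoleBindings are namespace-scoped, so they are not reported
        bound = any(s.get("kind") == "ServiceAccount" and s.get("name") == sa_name
                    and s.get("namespace") == sa_namespace
                    for s in b.get("subjects") or [])
        role = roles.get(b["roleRef"]["name"])
        if not bound or role is None:
            continue
        for rule in role.get("rules") or []:
            for res in rule.get("resources", []):  # nonResourceURLs rules have no resources
                findings.append((b["metadata"]["name"], res, tuple(sorted(rule["verbs"]))))
    return sorted(findings)

if __name__ == "__main__":
    for f in cluster_wide_grants(BINDINGS, CLUSTER_ROLES, "prometheus-k8s", "openshift-monitoring"):
        print(f)
```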