OpenShift Logging: LOG-2437

EO shouldn't grant cluster-wide permission to system:serviceaccount:openshift-monitoring:prometheus-k8s when ES cluster is deployed. [openshift-logging 5.4]


Details

    • Before this update, `system:serviceaccount:openshift-monitoring:prometheus-k8s` had cluster-level privileges through a `clusterrole` and `clusterrolebinding`. This update restricts the `serviceaccount` to the `openshift-logging` namespace with a role and rolebinding.
    • Logging (LogExp) - Sprint 217

    Description

      Description of problem:

      The system:serviceaccount:openshift-monitoring:prometheus-k8s service account is granted more privileges than it needs, because the EO creates clusterrole/elasticsearch-metrics and clusterrolebinding/elasticsearch-metrics when an ES cluster is deployed. The binding gives this service account list/watch on pods, services and endpoints in every namespace, although it only needs them in openshift-logging.

      $ oc get clusterrole elasticsearch-metrics  -oyaml
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        creationTimestamp: "2022-03-31T01:33:01Z"
        name: elasticsearch-metrics
        resourceVersion: "55931"
        uid: 4feb9e30-b280-4796-97a4-039bae5d25f1
      rules:
      - apiGroups:
        - ""
        resources:
        - pods
        - services
        - endpoints
        verbs:
        - list
        - watch
      - nonResourceURLs:
        - /metrics
        verbs:
        - get
      $ oc get clusterrolebinding elasticsearch-metrics -oyaml
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        creationTimestamp: "2022-03-31T01:33:02Z"
        name: elasticsearch-metrics
        resourceVersion: "55934"
        uid: 6ef51a25-e8d7-4c26-bf31-ded16491d547
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: elasticsearch-metrics
      subjects:
      - kind: ServiceAccount
        name: prometheus-k8s
        namespace: openshift-monitoring

      Version-Release number of selected component (if applicable):

      elasticsearch-operator.5.4.0-127

      How reproducible:

      100%

      Steps to Reproduce:
      1. subscribe EO and CLO
      2. deploy ES cluster
      3. check clusterrole and clusterrolebinding
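      The following script is an added example, not part of this report or of the elasticsearch-operator code. It audits a set of RBAC objects and lists what a given subject can do cluster-wide, which is the check a reviewer would run on step 3 above. The "before" manifests are transcribed from the ClusterRole/ClusterRoleBinding printed in the description (timestamps, UIDs and resourceVersions dropped); the "after" manifests are an assumed Role/RoleBinding in openshift-logging of the shape the release note describes, with the object names assumed. Only the Python standard library is used, so the manifests are embedded as dicts rather than parsed from YAML.

```python
"""Audit RBAC objects for cluster-wide grants to one subject.

Added example; not from the bug report or the elasticsearch-operator.
BEFORE mirrors the objects shown in the report, AFTER is an assumed
namespaced replacement of the shape the release note describes.
"""

SUBJECT = "system:serviceaccount:openshift-monitoring:prometheus-k8s"

# "Before": ClusterRole + ClusterRoleBinding, as printed in the report.
BEFORE = [
    {"kind": "ClusterRole",
     "metadata": {"name": "elasticsearch-metrics"},
     "rules": [
         {"apiGroups": [""], "resources": ["pods", "services", "endpoints"],
          "verbs": ["list", "watch"]},
         {"nonResourceURLs": ["/metrics"], "verbs": ["get"]},
     ]},
    {"kind": "ClusterRoleBinding",
     "metadata": {"name": "elasticsearch-metrics"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                 "kind": "ClusterRole", "name": "elasticsearch-metrics"},
     "subjects": [{"kind": "ServiceAccount", "name": "prometheus-k8s",
                   "namespace": "openshift-monitoring"}]},
]

# "After": assumed Role + RoleBinding scoped to openshift-logging.
# nonResourceURLs are only valid in a ClusterRole, so that rule is gone.
AFTER = [
    {"kind": "Role",
     "metadata": {"name": "elasticsearch-metrics",
                  "namespace": "openshift-logging"},
     "rules": [
         {"apiGroups": [""], "resources": ["pods", "services", "endpoints"],
          "verbs": ["list", "watch"]},
     ]},
    {"kind": "RoleBinding",
     "metadata": {"name": "elasticsearch-metrics",
                  "namespace": "openshift-logging"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                 "kind": "Role", "name": "elasticsearch-metrics"},
     "subjects": [{"kind": "ServiceAccount", "name": "prometheus-k8s",
                   "namespace": "openshift-monitoring"}]},
]


def subject_id(subj):
    """Render a binding subject the way Kubernetes names it."""
    if subj["kind"] == "ServiceAccount":
        return f"system:serviceaccount:{subj['namespace']}:{subj['name']}"
    return subj["name"]


def grants_for(objects, subject):
    """Return sorted (scope, resource, verb) triples granted to subject.

    scope is "*" for a ClusterRoleBinding (applies in every namespace) or
    the binding's namespace for a RoleBinding. A RoleBinding may point at
    a ClusterRole; that still only grants inside the binding's namespace.
    """
    roles = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]): o
             for o in objects if o["kind"] in ("Role", "ClusterRole")}
    out = set()
    for b in objects:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if subject not in {subject_id(s) for s in b.get("subjects", [])}:
            continue
        ref, ns = b["roleRef"], b["metadata"].get("namespace")
        scope = "*" if b["kind"] == "ClusterRoleBinding" else ns
        role = roles.get((ref["kind"], ns if ref["kind"] == "Role" else None,
                          ref["name"]))
        if role is None:
            continue  # dangling roleRef grants nothing
        for rule in role.get("rules", []):
            for res in rule.get("resources", []) + rule.get("nonResourceURLs", []):
                for verb in rule.get("verbs", []):
                    out.add((scope, res, verb))
    return sorted(out)


def cluster_wide_grants(objects, subject):
    """Only the grants that apply in every namespace."""
    return [g for g in grants_for(objects, subject) if g[0] == "*"]


if __name__ == "__main__":
    for label, objs in (("before", BEFORE), ("after", AFTER)):
        print(label, "cluster-wide:", cluster_wide_grants(objs, SUBJECT))
```

With the report's objects the subject gets six cluster-wide list/watch grants plus get on /metrics; with the namespaced replacement it gets the same list/watch verbs only in openshift-logging and nothing cluster-wide. On a live cluster the equivalent spot check is `oc auth can-i list pods --all-namespaces --as=system:serviceaccount:openshift-monitoring:prometheus-k8s`, which should answer "no" after the fix.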

      Actual results:

      Expected results:

      Additional info: 

            People

              gvanloo Gerard Vanloo
              qitang@redhat.com Qiaoling Tang
              Qiaoling Tang Qiaoling Tang