Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-31353

[ingress-operator] - Minimize wildcard/privilege Usage in Cluster and Local Roles

XMLWordPrintable

    • Moderate
    • None
    • 1
    • Rejected
    • False
    • Hide

      None

      Show
      None
    • PxE suggested actions: Is this a bug or should it be an RFE? If a bug then it needs a priority re-evaluation. If Major then try to solve in the current sprint. TAM will be looking for an update on 26-Oct.
    • 10/14 Sev 4 Support case has been open 2 1/2 years. Represents a legitimate problem, just has no current activity. Not sure this is truly Major priority if it can be open w/no activity this long. 

      According http://static.open-scap.org/ssg-guides/ssg-ocp4-guide-cis.html#xccdf_org.ssgproject.content_rule_rbac_wildcard_use the usage of wildcard in ClusterRole and Roles should be prevented as best as possible.

Further, one should refrain from using {{cluster-admin}} permissions to comply with CIS security requirements.

It's therefore requested to review the below serviceAccount and their associated Roles as they were found not to be compliant with the above and restrict permissions further to the extend possible.

 - system:serviceaccount:openshift-ingress-operator:ingress-operator

              alebedev@redhat.com Andrey Lebedev
              rhn-support-sreber Simon Reber
              Hongan Li Hongan Li
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

                Created:
                Updated: