
kube-scheduler: Minimize wildcard/privilege Usage in Cluster and Local Roles

Details

    • Type: Bug
    • Resolution: Won't Do
    • Priority: Minor
    • Affects Version/s: 4.13, 4.12, 4.11, 4.10, 4.14
    • Component/s: kube-scheduler

    Description

      Description of problem:

      bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2066691
      
      According to http://static.open-scap.org/ssg-guides/ssg-ocp4-guide-cis.html#xccdf_org.ssgproject.content_rule_rbac_wildcard_use, the use of wildcards in ClusterRoles and Roles should be avoided as far as possible.
      
      Further, one should refrain from using `cluster-admin` permissions to comply with CIS security requirements.
      
      It is therefore requested to review the service accounts below and their associated Roles, as they were found not to be compliant with the above, and to restrict their permissions further to the extent possible.
      
       - system:serviceaccount:openshift-kube-scheduler-operator:openshift-kube-scheduler-operator
       - system:serviceaccount:openshift-kube-scheduler:installer-sa
       - system:serviceaccount:openshift-kube-scheduler:localhost-recovery-client
      
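The CIS rule referenced above is easy to check mechanically: for every binding that names one of the service accounts of interest, look at the referenced Role/ClusterRole for `*` in `apiGroups`, `resources` or `verbs`, and flag any binding to `cluster-admin` outright. The script below is an added example for this report, not part of the bug or of the kube-scheduler operator's code. It works on RBAC objects in the shape returned by `oc get clusterroles,roles,clusterrolebindings,rolebindings -A -o json` (the `items` of that list). The manifests and the `example-ns` service accounts embedded in it are constructed sample data, not the real kube-scheduler roles; only the `cluster-admin` ClusterRole is reproduced as Kubernetes ships it.

```python
"""Audit Kubernetes RBAC objects for wildcard rules and cluster-admin bindings.

Added example; the objects in SAMPLE_OBJECTS are constructed test data.
"""
import json

WILDCARD = "*"
RULE_FIELDS = ("apiGroups", "resources", "verbs")


def subject_name(subject):
    """Render a binding subject the way Kubernetes names it, e.g.
    system:serviceaccount:<namespace>:<name> for service accounts."""
    if subject.get("kind") == "ServiceAccount":
        return f"system:serviceaccount:{subject.get('namespace', '')}:{subject['name']}"
    return subject["name"]


def wildcard_rules(role):
    """Return (field, rule_index) pairs for every rule in the role that uses '*'."""
    findings = []
    for idx, rule in enumerate(role.get("rules", [])):
        for field in RULE_FIELDS:
            if WILDCARD in rule.get(field, []):
                findings.append((field, idx))
    return findings


def role_key(kind, namespace, name):
    # Roles are namespaced, ClusterRoles are not; normalise the missing namespace to "".
    return (kind, namespace or "", name)


def audit(objects, accounts):
    """objects: list of Role/ClusterRole/RoleBinding/ClusterRoleBinding dicts.
    accounts: set of subject names (system:serviceaccount:<ns>:<name>) to report on.
    Returns {account: sorted list of finding strings}; an empty list means compliant."""
    roles = {}
    for obj in objects:
        if obj["kind"] in ("Role", "ClusterRole"):
            meta = obj["metadata"]
            roles[role_key(obj["kind"], meta.get("namespace"), meta["name"])] = obj

    findings = {acct: [] for acct in accounts}
    for obj in objects:
        if obj["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = obj["roleRef"]
        # A RoleBinding may reference a namespaced Role or a ClusterRole;
        # a ClusterRoleBinding can only reference a ClusterRole.
        ns = obj["metadata"].get("namespace") if ref["kind"] == "Role" else None
        role = roles.get(role_key(ref["kind"], ns, ref["name"]))
        for subject in obj.get("subjects", []):
            acct = subject_name(subject)
            if acct not in findings:
                continue
            if ref["kind"] == "ClusterRole" and ref["name"] == "cluster-admin":
                findings[acct].append(
                    f"bound to cluster-admin via {obj['kind']}/{obj['metadata']['name']}")
            if role is None:
                continue  # referenced role is not in the input set; nothing to inspect
            for field, idx in wildcard_rules(role):
                findings[acct].append(
                    f"{ref['kind']}/{ref['name']} rule[{idx}] uses '*' in {field}")
    return {acct: sorted(msgs) for acct, msgs in findings.items()}


def load_items(json_text):
    """Accept the output of `oc get ... -o json` (a List) or a bare JSON array."""
    data = json.loads(json_text)
    return data["items"] if isinstance(data, dict) else data


# Constructed sample data. cluster-admin is shown as Kubernetes defines it;
# the example-* objects and the example-ns namespace are made up for this demo.
SAMPLE_OBJECTS = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
               {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "example-operator"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["*"]},
               {"apiGroups": ["apps"], "resources": ["deployments"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "Role", "metadata": {"name": "example-recovery", "namespace": "example-ns"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "example-operator"},
     "roleRef": {"kind": "ClusterRole", "name": "example-operator"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "example-ns", "name": "example-operator"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "example-installer-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "example-ns", "name": "example-installer"}]},
    {"kind": "RoleBinding", "metadata": {"name": "example-recovery", "namespace": "example-ns"},
     "roleRef": {"kind": "Role", "name": "example-recovery"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "example-ns", "name": "example-recovery"}]},
]

ACCOUNTS = {
    "system:serviceaccount:example-ns:example-operator",
    "system:serviceaccount:example-ns:example-installer",
    "system:serviceaccount:example-ns:example-recovery",
}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_OBJECTS, ACCOUNTS), indent=2))
```

Run against a real cluster by piping `oc get clusterroles,roles,clusterrolebindings,rolebindings -A -o json` through `load_items` and replacing `ACCOUNTS` with the three service accounts listed in this bug. The check deliberately reports `*` per field rather than per rule, so a reviewer can see whether it is the verb set, the resource set or the API group that needs narrowing; it does not follow aggregated ClusterRoles (`aggregationRule`), whose effective rules only exist on a live cluster.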
            People

              Filip Krepinsky (fkrepins@redhat.com)
              Rama Kasturi Narra
              Votes: 0
              Watchers: 4
