OCPBUGS-74200

RBAC permissions for the prometheus-k8s service account are not restrictive enough for endpointslice resources

Type: Bug
Resolution: Unresolved
Priority: Undefined
Affects version: 4.21
Component: Monitoring
Severity: Moderate
Status: In Progress
Release note: Release Note Not Required

Description of problem:

The openshift-monitoring/prometheus-k8s service account has cluster-wide permissions to get/list/watch endpointslice resources.

Version-Release number of selected component (if applicable): 4.21

How reproducible: always

Steps to Reproduce:

1. Check the RBAC permissions granted to the prometheus-k8s service account.

Actual results:

Permissions to get/list/watch endpointslice resources in all namespaces.

Expected results:

Permissions to get/list/watch endpointslice resources only in the namespaces that contain ServiceMonitor resources using the new endpointslice service discovery role.

Additional info:

This aligns with the current security model for the legacy endpoints resources.
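The check in step 1 and the actual/expected comparison, as an added example that is not part of this report or of the cluster-monitoring-operator's code: a small offline evaluator over RBAC objects in the shape `oc get ... -o json` returns. The role and binding name `prometheus-k8s` and the namespaces `app-a`/`app-b` are constructed for the example, not the operator's real object names.

```python
# Added example, not code from the bug report or from the cluster-monitoring-operator. It
# evaluates Kubernetes RBAC objects (plain dicts shaped like `oc get ... -o json` output) and
# reports where a subject may get/list/watch endpointslices, so the "actual" (cluster-wide)
# and "expected" (per-namespace) states from the report can be compared offline.
PROM_SA = {"kind": "ServiceAccount", "name": "prometheus-k8s", "namespace": "openshift-monitoring"}
VERBS = {"get", "list", "watch"}
EPS_RULE = {"apiGroups": ["discovery.k8s.io"], "resources": ["endpointslices"], "verbs": sorted(VERBS)}

def rule_grants(rule):
    """True if one RBAC rule covers get/list/watch on discovery.k8s.io endpointslices."""
    groups, resources, verbs = (set(rule.get(k, [])) for k in ("apiGroups", "resources", "verbs"))
    return (bool({"discovery.k8s.io", "*"} & groups) and bool({"endpointslices", "*"} & resources)
            and (VERBS <= verbs or "*" in verbs))

def binds(binding, subject):
    """True if the binding names this subject (ServiceAccount subjects carry a namespace)."""
    return any(s.get("kind") == subject["kind"] and s.get("name") == subject["name"]
               and s.get("namespace") == subject["namespace"] for s in binding.get("subjects", []))

def endpointslice_scope(roles, bindings, subject=PROM_SA):
    """Return "cluster" for cluster-wide access, otherwise the set of namespaces granting it."""
    index = {(r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"]): r for r in roles}
    scope = set()
    for b in bindings:
        if not binds(b, subject):
            continue
        ref, ns = b["roleRef"], b["metadata"].get("namespace")  # ns is None for a ClusterRoleBinding
        role = index.get((ref["kind"], None if ref["kind"] == "ClusterRole" else ns, ref["name"]))
        if not role or not any(rule_grants(r) for r in role.get("rules", [])):
            continue
        if b["kind"] == "ClusterRoleBinding":
            return "cluster"
        scope.add(ns)  # a RoleBinding only grants within its own namespace
    return scope

def obj(kind, name, ns=None, **body):
    """Build a minimal RBAC object; the names used below are constructed, not the operator's."""
    return {"kind": kind, "metadata": {"name": name, **({"namespace": ns} if ns else {})}, **body}

# Actual state from the report: one ClusterRole bound cluster-wide to the service account.
BROAD_ROLES = [obj("ClusterRole", "prometheus-k8s", rules=[EPS_RULE])]
BROAD_BINDINGS = [obj("ClusterRoleBinding", "prometheus-k8s", subjects=[PROM_SA],
                      roleRef={"kind": "ClusterRole", "name": "prometheus-k8s"})]

# Expected state: Role + RoleBinding only in namespaces whose ServiceMonitors use the
# endpointslice discovery role (constructed namespaces "app-a" and "app-b").
SCOPED_ROLES = [obj("Role", "prometheus-k8s", ns, rules=[EPS_RULE]) for ns in ("app-a", "app-b")]
SCOPED_BINDINGS = [obj("RoleBinding", "prometheus-k8s", ns, subjects=[PROM_SA],
                       roleRef={"kind": "Role", "name": "prometheus-k8s"}) for ns in ("app-a", "app-b")]
```

On a live cluster the same objects come from `oc get clusterroles,clusterrolebindings,roles,rolebindings -A -o json`; `endpointslice_scope` then returns `"cluster"` for the reported state and the set of ServiceMonitor namespaces for the expected one.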

Assignee/Reporter: Simon Pasquier (spasquie@redhat.com)
QA Contact: Junqi Zhao