- Story
- Resolution: Done
- Major
- None
Originally I thought this was ok using the tool, `rakkess`. But as jweiser@redhat.com pointed out it seems like it was lying and tends to be unreliable for OCP.
Using the `oc` tool instead, the RBAC permissions for the operator seem somewhat overly permissive. So, for example, does the operator really need to be able to create, delete, update, list, and get `secrets` in any namespace? Likewise, it would be good to see resources such as `clusterroles.rbac.authorization.k8s.io` locked down as well, if possible. We've had a close call or two, but clusterroles can lead to escalations if not careful. For example, other issues that allow unprivileged users to interact with the operator can mean that the operator ends up binding elevated credentials accidentally. I don't suspect that here, but it's why it's generally a red flag.
If these permissions are necessary, then that's also fine, we'll just document the why.
But after a quick flick through the code, it wasn't clear why the verbs were required to be so permissive. Of course, just because I couldn't find one doesn't mean it's not there.
Keen to hear your thoughts.
> ```
> oc describe clusterrole.rbac/cluster-node-tuning-operator
> Name:         cluster-node-tuning-operator
> Labels:       <none>
> Annotations:  include.release.openshift.io/ibm-cloud-managed: true
>               include.release.openshift.io/self-managed-high-availability: true
>               include.release.openshift.io/single-node-developer: true
> PolicyRule:
>   Resources                                             Non-Resource URLs  Resource Names  Verbs
>   ---------                                             -----------------  --------------  -----
>   *.tuned.openshift.io                                  []                 []              [*]
>   configmaps                                            []                 []              [create get delete list update watch]
>   namespaces                                            []                 []              [create get delete list update watch]
>   secrets                                               []                 []              [create get delete list update watch]
>   serviceaccounts                                       []                 []              [create get delete list update watch]
>   services                                              []                 []              [create get delete list update watch]
>   daemonsets.apps                                       []                 []              [create get delete list update watch]
>   machineconfigs.machineconfiguration.openshift.io      []                 []              [create get delete list update watch]
>   clusterrolebindings.rbac.authorization.k8s.io         []                 []              [create get delete list update watch]
>   clusterroles.rbac.authorization.k8s.io                []                 []              [create get delete list update watch]
>   clusteroperators.config.openshift.io                  []                 []              [create get list watch]
>   events                                                []                 []              [create patch]
>   nodes                                                 []                 []              [get list watch]
>   pods                                                  []                 []              [get list watch]
>   machineconfigpools.machineconfiguration.openshift.io  []                 []              [get list watch]
>   nodes/metrics                                         []                 []              [get]
>   nodes/specs                                           []                 []              [get]
>   clusteroperators.config.openshift.io/status           []                 []              [update]
>   securitycontextconstraints.security.openshift.io      []                 []              [use]
> ```
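An added audit script (not part of this issue or the operator's code) that mechanises the review above: it reads a ClusterRole as JSON (`oc get clusterrole <name> -o json`) and lists every rule granting cluster-wide write verbs on escalation-relevant resources such as `secrets`, `clusterroles` and `clusterrolebindings`. The sensitive-resource table and the embedded sample role are constructed here, modelled on the rules quoted above.

```python
"""Audit a ClusterRole for broad write access on escalation-relevant resources.
Usage: oc get clusterrole cluster-node-tuning-operator -o json | python3 audit_clusterrole.py
"""
import json
import sys

# Resource -> API group (assumed list). Write access here can mint credentials or widen RBAC.
SENSITIVE = {
    "secrets": "",
    "clusterroles": "rbac.authorization.k8s.io",
    "clusterrolebindings": "rbac.authorization.k8s.io",
    "machineconfigs": "machineconfiguration.openshift.io",
}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}


def audit_clusterrole(role):
    """Return (apiGroup, resource, sorted write verbs) per rule granting writes on a sensitive resource."""
    findings = []
    for rule in role.get("rules", []):
        if rule.get("resourceNames"):
            continue  # limited to named objects, not the whole resource
        writes = sorted(set(rule.get("verbs", [])) & WRITE_VERBS)
        if not writes:
            continue  # read-only rule
        for group in rule.get("apiGroups", [""]):
            for res in rule.get("resources", []):
                base = res.split("/")[0]  # "nodes/metrics" -> "nodes"
                core_wildcard = base == "*" and group in ("", "*")
                sensitive = base in SENSITIVE and group in (SENSITIVE[base], "*")
                if core_wildcard or sensitive:
                    findings.append((group, res, writes))
    return findings


# Constructed sample modelled on the rules quoted in the issue (not real cluster output).
RW = ["create", "get", "delete", "list", "update", "watch"]
SAMPLE_ROLE = {"kind": "ClusterRole", "metadata": {"name": "cluster-node-tuning-operator"}, "rules": [
    {"apiGroups": ["tuned.openshift.io"], "resources": ["*"], "verbs": ["*"]},
    {"apiGroups": [""], "resources": ["configmaps", "secrets", "serviceaccounts"], "verbs": RW},
    {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles", "clusterrolebindings"], "verbs": RW},
    {"apiGroups": ["machineconfiguration.openshift.io"], "resources": ["machineconfigs"], "verbs": RW},
    {"apiGroups": [""], "resources": ["nodes", "pods"], "verbs": ["get", "list", "watch"]},
]}

if __name__ == "__main__":
    # Read a real role from a pipe; fall back to the constructed sample when run interactively.
    role = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_ROLE
    for group, res, verbs in audit_clusterrole(role):
        print(f"{res}.{group or 'core'}: cluster-wide {' '.join(verbs)}")
```

Each finding is a candidate for either a documented justification or a narrower rule (read-only verbs, a namespaced Role, or a `resourceNames` restriction), which is the decision the issue asks for.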