Feature Request
Resolution: Done
Normal
1. Proposed title of this feature request
Enable Cloud Credential Operator to mint new vSphere credentials
2. What is the nature and description of the request?
Today the Cloud Credential Operator can neither mint new vSphere credentials nor scope down existing ones; the support matrix explains this[1]. As a result, every component that needs to contact the vSphere API receives the same credentials that were used at installation time, and that includes the kubelet. If our understanding is correct, this means that if a node is compromised, the attacker also gains elevated access to the underlying vSphere infrastructure.
This RFE asks that the vSphere implementation in the Cloud Credential Operator be brought to par with the other cloud providers, so that credentials can be scoped down and the principle of least privilege is applied to all newly minted credentials.
[1]: https://github.com/openshift/cloud-credential-operator#support-matrix
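The situation the RFE describes (every consumer of the vSphere API holding a copy of the installer credential) can be checked from the cluster side without touching vCenter. The script below is an added example written for this page; it is not part of the RFE or of the cloud-credential-operator project. It reads Secret objects in the JSON shape that `oc get secret -A -o json` returns, picks out the ones that carry vSphere-style `<vcenter>.username` / `<vcenter>.password` keys, and reports which component secrets are byte-for-byte copies of the root credential. The root secret location `kube-system/vsphere-creds`, the component namespaces and secret names, the key layout, and the sample values are all assumptions constructed for the example.

```python
import base64


def _b64(text):
    """Base64-encode a string the way Kubernetes stores Secret data."""
    return base64.b64encode(text.encode()).decode()


# Assumed location of the installer (root) credential that the operator copies.
ROOT_SECRET = ("kube-system", "vsphere-creds")

# Constructed sample: a handful of Secret objects trimmed to the fields this
# audit reads. Namespaces, names and values are made up for the example.
SAMPLE_SECRETS = [
    {"metadata": {"namespace": "kube-system", "name": "vsphere-creds"},
     "data": {"vcenter.example.com.username": _b64("administrator@vsphere.local"),
              "vcenter.example.com.password": _b64("installer-password")}},
    {"metadata": {"namespace": "openshift-machine-api", "name": "vsphere-cloud-credentials"},
     "data": {"vcenter.example.com.username": _b64("administrator@vsphere.local"),
              "vcenter.example.com.password": _b64("installer-password")}},
    {"metadata": {"namespace": "openshift-cloud-controller-manager", "name": "vsphere-cloud-credentials"},
     "data": {"vcenter.example.com.username": _b64("administrator@vsphere.local"),
              "vcenter.example.com.password": _b64("installer-password")}},
    # A scoped-down credential: what the RFE is asking the operator to produce.
    {"metadata": {"namespace": "openshift-cluster-csi-drivers", "name": "vmware-vsphere-cloud-credentials"},
     "data": {"vcenter.example.com.username": _b64("csi-svc@vsphere.local"),
              "vcenter.example.com.password": _b64("scoped-password")}},
    # Unrelated secret that carries no vSphere keys and must be ignored.
    {"metadata": {"namespace": "openshift-config", "name": "pull-secret"},
     "data": {".dockerconfigjson": _b64("{}")}},
]


def vsphere_credentials(secret):
    """Return {vcenter_host: (username, password)} for one Secret object.

    Only keys of the form '<host>.username' paired with '<host>.password' are
    treated as a credential; a Secret without such a pair yields {}.
    """
    decoded = {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}
    creds = {}
    for key, username in decoded.items():
        if key.endswith(".username"):
            host = key[: -len(".username")]
            password = decoded.get(host + ".password")
            if password is not None:
                creds[host] = (username, password)
    return creds


def audit_shared_credentials(secrets, root_ref=ROOT_SECRET):
    """Split vSphere credential Secrets into copies of the root credential and
    credentials that differ from it.

    Returns (shared, distinct): sorted lists of 'namespace/name'. A Secret lands
    in `shared` only if every (host -> username, password) pair equals the root
    credential, i.e. no scoping has happened for that consumer.
    """
    root = None
    entries = []
    for secret in secrets:
        ns, name = secret["metadata"]["namespace"], secret["metadata"]["name"]
        creds = vsphere_credentials(secret)
        if not creds:
            continue  # not a vSphere credential, skip
        if (ns, name) == root_ref:
            root = creds
        else:
            entries.append((f"{ns}/{name}", creds))
    if root is None:
        raise ValueError(f"root credential {root_ref[0]}/{root_ref[1]} not found")
    shared = sorted(ref for ref, creds in entries if creds == root)
    distinct = sorted(ref for ref, creds in entries if creds != root)
    return shared, distinct


if __name__ == "__main__":
    shared, distinct = audit_shared_credentials(SAMPLE_SECRETS)
    for ref in shared:
        print(f"SHARED   {ref}: identical to installer credential, no least privilege")
    for ref in distinct:
        print(f"DISTINCT {ref}: separate credential")
```

Against a live cluster, feed the function the `items` array from `oc get secret -A -o json` (reading Secrets cluster-wide requires cluster-admin). Every entry in `shared` is a consumer that would hand an attacker the installer's vCenter access if its namespace or node were compromised, which is exactly the exposure the RFE wants the operator to remove by minting per-component credentials.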