- Feature Request
- Resolution: Done
- Normal
1. Proposed title of this feature request
[kube-apiserver] - Minimize wildcard/privilege Usage in Cluster and Local Roles
2. What is the nature and description of the request?
According to http://static.open-scap.org/ssg-guides/ssg-ocp4-guide-cis.html#xccdf_org.ssgproject.content_rule_rbac_wildcard_use, the use of wildcards in ClusterRoles and Roles should be avoided as far as possible.
Further, one should refrain from using `cluster-admin` permissions to comply with the CIS security requirements.
It's therefore requested to review the service accounts below and their associated Roles, as they were found not to be compliant with the above, and to restrict their permissions further to the extent possible.
- system:serviceaccount:openshift-kube-apiserver-operator:kube-apiserver-operator
- system:serviceaccount:openshift-kube-apiserver:installer-sa
- system:serviceaccount:openshift-kube-apiserver:localhost-recovery-client
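The check the CIS rule describes can be automated. The following is an added example (not OpenShift project code): it walks Role/ClusterRole and binding objects in the JSON shape `kubectl get ... -o json` produces, reports every rule field that uses `*`, and lists service accounts bound to `cluster-admin`. The manifests in it are constructed samples; the names and permissions are hypothetical and must be replaced by objects pulled from a real cluster.

```python
"""Audit Kubernetes RBAC objects for wildcard rules and cluster-admin bindings.

Added example for the CIS rbac_wildcard_use rule; not part of the OpenShift
project code. The objects below are constructed samples, not real cluster output.
"""
from typing import Dict, Iterable, List


def wildcard_findings(role: Dict) -> List[str]:
    """Return one message per rule field that uses '*' in a Role/ClusterRole."""
    findings = []
    name = f"{role['kind']}/{role['metadata']['name']}"
    for i, rule in enumerate(role.get("rules", [])):
        for field in ("apiGroups", "resources", "verbs"):
            if "*" in rule.get(field, []):
                findings.append(f"{name} rule[{i}] uses wildcard in {field}")
    return findings


def cluster_admin_subjects(binding: Dict) -> List[str]:
    """Return system:serviceaccount:<ns>:<name> for service accounts bound to cluster-admin."""
    ref = binding.get("roleRef", {})
    if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
        return []
    return [f"system:serviceaccount:{s['namespace']}:{s['name']}"
            for s in binding.get("subjects", []) if s.get("kind") == "ServiceAccount"]


def audit(objects: Iterable[Dict]) -> List[str]:
    """Combine both checks over a mixed list of RBAC objects."""
    out: List[str] = []
    for obj in objects:
        if obj["kind"] in ("Role", "ClusterRole"):
            out += wildcard_findings(obj)
        elif obj["kind"] in ("RoleBinding", "ClusterRoleBinding"):
            out += [f"{s} is bound to cluster-admin" for s in cluster_admin_subjects(obj)]
    return out


# Constructed sample objects (hypothetical names, not real cluster output).
SAMPLE_OBJECTS = [
    {"kind": "ClusterRole", "metadata": {"name": "example-operator"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]},
               {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "example-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "example-ns", "name": "installer-sa"}]},
]

if __name__ == "__main__":
    for line in audit(SAMPLE_OBJECTS):
        print(line)
```

On a live cluster, feed it the `items` array of `kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json`; a namespaced RoleBinding that references the `cluster-admin` ClusterRole is reported too, since the check looks at `roleRef` rather than the binding kind.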
3. Why does the customer need this? (List the business requirements here)
Comply with the general, recommended Kubernetes security guidelines; the platform itself should comply in the same way, since otherwise exceptions need to be requested for running OpenShift Container Platform 4.
It's also not clear that everything can be made compliant with the common guidelines. In that case, though, it's expected that the deviations are documented so that the reasoning behind them is understood.
4. List any affected packages or components.
kube-apiserver
- is cloned by: OCPSTRAT-858 [kube-apiserver] - Minimize wildcard/privilege Usage in Cluster and Local Roles (Backlog)
- is related to: OCPBUGS-1449 [kube-apiserver] - Minimize wildcard/privilege Usage in Cluster and Local Roles (Closed)