OpenShift Request For Enhancement - RFE-4564

[kube-apiserver] - Minimize wildcard/privilege Usage in Cluster and Local Roles


    Description

      1. Proposed title of this feature request
      [kube-apiserver] - Minimize wildcard/privilege Usage in Cluster and Local Roles

      2. What is the nature and description of the request?
      According to http://static.open-scap.org/ssg-guides/ssg-ocp4-guide-cis.html#xccdf_org.ssgproject.content_rule_rbac_wildcard_use, the use of wildcards in ClusterRoles and Roles should be prevented as far as possible.

      Further, one should refrain from using `cluster-admin` permissions in order to comply with CIS security requirements.

      It is therefore requested to review the service accounts below and their associated Roles, as they were found not to be compliant with the above, and to restrict their permissions further to the extent possible.

      • system:serviceaccount:openshift-kube-apiserver-operator:kube-apiserver-operator
      • system:serviceaccount:openshift-kube-apiserver:installer-sa
      • system:serviceaccount:openshift-kube-apiserver:localhost-recovery-client

      3. Why does the customer need this? (List the business requirements here)
      Comply with general and recommended Kubernetes security guidelines. The platform should comply in the same way, as otherwise exceptions need to be requested for running OpenShift Container Platform 4.

      It is also not clear that everything can be made compliant with the common guidelines. Where it cannot, it is expected that the deviation is documented so that the reasoning behind it can be understood.

      4. List any affected packages or components.
      kube-apiserver
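      The request above asks for a review of specific service accounts against the CIS wildcard rule and the cluster-admin restriction. The following script is an added example, not part of this RFE or of any OpenShift component: it audits RBAC objects in the JSON shape produced by `kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json` (a List whose `items` are the objects), reports every rule field that contains `*`, and lists which subjects are bound to those roles or to `cluster-admin`. The role, binding and service-account names in `SAMPLE_OBJECTS` are constructed placeholders, not cluster data; the service accounts named in this RFE would appear in the output of a real run only if their bindings are in the input.

```python
"""Audit Kubernetes RBAC objects for wildcard rules and cluster-admin bindings.

Added example (not from the RFE or OpenShift). Input objects follow the
kubectl JSON output format; the sample data below is constructed.
"""
import json
import sys

WILDCARD = "*"
RULE_FIELDS = ("apiGroups", "resources", "verbs")
# Roles that CIS guidance says should not be handed to workloads/operators.
PRIVILEGED_ROLES = {("ClusterRole", "cluster-admin")}


def role_id(obj):
    """Human-readable identifier such as 'Role/reader (namespace x)'."""
    meta = obj["metadata"]
    ns = meta.get("namespace")
    base = f'{obj["kind"]}/{meta["name"]}'
    return f"{base} (namespace {ns})" if ns else base


def find_wildcard_rules(role):
    """Return (role_id, rule_index, field) for every rule field that contains '*'."""
    findings = []
    for idx, rule in enumerate(role.get("rules") or []):
        for field in RULE_FIELDS:
            if WILDCARD in (rule.get(field) or []):
                findings.append((role_id(role), idx, field))
    return findings


def subject_name(subject):
    """Render a binding subject the way RBAC names it on the wire."""
    if subject.get("kind") == "ServiceAccount":
        return f'system:serviceaccount:{subject.get("namespace", "")}:{subject["name"]}'
    return subject.get("name", "")


def audit(objects):
    """Return wildcard findings and the bindings that grant wildcard or privileged roles."""
    roles = [o for o in objects if o["kind"] in ("Role", "ClusterRole")]
    bindings = [o for o in objects if o["kind"] in ("RoleBinding", "ClusterRoleBinding")]

    wildcard_rules = []
    risky_roles = set(PRIVILEGED_ROLES)  # (kind, name) pairs
    for role in roles:
        found = find_wildcard_rules(role)
        if found:
            wildcard_rules.extend(found)
            risky_roles.add((role["kind"], role["metadata"]["name"]))

    risky_bindings = []
    for binding in bindings:
        ref = binding["roleRef"]
        if (ref["kind"], ref["name"]) in risky_roles:
            for subject in binding.get("subjects") or []:
                risky_bindings.append((subject_name(subject), f'{ref["kind"]}/{ref["name"]}'))

    return {"wildcard_rules": wildcard_rules, "risky_bindings": risky_bindings}


def load_items(text):
    """Parse `kubectl get ... -o json` output and return its items list."""
    doc = json.loads(text)
    return doc["items"] if doc.get("kind") == "List" else [doc]


# Constructed sample: one ClusterRole with a fully wildcarded rule, one
# tightly scoped Role, and bindings to cluster-admin, the wildcard role and
# the scoped role. Names are placeholders, not real cluster objects.
SAMPLE_OBJECTS = [
    {"kind": "ClusterRole", "metadata": {"name": "example-operator"},
     "rules": [
         {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list", "watch"]},
         {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
     ]},
    {"kind": "Role", "metadata": {"name": "example-reader", "namespace": "example-ns"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "example-admin-binding"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "example-sa", "namespace": "example-ns"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "example-operator-binding"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "example-operator"},
     "subjects": [{"kind": "ServiceAccount", "name": "example-operator-sa", "namespace": "example-ns"}]},
    {"kind": "RoleBinding", "metadata": {"name": "example-reader-binding", "namespace": "example-ns"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "example-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "example-sa", "namespace": "example-ns"}]},
]


if __name__ == "__main__":
    # Pipe real kubectl JSON on stdin, or run without input to use the sample.
    items = load_items(sys.stdin.read()) if not sys.stdin.isatty() else SAMPLE_OBJECTS
    report = audit(items)
    for ident, idx, field in report["wildcard_rules"]:
        print(f"WILDCARD  {ident} rule[{idx}].{field}")
    for subject, ref in report["risky_bindings"]:
        print(f"BINDING   {subject} -> {ref}")
```

      In a real review, the `risky_bindings` list is the starting point: each subject it names either holds `cluster-admin` or is bound to a role with a wildcard rule, which is exactly what the CIS rule flags. The fix is to replace the `*` entries with the concrete `apiGroups`, `resources` and `verbs` the component actually uses, then rerun the audit to confirm the finding disappears.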

            People

              wcabanba@redhat.com William Caban
              rhn-support-sreber Simon Reber