Uploaded image for project: 'OpenShift Request For Enhancement'
  1. OpenShift Request For Enhancement
  2. RFE-4565

[openshift-apiserver] - Minimize wildcard/privilege Usage in Cluster and Local Roles

XMLWordPrintable

    • False
    • None
    • False
    • Not Selected

      1. Proposed title of this feature request
      [openshift-apiserver] - Minimize wildcard/privilege Usage in Cluster and Local Roles

      2. What is the nature and description of the request?
      According http://static.open-scap.org/ssg-guides/ssg-ocp4-guide-cis.html#xccdf_org.ssgproject.content_rule_rbac_wildcard_use the usage of wildcard in ClusterRole and Roles should be prevented as best as possible.

      Further, one should refrain from using `cluster-admin` permissions to comply with CIS security requirements.

      It's therefore requested to review the below serviceAccount and their associated Roles as they were found not to be compliant with the above and restrict permissions further to the extend possible.

      system:serviceaccount:openshift-apiserver-operator:openshift-apiserver-operator
      system:serviceaccount:openshift-apiserver:openshift-apiserver-sa

      3. Why does the customer need this? (List the business requirements here)
      Comply with general and recommended Kubernetes Security guidelines and therefore the platform should comply the same way as otherwise exceptions need to be requested for running OpenShift Container Platform 4.

      Also it's not clear that everything can be compliant with the common guidelines. In this case though, it's expected that these things are being documented to understand the reasoning being it.

      4. List any affected packages or components.
      openshift-apiserver

              wcabanba@redhat.com William Caban
              rhn-support-sreber Simon Reber
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: