-
Notifications
You must be signed in to change notification settings - Fork 227
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: Replace wildcards in RBAC objects with explicit resources and verbs #682
Conversation
This PR look nice, but we can revert if by mistake during the release if we copy the RBAC from KEDA repo. Could you open a PR there too, changing the RBAC? 🙏 |
6817983
to
0464390
Compare
Thank you, @JorTurFer ! I submitted the similar PR to the main KEDA repo: kedacore/keda#6129 |
3bfed4e
to
55e2919
Compare
Signed-off-by: Mikhail Zholobov <[email protected]>
Remove unnecessary "create" and "delete" verbs for CRs which are supposed to be created and deleted only by a user, and not by an operator. Signed-off-by: Mikhail Zholobov <[email protected]>
55e2919
to
ca721c8
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@legal90 can we please fix the build?
It was a CI problem, the fix is merged and I've rebased your PR |
@JorTurFer @zroubalik Will this break a scenario when As per KEDA's documentation:
UPD |
…rbs (kedacore#682) Co-authored-by: Jorge Turrado Ferrero <[email protected]>
According to Kubernetes documentation and various k8s security guidelines, wildcards in resource and verb entries should be avoided:
Warning
Using wildcards in resource and verb entries could result in overly permissive access being granted to sensitive resources. For instance, if a new resource type is added, or a new subresource is added, or a new custom verb is checked, the wildcard entry automatically grants access, which may be undesirable. The principle of least privilege should be employed, using specific resources and verbs to ensure only the permissions required for the workload to function correctly are applied.
Refs:
This PR could be seen as a continuation of a previous work for hardening the RBAC: #625
It replaces
*
with explicit verbs and resources, according to KEDA needs.Checklist
Similar PR to the main keda repo: kedacore/keda#6129