The bug is that the Deployment event-generator in the charts has more RBAC permissions than it needs. The service account of event-generator is bound to a clusterrole (rbac.yaml#L11) with the following permissions:
- create/delete verb of the deployments/pods/services resource (ClusterRole)
- get verb of the secrets resource (ClusterRole)
After reading the source code of event-generator, I didn't find any Kubernetes API usages using these permissions. Besides, some of these unused permissions may have potential risks. For example, if malicious users gain control of a Kubernetes node running an event-generator pod, they can use the "create deployment" permission to create privileged containers with malicious container images.
Therefore, these permissions should be rechecked to determine if they are truly unnecessary. If they are, the issue should be fixed by removing the unnecessary permissions or other feasible methods.
To Reproduce
Use the helm chart with default values.
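As an added illustration (not the chart's own rbac.yaml and not code from the issue author), the manifests below show a ClusterRole carrying the permissions listed in the issue beside a least-privilege replacement. The resource names, the namespace and the binding shape are assumptions; the rules in the first document are a constructed approximation of what the issue describes, and the second document grants nothing because the issue reports that no API call in the source uses these permissions.

```yaml
# Constructed example: an over-broad ClusterRole matching the permissions the
# issue describes. Names and namespace are placeholders, not the chart's values.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: event-generator-overbroad        # placeholder name
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["create", "delete"]          # cluster-wide create/delete of workloads
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["create", "delete"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]                        # read access to every Secret in the cluster
---
# Least-privilege replacement: a namespaced Role instead of a ClusterRole,
# with no rules until a concrete client call in the source justifies one.
# Add a single {apiGroups, resources, verbs} entry per documented call, nothing broader.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: event-generator                   # placeholder name
  namespace: event-generator              # placeholder namespace
rules: []
---
# Bind the Role (not a ClusterRole) to the pod's service account in its own namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: event-generator
  namespace: event-generator              # placeholder namespace
subjects:
  - kind: ServiceAccount
    name: event-generator                 # placeholder service account name
    namespace: event-generator
roleRef:
  kind: Role
  name: event-generator
  apiGroup: rbac.authorization.k8s.io
```

Before and after applying such a change, the effective permissions of the service account can be listed from outside the pod with `kubectl auth can-i --list --as=system:serviceaccount:<namespace>:<serviceaccount>` (substitute the chart's real namespace and service account name); a tightened binding should no longer report `create`/`delete` on deployments, pods or services, nor `get` on secrets.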