
Helm Chart: Unnecessary RBAC permissions #679

Open
Yseona opened this issue May 29, 2024 · 3 comments
Assignees
Labels
kind/bug Something isn't working lifecycle/rotten

Comments

@Yseona

Yseona commented May 29, 2024

Description

The bug is that the Deployment event-generator in the charts has more RBAC permissions than it needs. The service account of event-generator is bound to a clusterrole (rbac.yaml#L11) with the following permissions:

  • create/delete verb of the deployments/pods/services resource (ClusterRole)
  • get verb of the secrets resource (ClusterRole)

After reading the source code of event-generator, I didn't find any Kubernetes API usages using these permissions. Besides, some of these unused permissions may have potential risks. For example, if malicious users gain control of a Kubernetes node running an event-generator pod, they can use the "create deployment" permission to create privileged containers with malicious container images.

Therefore, these permissions should be rechecked to determine if they are truly unnecessary. If they are, the issue should be fixed by removing the unnecessary permissions or other feasible methods.

To Reproduce

Use helm chart with default values.

@Yseona Yseona added the kind/bug Something isn't working label May 29, 2024
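A small checker for the kind of review this issue asks for, added here as an example and not code from event-generator or its chart: it flattens ClusterRole rules into (apiGroup, resource, verb) grants, diffs them against the calls a code review found the workload actually making, and lists the unused grants that are also high risk. The rules are constructed to mirror the permissions described above, and the REQUIRED set is a hypothetical review result, not the real rbac.yaml or the generator's real API usage.

```python
"""Flag ClusterRole grants beyond what a workload was observed to use."""
from itertools import product

# Constructed: rules mirroring the grants the issue attributes to the ClusterRole.
CLUSTER_ROLE_RULES = [
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["create", "delete"]},
    {"apiGroups": [""], "resources": ["pods", "services"], "verbs": ["create", "delete"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},
]

# Hypothetical: what a review of the workload's API calls concluded it needs.
REQUIRED = {("", "pods", "create"), ("", "pods", "delete")}

# Grants that warrant justification even when they are used.
HIGH_RISK = {("apps", "deployments", "create"), ("", "secrets", "get"), ("", "pods", "create")}


def expand(rules):
    """Flatten PolicyRules into (apiGroup, resource, verb) triples; '*' is kept literal."""
    triples = set()
    for rule in rules:
        groups = rule.get("apiGroups", [""])
        for group, resource, verb in product(groups, rule["resources"], rule["verbs"]):
            triples.add((group, resource, verb))
    return triples


def _match(pattern, value):
    return pattern == "*" or pattern == value


def permits(rules, group, resource, verb):
    """True if any rule, wildcard rules included, grants the verb on the resource."""
    return any(_match(g, group) and _match(r, resource) and _match(v, verb)
               for g, r, v in expand(rules))


def excess(rules, required):
    """Granted triples that no required call needs; wildcard grants are reported as-is."""
    return sorted(t for t in expand(rules) if t not in required)


def risky_excess(rules, required, high_risk=HIGH_RISK):
    """Unused grants that also cover a high-risk triple: remove or justify these first."""
    return [t for t in excess(rules, required)
            if any(all(_match(p, v) for p, v in zip(t, hr)) for hr in high_risk)]


if __name__ == "__main__":
    for triple in risky_excess(CLUSTER_ROLE_RULES, REQUIRED):
        print("unused high-risk grant:", "/".join(triple))
```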
@poiana
Contributor

poiana commented Aug 27, 2024

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

@leogr
Member

leogr commented Aug 28, 2024

Hey, sorry for the very late response 😓

IIRC, those permissions are needed since the event-generator can create a fake activity for the K8s Audit Log 👇
https://github.com/falcosecurity/event-generator/tree/main/events/k8saudit/yaml
These resources ☝️ need relevant RBAC permissions to be applied.

@leogr leogr self-assigned this Aug 28, 2024
@poiana
Contributor

poiana commented Sep 27, 2024

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

Development

No branches or pull requests

3 participants