Restrict Cluster Role access authorizations #3156
Labels: area:collector, area:rbac, discuss-at-sig, help wanted, question
Component(s): No response
Describe the issue you're reporting
Context
Our current setup uses the OpenTelemetry Operator to make the application traceable. The operator is deployed through a Helm Chart. However, our Trivy scanner identifies that the operator has broad permissions via the Kubernetes ClusterRole.
Revise
Based on my understanding, the OpenTelemetry Operator's current permissions allow it to delete various Kubernetes resources like pods, services, and service accounts. This level of access seems unnecessary for the operator's intended functionality.
The RBAC rules are generated via Go marker comments. The most relevant ones are on the OpenTelemetryCollectorReconciler struct in the Reconcile function.
Suggestion
+kubebuilder:rbac
and do not group them in a single Go comment marker.
Hint
As these are cluster roles, this applies to all namespaces.
Version
Helm Chart v0.58.2
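An added example, not from the issue or from the operator's code base: a small Go checker that parses +kubebuilder:rbac marker comments and lists which resources are granted high-impact verbs such as delete, so a grouped marker like the one the issue describes can be spotted before the generated ClusterRole is trusted. The sample marker is constructed for illustration (it is not the operator's actual marker), and ParseRBACMarkers, RiskyGrants and Grouped are names chosen here.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is one parsed +kubebuilder:rbac marker (groups, resources, verbs).
type Rule struct{ Groups, Resources, Verbs []string }

// ParseRBACMarkers pulls +kubebuilder:rbac markers out of Go source text (illustrative; the real generator is controller-gen).
func ParseRBACMarkers(src string) []Rule {
	var rules []Rule
	for _, raw := range strings.Split(src, "\n") {
		line := strings.TrimSpace(strings.TrimPrefix(strings.TrimSpace(raw), "//"))
		if !strings.HasPrefix(line, "+kubebuilder:rbac:") {
			continue
		}
		fields := map[string][]string{}
		for _, kv := range strings.Split(strings.TrimPrefix(line, "+kubebuilder:rbac:"), ",") {
			if k, v, ok := strings.Cut(kv, "="); ok {
				fields[k] = strings.Split(v, ";")
			}
		}
		rules = append(rules, Rule{fields["groups"], fields["resources"], fields["verbs"]})
	}
	return rules
}

// RiskyGrants lists "resource:verb" pairs where any marker grants one of the given high-impact verbs on a resource.
func RiskyGrants(rules []Rule, risky ...string) []string {
	var out []string
	for _, r := range rules {
		for _, res := range r.Resources {
			for _, v := range r.Verbs {
				if strings.Contains(","+strings.Join(risky, ",")+",", ","+v+",") {
					out = append(out, res+":"+v)
				}
			}
		}
	}
	return out
}

// Grouped is a constructed sample (not the operator's real marker): one marker that hands delete to every listed resource at once.
const Grouped = `// +kubebuilder:rbac:groups="",resources=pods;services;serviceaccounts,verbs=create;delete;get;list;patch;update;watch`

func main() {
	fmt.Println(RiskyGrants(ParseRBACMarkers(Grouped), "delete", "deletecollection"))
}
```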