The bug is that the Deployment kubedl in the charts has more RBAC permissions than it needs. The service account of kubedl is bound to a clusterrole (role.yaml) with the following permissions:
create/delete/patch/update verbs on the deployments resource (ClusterRole)
update verb on the pods/services resource (ClusterRole)
After reading the source code of kubedl/kubedl, I didn't find any Kubernetes API usage that needs these permissions. Besides, some of these unused permissions may have potential risks. For example, if malicious users gain control of a Kubernetes node running a kubedl pod, they can use the "create deployment" permission to create privileged containers with malicious container images.
Therefore, these permissions should be rechecked to determine if they are truly unnecessary. If they are, the issue should be fixed by removing the unnecessary permissions or other feasible methods.
To Reproduce
Use charts with default values.
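As an added example (not the project's code or the chart's role.yaml), the following Python script audits a ClusterRole in the JSON form that `kubectl get clusterrole <name> -o json` prints and reports every verb that exceeds a least-privilege baseline; the sample role, the baseline, and the `apps` API group for deployments are constructed assumptions.

```python
import json

# Constructed sample mirroring the permissions described in the issue
# (get/list/watch added as plausible read verbs; not the chart's actual file).
CLUSTERROLE_JSON = """
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRole",
  "metadata": {"name": "kubedl"},
  "rules": [
    {"apiGroups": ["apps"], "resources": ["deployments"],
     "verbs": ["get", "list", "watch", "create", "delete", "patch", "update"]},
    {"apiGroups": [""], "resources": ["pods", "services"],
     "verbs": ["get", "list", "watch", "update"]}
  ]
}
"""

# Hypothetical least-privilege baseline: the verbs a reviewer believes the
# controller really needs per "<apiGroup>/<resource>" (an assumption, not the
# project's own list). Anything not listed here is reported as excess.
BASELINE = {
    "apps/deployments": {"get", "list", "watch"},
    "/pods": {"get", "list", "watch"},
    "/services": {"get", "list", "watch"},
}


def excess_permissions(role_json: str, baseline: dict) -> dict:
    """Return {"<group>/<resource>": [excess verbs]} for a ClusterRole/Role.

    A wildcard verb "*" or a resource missing from the baseline never matches
    the baseline, so both are reported in full rather than silently accepted.
    """
    role = json.loads(role_json)
    excess = {}
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                key = f"{group}/{resource}"
                extra = verbs - baseline.get(key, set())
                if extra:
                    excess[key] = sorted(extra)
    return excess


if __name__ == "__main__":
    for key, verbs in excess_permissions(CLUSTERROLE_JSON, BASELINE).items():
        print(f"{key}: verbs beyond baseline {verbs}")
```

The same function can be pointed at live output by piping `kubectl get clusterrole <name> -o json` into it.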