fix: Replace wildcards in RBAC objects with explicit resources and verbs #6129
Conversation
legal90
force-pushed
the
rbac-no-wildcards
branch
4 times, most recently
from
04f9747
to
4142acc
Compare
|
/run-e2e |
legal90
force-pushed
the
rbac-no-wildcards
branch
2 times, most recently
from
0d56c96
to
da55007
Compare
|
/run-e2e |
|
/run-e2e |
legal90
force-pushed
the
rbac-no-wildcards
branch
from
da55007
to
aa1b7bf
Compare
|
/run-e2e |
|
/run-e2e internal |
Signed-off-by: Mikhail Zholobov <legal90@gmail.com>
Signed-off-by: Mikhail Zholobov <legal90@gmail.com>
Signed-off-by: Mikhail Zholobov <legal90@gmail.com>
legal90
force-pushed
the
rbac-no-wildcards
branch
from
aa1b7bf
to
09e545f
Compare
|
/run-e2e internal |
|
/run-e2e rabbit |
| // +kubebuilder:rbac:groups="*",resources="*/scale",verbs=get;list;watch;update;patch | ||
| // +kubebuilder:rbac:groups="apps",resources=deployments/scale;statefulsets/scale,verbs=get;list;watch;update;patch |
There was a problem hiding this comment.
We have to revert this change because KEDA must allow scaling any resource as default using raw manifests
There was a problem hiding this comment.
Thank you for the review, @JorTurFer !
I rolled back this line and re-generated role.yaml (by make manifests).
Could you please check again?
|
/run-e2e subresource_scale_test |
According to the PR review comment.
| @@ -18,7 +18,8 @@ rules: | |||
| resources: | |||
| - events | |||
| verbs: | |||
| - '*' | |||
| - create | |||
| - patch | |||
There was a problem hiding this comment.
I wasn't sure about this being sufficient but it should be fine. For any other reviewers, here is the docs
https://book.kubebuilder.io/reference/raising-events#granting-the-required-permissions
According to Kubernetes documentation and various k8s security guidelines, wildcards in resource and verb entries should be avoided:
Warning
Using wildcards in resource and verb entries could result in overly permissive access being granted to sensitive resources. For instance, if a new resource type is added, or a new subresource is added, or a new custom verb is checked, the wildcard entry automatically grants access, which may be undesirable. The principle of least privilege should be employed, using specific resources and verbs to ensure only the permissions required for the workload to function correctly are applied.
Refs:
This PR could be seen as a continuation of a previous work for hardening the RBAC: kedacore/charts#625
It replaces
*with explicit verbs and resources, according to KEDA needs.Checklist
Relates to kedacore/charts#682