### Description
The bug is that the Deployment csi-curve-plugin-provisioner and the DaemonSet csi-curve-plugin in the charts are granted more RBAC permissions than they need. The service account of csi-curve-plugin-provisioner is bound to a ClusterRole (controller-rbac.yaml#L12) with the following permissions:
- `list` verb of `secrets` resource (ClusterRole)
The service account of csi-curve-plugin is bound to a ClusterRole (node-rbac.yaml#L12) with the following permissions:
- `update` verb of `nodes` resource (ClusterRole)
After reading the source code of curvecsi/curve-csi, sig-storage/csi-node-driver-registrar, etc., I didn't find any Kubernetes API usages that use these permissions. Besides, some of these unused permissions carry potential risk. For example, if malicious users gain control of a Kubernetes node running a csi-curve-plugin-provisioner pod, they can list the names of all secrets, and with the names they can get the details of all secret objects (since the permission is declared in a ClusterRole, it applies cluster-wide rather than to one namespace).
Therefore, these permissions should be rechecked to determine whether they are truly unnecessary. If they are, the issue should be fixed by removing the unnecessary permissions or by other feasible methods.
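As an added illustration (not part of this issue or of the curve-csi project), a small audit helper that flags sensitive verb/resource grants in a ClusterRole and strips a verb from a rule the way the proposed fix would. The role is represented as the dict `yaml.safe_load` would return for a manifest rendered with `helm template`; the `PROVISIONER_ROLE` sample below is constructed to mirror the permissions reported above and is not copied from the chart.

```python
from copy import deepcopy

# (resource, verb) pairs that deserve a second look in a cluster-scoped role.
SENSITIVE = {
    ("secrets", "list"): "enumerate every Secret in the cluster (list returns full objects)",
    ("secrets", "get"): "read any Secret whose name is known",
    ("nodes", "update"): "rewrite Node objects (labels, taints, spec)",
    ("nodes", "patch"): "rewrite Node objects (labels, taints, spec)",
}

def audit_cluster_role(role):
    """Return sorted (resource, verb, why) for each sensitive grant; '*' matches all."""
    findings = set()
    for rule in role.get("rules", []):
        for res in rule.get("resources", []):
            for verb in rule.get("verbs", []):
                for (s_res, s_verb), why in SENSITIVE.items():
                    if res in (s_res, "*") and verb in (s_verb, "*"):
                        findings.add((s_res, s_verb, why))
    return sorted(findings)

def drop_verbs(role, resource, verbs):
    """Copy of role with verbs removed for resource only; a rule that also names
    other resources is split so those keep their verbs ('*' is not expanded)."""
    fixed = deepcopy(role)
    new_rules = []
    for rule in fixed["rules"]:
        if resource not in rule.get("resources", []):
            new_rules.append(rule)
            continue
        others = [r for r in rule["resources"] if r != resource]
        if others:
            new_rules.append({**rule, "resources": others})
        kept = [v for v in rule["verbs"] if v not in verbs]
        if kept:  # drop the rule entirely when no verb is left
            new_rules.append({**rule, "resources": [resource], "verbs": kept})
    fixed["rules"] = new_rules
    return fixed

# Constructed sample mirroring the report; not the chart's actual manifest.
PROVISIONER_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "csi-curve-plugin-provisioner"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
        {"apiGroups": [""], "resources": ["persistentvolumes"],
         "verbs": ["get", "list", "watch", "create", "delete"]},
    ],
}
```

Running `audit_cluster_role(PROVISIONER_ROLE)` reports the two secrets grants, and `drop_verbs(PROVISIONER_ROLE, "secrets", {"get", "list"})` yields a role with no findings and the persistentvolumes rule untouched.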
### To Reproduce
Use the helm chart with default values.