Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security: limit default RBAC rules for kanister operator #3050

Closed
hairyhum opened this issue Aug 20, 2024 · 3 comments · Fixed by #3134
Closed

Security: limit default RBAC rules for kanister operator #3050

hairyhum opened this issue Aug 20, 2024 · 3 comments · Fixed by #3134
Assignees
Labels
documentation security Security related issues

Comments

@hairyhum
Copy link
Contributor

Current default RBAC role bindings for kanister operator allow creation of pods in any namespaces with any service accounts, thus enabling privilege escalations.

Kanister should adopt safer default, such as only allowing to create pods in the kanister namespace.

It can also document or provide tools for users to set up roles for the blueprints which require them.

Security advisory:
GHSA-h27c-6xm3-mcqp

@hairyhum hairyhum added documentation security Security related issues labels Aug 20, 2024
Copy link
Contributor

Thanks for opening this issue 👍. The team will review it shortly.

If this is a bug report, make sure to include clear instructions how on to reproduce the problem with minimal reproducible examples, where possible. If this is a security report, please review our security policy as outlined in SECURITY.md.

If you haven't already, please take a moment to review our project's Code of Conduct document.

@hairyhum
Copy link
Contributor Author

Related to #1550

@github-project-automation github-project-automation bot moved this to To Be Triaged in Kanister Aug 29, 2024
@hairyhum hairyhum removed the triage label Aug 29, 2024
@hairyhum
Copy link
Contributor Author

TODO: check what happens on helm chart upgrade and create upgrade instructions.
We also need to document that existing users need to downgrade permissions for kanister to only create pods in specific namespaces.

@r4rajat r4rajat self-assigned this Sep 16, 2024
@mergify mergify bot closed this as completed in #3134 Sep 26, 2024
@github-project-automation github-project-automation bot moved this from To Be Triaged to Done in Kanister Sep 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
documentation security Security related issues
Projects
Status: Done
Development

Successfully merging a pull request may close this issue.

2 participants