NetApp/trident

Tighten RBAC policies on the trident service accounts.

Opened this issue · 0 comments

The trident helm chart grants the trident-operator service account access to every secret in kubernetes.

This is because it uses a ClusterRole with no resourceNames.
https://github.com/NetApp/trident/blob/master/helm/trident-operator/templates/clusterrole.yaml#L60-L71

For better security the helm chart should either use a Role and restrict the secret access to a singular namespace, or set resourceNames to the secrets it needs access to, so that the service account only has access to the secrets it needs.
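The following is an added example, not code from the issue or from the trident project. It embeds two constructed RBAC manifests as Python dicts (the same structure `kubectl` would read from YAML): a ClusterRole that grants access to every Secret cluster-wide, in the shape the issue describes, and a hardened namespaced Role that pins the grant to named Secrets with `resourceNames`. The Secret names and the `trident` namespace are assumptions for illustration, not values taken from the chart. The `audit_secret_rules` function is a small check that flags the unrestricted pattern, and it also flags one caveat a reviewer of the fix would want covered: Kubernetes cannot restrict `create` or `deletecollection` requests by resource name, so those verbs remain effectively unrestricted even when `resourceNames` is set.

```python
"""Flag RBAC rules that grant broad access to Kubernetes Secrets.

Added example. Both manifests below are constructed to illustrate the
pattern described in the issue; they are not the chart's actual rules.
"""

# Constructed: a ClusterRole with no resourceNames on the secrets rule.
# Bound via a ClusterRoleBinding, this reaches every Secret in the cluster.
WEAK_CLUSTER_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "trident-operator"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
    ],
}

# Constructed: the two mitigations from the issue combined. A namespaced Role
# limits the grant to one namespace, and resourceNames limits it to specific
# Secrets. Namespace and Secret names are hypothetical placeholders.
HARDENED_ROLE = {
    "kind": "Role",
    "metadata": {"name": "trident-operator", "namespace": "trident"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"],
         "resourceNames": ["trident-csi", "trident-encryption-keys"],
         "verbs": ["get", "watch", "update", "patch", "delete"]},
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
    ],
}

# Verbs that Kubernetes cannot scope by resource name: the object name is not
# known for create, and deletecollection acts on the whole collection.
NAME_UNRESTRICTABLE_VERBS = {"create", "deletecollection"}


def rule_touches_secrets(rule):
    """True if a rule covers the core-group 'secrets' resource (or wildcards)."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    in_core_group = "" in groups or "*" in groups
    covers_secrets = "secrets" in resources or "*" in resources
    return in_core_group and covers_secrets


def audit_secret_rules(manifest):
    """Return a list of findings for Secret-related rules in a Role/ClusterRole.

    An empty list means every Secret grant is both namespaced and name-scoped,
    and uses only verbs that resourceNames can actually constrain.
    """
    findings = []
    kind = manifest.get("kind")
    namespace = manifest.get("metadata", {}).get("namespace")
    for idx, rule in enumerate(manifest.get("rules", [])):
        if not rule_touches_secrets(rule):
            continue
        names = rule.get("resourceNames", [])
        verbs = set(rule.get("verbs", []))

        if kind == "ClusterRole":
            findings.append(
                f"rule {idx}: ClusterRole grants Secret access; a ClusterRoleBinding "
                f"makes this cluster-wide, consider a namespaced Role")
        if not names:
            scope = f"namespace '{namespace}'" if kind == "Role" else "the cluster"
            findings.append(
                f"rule {idx}: no resourceNames, so {sorted(verbs)} applies to every "
                f"Secret in {scope}")
        unrestricted = verbs & NAME_UNRESTRICTABLE_VERBS
        if names and unrestricted:
            findings.append(
                f"rule {idx}: resourceNames set but {sorted(unrestricted)} cannot be "
                f"restricted by name; drop those verbs or move them to a separate rule")
    return findings


if __name__ == "__main__":
    for manifest in (WEAK_CLUSTER_ROLE, HARDENED_ROLE):
        name = f"{manifest['kind']}/{manifest['metadata']['name']}"
        findings = audit_secret_rules(manifest)
        print(name, "->", "OK" if not findings else "")
        for line in findings:
            print("  -", line)
```

Running the block prints two findings for the constructed ClusterRole (cluster-wide scope and no `resourceNames`) and none for the hardened Role. Because `list` and `watch` return collections, a practitioner hardening the real chart should confirm whether the operator actually needs them on Secrets; the hardened example above drops `list` and `create` so that every remaining verb is one `resourceNames` can enforce.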