k8sgpt-ai/k8sgpt

[BUG]: Unnecessary RBAC permissions

Yseona opened this issue · 2 comments

Checklist

  • I've searched for similar issues and couldn't find anything matching
  • I've included steps to reproduce the behavior

Affected Components

  • K8sGPT (CLI)
  • K8sGPT Operator

K8sGPT Version

v0.3.32

Kubernetes Version

No response

Host OS and its Version

No response

Steps to reproduce

Use chart with default values.

Expected behaviour

The bug is that the Deployment k8sgpt in the charts has both list and get verbs for the secrets resource (role.yaml). However, after reading the source code of k8sgpt, I didn't find any Kubernetes API usages that require list secrets permissions. If malicious users gain control of a Kubernetes node running a k8sgpt pod, they can list all the names of the secrets, and with the name, they can get the details of all the secrets objects (since this is declared in a ClusterRole).

Therefore, for security reasons, I suggest checking this permission to determine if it is truly unnecessary. If it is, the issue should be fixed by removing the unnecessary permission or other feasible methods.

Actual behaviour

No response

Additional Information

No response
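As an added example for the report above (not code from the k8sgpt project or its Helm chart), the script below audits a ClusterRole/Role document in the JSON shape that `kubectl get clusterrole <name> -o json` emits, flags any rule that lets the subject enumerate Secrets (the `list` verb the issue says k8sgpt never uses), and produces the least-privilege variant that keeps only `get`. The role name and the rule set in the sample are constructed to mirror the situation the issue describes.

```python
"""Audit Kubernetes RBAC rules for over-broad Secret access.

Added example for the issue above; not code from the k8sgpt project.
The input shape matches what `kubectl get clusterrole <name> -o json`
emits (apiVersion/kind/metadata/rules), but the sample is constructed.
"""
import json

# Constructed sample: a ClusterRole that, like the role described in the
# issue, grants both "get" and "list" on secrets cluster-wide.
SAMPLE_CLUSTERROLE_JSON = json.dumps({
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "example-k8sgpt"},   # hypothetical name
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "events"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["secrets"],
         "verbs": ["get", "list"]},
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["get", "list"]},
    ],
})

# Verbs that let a subject enumerate Secret names; combined with "get"
# that is enough to read every Secret body the role covers.
ENUMERATING_VERBS = {"list", "watch"}
SENSITIVE_RESOURCES = {"secrets"}


def _matches(values, wanted):
    """True if a rule field (verbs/resources) covers any of `wanted`, honouring '*'."""
    return "*" in values or bool(set(values) & wanted)


def find_secret_enumeration(role):
    """Return (rule_index, sorted verbs) for every rule that grants list or
    watch on Secrets in the core API group, or does so through a '*'."""
    findings = []
    for idx, rule in enumerate(role.get("rules", [])):
        groups = rule.get("apiGroups", [""])
        if not ("" in groups or "*" in groups):   # Secrets live in the core group
            continue
        if not _matches(rule.get("resources", []), SENSITIVE_RESOURCES):
            continue
        verbs = rule.get("verbs", [])
        if _matches(verbs, ENUMERATING_VERBS):
            findings.append((idx, sorted(verbs)))
    return findings


def drop_secret_enumeration(role):
    """Return a deep copy of the role whose Secret rules keep only the
    non-enumerating verbs (e.g. "get"), the fix the issue proposes.
    Rules using '*' in resources or verbs are left alone for manual review."""
    fixed = json.loads(json.dumps(role))   # deep copy; original is untouched
    for rule in fixed.get("rules", []):
        if "*" in rule.get("resources", []) or "*" in rule.get("verbs", []):
            continue
        if not set(rule.get("resources", [])) & SENSITIVE_RESOURCES:
            continue
        rule["verbs"] = [v for v in rule["verbs"] if v not in ENUMERATING_VERBS]
    return fixed


def audit(role_json):
    """Parse a ClusterRole/Role JSON document; return (findings, fixed_role)."""
    role = json.loads(role_json)
    return find_secret_enumeration(role), drop_secret_enumeration(role)


if __name__ == "__main__":
    findings, fixed = audit(SAMPLE_CLUSTERROLE_JSON)
    for idx, verbs in findings:
        print(f"rule[{idx}] grants {verbs} on secrets; list/watch enumerates Secret names")
    print(json.dumps(fixed["rules"], indent=2))
```

Run against a live cluster by piping `kubectl get clusterrole <name> -o json` into `audit`; after changing the chart, `kubectl auth can-i list secrets --as=system:serviceaccount:<ns>:<sa>` should answer `no` while `get` on a named Secret still works if the operator needs it. Note that dropping `list` narrows an attacker who controls the pod to Secrets whose names they already know, which is the reduction the issue is after; it does not remove `get`, so the remaining grant should still be scoped to the namespaces and names k8sgpt actually reads.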

agree.

Hi, I will work on this issue, and will raise a PR soon, Thanks!