kubedl-io/kubedl

[BUG] Unnecessary RBAC permissions

Opened this issue · 0 comments

Description

The bug is that the Deployment kubedl in the charts has more RBAC permissions than it needs. The service account of kubedl is bound to a ClusterRole (role.yaml) with the following permissions:

  • create/delete/patch/update verbs on the deployments resource (ClusterRole)
  • update verb on the pods/services resources (ClusterRole)

After reading the source code of kubedl/kubedl, I didn't find any Kubernetes API usage that relies on these permissions. Besides, some of these unused permissions may carry potential risks. For example, if malicious users gain control of a Kubernetes node running a kubedl pod, they can use the "create deployment" permission to create privileged containers with malicious container images.

Therefore, these permissions should be rechecked to determine whether they are truly unnecessary. If they are, the issue should be fixed by removing the unnecessary permissions or by other feasible means.

To Reproduce

Use charts with default values.
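As an added example (not part of this issue or the kubedl project), the following audit script compares a ClusterRole against an expected per-resource verb policy and rebuilds the rules with only the verbs the policy allows. The ClusterRole is a constructed stand-in for the chart's role.yaml covering just the two rules reported above, and the EXPECTED policy is an assumption for illustration; the real set of needed verbs must come from reviewing the controller's API calls.

```python
# Constructed stand-in for the chart's role.yaml, reduced to the two rules the
# issue discusses; not the project's real file.
CLUSTER_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "kubedl"},
    "rules": [
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["get", "list", "watch", "create", "delete", "patch", "update"]},
        {"apiGroups": [""], "resources": ["pods", "services"],
         "verbs": ["get", "list", "watch", "create", "delete", "update"]},
    ],
}

# Assumed policy: verbs the controller is believed to use per (apiGroup, resource).
# Derive the real set by reviewing the controller's API calls before applying it.
EXPECTED = {
    ("apps", "deployments"): {"get", "list", "watch"},
    ("", "pods"): {"get", "list", "watch", "create", "delete"},
    ("", "services"): {"get", "list", "watch", "create", "delete"},
}

def _granted(rule, allowed):
    """Verbs a rule grants; a '*' wildcard covers every verb in scope and is flagged."""
    verbs = set(rule.get("verbs", []))
    return allowed | {"*"} if "*" in verbs else verbs

def excess_permissions(role, expected):
    """Map (apiGroup, resource) -> sorted verbs granted beyond the policy."""
    excess = {}
    for rule in role.get("rules", []):
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                allowed = expected.get((group, resource), set())
                extra = _granted(rule, allowed) - allowed
                if extra:
                    excess[(group, resource)] = sorted(extra)
    return excess

def minimized_rules(role, expected):
    """Rebuild the rules so each grants only the verbs the policy expects."""
    rules = []
    for rule in role.get("rules", []):
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                allowed = expected.get((group, resource), set())
                keep = sorted(_granted(rule, allowed) & allowed)
                if keep:
                    rules.append({"apiGroups": [group], "resources": [resource], "verbs": keep})
    return rules
```

Run against the constructed role, `excess_permissions` reports exactly the two findings from this issue, and `minimized_rules` yields the rules a corrected role.yaml would carry.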