[BUG] Unnecessary RBAC permissions
Opened this issue · 0 comments
Description
The bug is that the Deployment kubedl in the charts has more RBAC permissions than it needs. The service account of kubedl
is bound to a ClusterRole (role.yaml) with the following permissions:
- create/delete/patch/update verbs on the deployments resource (ClusterRole)
- update verb on the pods/services resources (ClusterRole)
After reading the source code of kubedl/kubedl, I didn't find any Kubernetes API usages using these permissions. Besides, some of these unused permissions may have potential risks. For example, if malicious users gain control of a Kubernetes node running a kubedl pod, they can use the "create deployment" permission to create privileged containers with malicious container images.
Therefore, these permissions should be rechecked to determine if they are truly unnecessary. If they are, the issue should be fixed by removing the unnecessary permissions or other feasible methods.
To Reproduce
Use charts with default values.
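One way to check a chart's ClusterRole against the permissions the code actually needs is to flatten its rules into (apiGroup, resource, verb) triples and diff them against an allowlist. The script below is an added example, not code from the kubedl project or its charts: the rules are constructed to mirror the verbs listed in this issue, and the `REQUIRED` allowlist is a hypothetical assumption about what the controller needs (read-only access), which a maintainer would replace with the verbs found by auditing the source.

```python
"""Added example: flag the RBAC verbs a ClusterRole grants beyond a required allowlist
and emit a least-privilege replacement. Not the kubedl project's own code."""
from itertools import product

# Constructed ClusterRole modelled on the permissions named in the issue;
# this is NOT the real contents of the chart's role.yaml.
CLUSTER_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "kubedl-example"},
    "rules": [
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["get", "list", "watch", "create", "delete", "patch", "update"]},
        {"apiGroups": [""], "resources": ["pods", "services"],
         "verbs": ["get", "list", "watch", "update"]},
    ],
}

# Hypothetical allowlist of (apiGroup, resource, verb) the controller is assumed to need.
# In a real audit this comes from reading every client-go / controller-runtime call.
REQUIRED = {
    (group, resource, verb)
    for group, resource in [("apps", "deployments"), ("", "pods"), ("", "services")]
    for verb in ("get", "list", "watch")
}


def expand_rules(rules):
    """Flatten RBAC rules into a set of (apiGroup, resource, verb) triples.
    Wildcards ('*') are kept literally, so a '*' verb shows up as excess unless
    the allowlist explicitly contains it."""
    granted = set()
    for rule in rules:
        groups = rule.get("apiGroups", [""])
        for group, resource, verb in product(groups, rule.get("resources", []),
                                             rule.get("verbs", [])):
            granted.add((group, resource, verb))
    return granted


def excess_permissions(role, required):
    """Return the sorted triples the role grants but the allowlist does not require."""
    return sorted(expand_rules(role["rules"]) - required)


def minimal_role(role, required):
    """Build a ClusterRole that keeps only the required triples, one rule per
    (apiGroup, resource) pair with verbs sorted, so it can be diffed deterministically."""
    kept = expand_rules(role["rules"]) & required
    verbs_by_target = {}
    for group, resource, verb in kept:
        verbs_by_target.setdefault((group, resource), set()).add(verb)
    rules = [
        {"apiGroups": [group], "resources": [resource], "verbs": sorted(verbs)}
        for (group, resource), verbs in sorted(verbs_by_target.items())
    ]
    return {
        "apiVersion": role["apiVersion"],
        "kind": role["kind"],
        "metadata": {"name": role["metadata"]["name"]},
        "rules": rules,
    }


if __name__ == "__main__":
    for group, resource, verb in excess_permissions(CLUSTER_ROLE, REQUIRED):
        print(f"excess: {verb} {resource}.{group or 'core'}")
    print("least-privilege rules:", minimal_role(CLUSTER_ROLE, REQUIRED)["rules"])
```

Run it against a real chart by loading role.yaml with PyYAML into the same dict shape and filling `REQUIRED` from the audit; every triple it prints as excess is a candidate for removal, and the write verbs on deployments flagged here are exactly the ones the issue warns could be used to create privileged workloads from a compromised pod.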