mittwald/kubernetes-replicator

Wrong ClusterRole privileges when using Helm

gcaracuel opened this issue · 3 comments

Describe the bug
When using the Helm deploy method, the RBAC configuration introduces unneeded privileges; some of them are dangerous and reported as not recommended in the NSA Kubernetes hardening guidance.

To Reproduce
When using the Helm deploy method, the templated ClusterRole differs from https://github.com/mittwald/kubernetes-replicator/blob/master/deploy/rbac.yaml

Expected behavior
At ClusterRole:

- apiGroups: [""] # "" indicates the core API group
  resources: ["secrets", "configmaps"]
  verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]

Instead of:

  - apiGroups: 
      - ""
      - apps
      - extensions
    resources: 
      - secrets
      - configmaps
      - roles
      - rolebindings
      - cronjobs
      - deployments
      - events
      - ingresses
      - jobs
      - pods
      - pods/attach
      - pods/exec
      - pods/log
      - pods/portforward
      - services
    verbs: ["get", "watch", "list", "create", "update", "patch", "delete", "describe"]
  - apiGroups: 
      - batch
    resources: 
      - configmaps
      - cronjobs
      - deployments
      - events
      - ingresses
      - jobs
      - pods
      - pods/attach
      - pods/exec
      - pods/log
      - pods/portforward
      - services
    verbs: ["get", "watch", "list", "create", "update", "patch", "delete", "describe"]

Environment:

  • Kubernetes version: Any
  • kubernetes-replicator version: v2.6.0 to current

Additional context
This issue was introduced by: #75
I guess the problem here is that somebody used the example ClusterRole in the issue related to this PR to create the replicator-related ClusterRole, which are 2 totally different things.
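
An added example, not part of the original issue or the project's code: a small audit that expands a ClusterRole (in the JSON shape `kubectl get clusterrole <name> -o json` returns) into individual grants and reports everything beyond the rule the issue expects. The `HIGH_RISK` set, the role name `example-replicator` and the abridged sample rules are assumptions made for this illustration.

```python
import json
from itertools import product

# Rule the issue expects (the deploy/rbac.yaml rule quoted in the issue).
EXPECTED = [{"apiGroups": [""], "resources": ["secrets", "configmaps"],
             "verbs": ["get", "watch", "list", "create", "update", "patch", "delete"]}]
# Assumption for this example: resource names that allow running code in pods
# or changing RBAC. Illustrative, not exhaustive.
HIGH_RISK = {"pods/exec", "pods/attach", "pods/portforward", "roles", "rolebindings"}
# Constructed sample: abridged from the Helm-templated rules quoted in the issue.
SAMPLE = json.loads('''{"metadata": {"name": "example-replicator"}, "rules": [
  {"apiGroups": ["", "apps", "extensions"],
   "resources": ["secrets", "configmaps", "rolebindings", "pods/exec"],
   "verbs": ["get", "create", "describe"]},
  {"apiGroups": ["batch"], "resources": ["jobs", "pods/exec"], "verbs": ["get"]}]}''')

def expand(rules):
    """Flatten RBAC rules into a set of (apiGroup, resource, verb) triples."""
    grants = set()
    for rule in rules:
        grants |= set(product(rule.get("apiGroups", []),
                              rule.get("resources", []),
                              rule.get("verbs", [])))
    return grants

def covered(grant, allowed):
    """True if the grant is permitted by the allowed set, honouring '*' wildcards."""
    group, resource, verb = grant
    return any(g in (group, "*") and r in (resource, "*") and v in (verb, "*")
               for g, r, v in allowed)

def audit(cluster_role, expected=EXPECTED):
    """Return (excess, high_risk): grants beyond `expected`, and the risky subset."""
    allowed = expand(expected)
    excess = {g for g in expand(cluster_role.get("rules", [])) if not covered(g, allowed)}
    # A wildcard in any position is treated as high risk because it cannot be bounded.
    high_risk = {g for g in excess if g[1] in HIGH_RISK or "*" in g}
    return excess, high_risk

if __name__ == "__main__":
    excess, high_risk = audit(SAMPLE)
    print(f"{len(excess)} grants beyond the expected rule, {len(high_risk)} high risk")
    for group, resource, verb in sorted(high_risk):
        print(f"  apiGroup={group!r} resource={resource} verb={verb}")
```

Running the same function over the rendered output of `helm template` (converted to JSON) before install catches this kind of drift between the chart and `deploy/rbac.yaml`.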

There has not been any activity to this issue in the last 14 days. It will automatically be closed after 7 more days. Remove the stale label to prevent this.

Apologies. This issue should not have been closed.