GKE dashboard complains about `Potentially insecure RBAC configurations` for tekton operator release v0.69.1
zhaohua-jiang opened this issue · 1 comments
zhaohua-jiang commented
Expected Behavior
No such security warnings after installing the Tekton operator in a GKE cluster.
Actual Behavior
The GKE dashboard displayed the following warning message:
The security bulletin link in the ☝️ picture is: https://cloud.google.com/anthos/clusters/docs/security-bulletins?&_ga=2.128984265.-452443447.1705546487#gcp-2024-003
Steps to Reproduce the Problem
- Install the Tekton operator release on a GKE cluster
- The GKE dashboard will display the ☝️ warning messages
Additional Info
- Kubernetes version:

```
Client Version: v1.28.4
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.28.3-gke.1203001
```

- Tekton Pipeline version:

```
% tkn version
Client version: 0.34.0
Chains version: v0.19.0
Pipeline version: v0.53.3
Triggers version: v0.25.3
Dashboard version: v0.41.0
Operator version: v0.69.1
```
Executed the following commands according to the GKE security guide (https://cloud.google.com/kubernetes-engine/docs/best-practices/rbac?&_ga=2.131869514.-452443447.1705546487#default-roles-groups) to list the names of any ClusterRoleBindings with the subject system:anonymous, system:unauthenticated, or system:authenticated:
```
kubectl get rolebindings -A -o json \
| jq -r '["Namespace", "Name"], ["---------", "-----"], (.items[] | select((.subjects | length) > 0) | select(any(.subjects[]; .name == "system:anonymous" or .name == "system:unauthenticated" or .name == "system:authenticated")) | [.metadata.namespace, .metadata.name]) | @tsv'
Namespace Name
--------- -----
tekton-operator tekton-operator-info
tekton-pipelines tekton-chains-info
tekton-pipelines tekton-dashboard-info
tekton-pipelines tekton-pipelines-info
tekton-pipelines tekton-triggers-info
```
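A triage helper for the listing in the post above, added here as an example (it is not code from the issue, Tekton, or GKE): it generalizes the jq filter to both RoleBindings and ClusterRoleBindings and joins each flagged binding to the rules of the role it references, so a reviewer can see what the broad subject is actually granted. It assumes the input is the `.items` array of `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`; the `example-*` role names and rules in the sample are constructed, and `audit` and `read_only` are hypothetical names.

```python
# Added example; not code from the issue, the Tekton project, or GKE.
BROAD = {"system:anonymous", "system:unauthenticated", "system:authenticated"}
READ_VERBS = {"get", "list", "watch"}

def audit(items):
    """Flag RoleBindings and ClusterRoleBindings that name a broad subject and
    attach the rules of the referenced Role/ClusterRole when it is in `items`."""
    roles = {}
    for o in items:
        if o["kind"] in ("Role", "ClusterRole"):
            key = (o["kind"], o["metadata"].get("namespace", ""), o["metadata"]["name"])
            roles[key] = o.get("rules") or []
    findings = []
    for o in items:
        if o["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        # `subjects` can be null on a binding, hence the `or []`.
        hits = sorted({s["name"] for s in (o.get("subjects") or []) if s.get("name") in BROAD})
        if not hits:
            continue
        ns, ref = o["metadata"].get("namespace", ""), o["roleRef"]
        # A RoleBinding may point at a ClusterRole, which has no namespace.
        rules = roles.get((ref["kind"], ns if ref["kind"] == "Role" else "", ref["name"]))
        findings.append({
            "binding": f'{o["kind"]}/{ns or "-"}/{o["metadata"]["name"]}',
            "subjects": hits,
            "role": f'{ref["kind"]}/{ref["name"]}',
            "rules": rules,  # None means the role was not in the input
            "read_only": rules is not None and all(
                set(r.get("verbs", [])) <= READ_VERBS for r in rules),
        })
    return findings

# Constructed sample objects; role names and rules are made up for illustration.
SAMPLE = [
    {"kind": "Role", "metadata": {"namespace": "tekton-pipelines", "name": "example-info"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]}]},
    {"kind": "RoleBinding", "metadata": {"namespace": "tekton-pipelines", "name": "tekton-pipelines-info"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}],
     "roleRef": {"kind": "Role", "name": "example-info"}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "example-admins"},
     "subjects": [{"kind": "User", "name": "alice@example.com"}],
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}},
    {"kind": "RoleBinding", "metadata": {"namespace": "default", "name": "example-empty"},
     "subjects": None, "roleRef": {"kind": "Role", "name": "example-missing"}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A finding with `read_only` false, or with `rules` set to `None`, is the one to inspect first, since the grant is either more than read access or could not be resolved from the input.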
AlanGreene commented