tektoncd/operator

GKE dashboard complains about `Potentially insecure RBAC configurations` for tekton operator release v0.69.1

zhaohua-jiang opened this issue · 1 comments

Expected Behavior

No such security warnings after installing the tekton operator in a GKE cluster.

Actual Behavior

The GKE dashboard displayed the following warning message:

image

The security bulletin link in the ☝️ picture is: https://cloud.google.com/anthos/clusters/docs/security-bulletins?&_ga=2.128984265.-452443447.1705546487#gcp-2024-003

Steps to Reproduce the Problem

  1. Install the tekton operator release on a GKE cluster
  2. The GKE dashboard will display the ☝️ warning messages

Additional Info

  • Kubernetes version:
Client Version: v1.28.4
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.28.3-gke.1203001
  • Tekton Pipeline version:
% tkn version

Client version: 0.34.0
Chains version: v0.19.0
Pipeline version: v0.53.3
Triggers version: v0.25.3
Dashboard version: v0.41.0
Operator version: v0.69.1

Executed the following commands according to the GKE security guide (https://cloud.google.com/kubernetes-engine/docs/best-practices/rbac?&_ga=2.131869514.-452443447.1705546487#default-roles-groups) to list the names of any ClusterRoleBindings with the subject system:anonymous, system:unauthenticated, or system:authenticated:

kubectl get rolebindings -A -o json \
    | jq -r '["Namespace", "Name"], ["---------", "-----"], (.items[] | select((.subjects | length) > 0) | select(any(.subjects[]; .name == "system:anonymous" or .name == "system:unauthenticated" or .name == "system:authenticated")) | [.metadata.namespace, .metadata.name]) | @tsv'
Namespace	Name
---------	-----
tekton-operator	tekton-operator-info
tekton-pipelines	tekton-chains-info
tekton-pipelines	tekton-dashboard-info
tekton-pipelines	tekton-pipelines-info
tekton-pipelines	tekton-triggers-info
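
An added triage example, not part of the original issue or of the Tekton project's code: it goes beyond the command above by covering ClusterRoleBindings as well as RoleBindings and by resolving each flagged binding's `roleRef`, so a reviewer can see whether the broad subject gets a read of a few named objects or something wider. It expects JSON in the shape produced by `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`. The verdict labels and the sample data are assumptions made for this example; of the sample's names, only the binding name and its namespace appear in the issue output.

```python
# Subjects that match every caller, authenticated or not.
BROAD = {"system:anonymous", "system:unauthenticated", "system:authenticated"}
READ_VERBS = {"get", "list", "watch"}

def classify(rules):
    """Return 'narrow-read' only if every rule is read-only on explicitly named objects."""
    for rule in rules:
        verbs = set(rule.get("verbs", []))
        if not verbs or not verbs <= READ_VERBS:  # "*" and write verbs end up here
            return "review"
        if "*" in rule.get("resources", []) or not rule.get("resourceNames"):
            return "review"
    return "narrow-read" if rules else "review"

def audit(doc):
    """Flag bindings to BROAD subjects and rate the role each one references."""
    roles = {(i["kind"], i["metadata"].get("namespace", ""), i["metadata"]["name"]):
             i.get("rules") or []
             for i in doc["items"] if i["kind"] in ("Role", "ClusterRole")}
    findings = []
    for item in doc["items"]:
        hits = sorted(s["name"] for s in item.get("subjects") or [] if s.get("name") in BROAD)
        if item["kind"] not in ("RoleBinding", "ClusterRoleBinding") or not hits:
            continue
        ref, ns = item["roleRef"], item["metadata"].get("namespace", "")
        rules = roles.get((ref["kind"], ns if ref["kind"] == "Role" else "", ref["name"]))
        verdict = "role-not-found" if rules is None else classify(rules)
        findings.append((item["kind"], ns, item["metadata"]["name"], hits, verdict))
    return findings

# Constructed sample. Only the binding name tekton-pipelines-info comes from the issue;
# the role names and rules are assumptions invented for this example.
SAMPLE = {"items": [
    {"kind": "Role", "metadata": {"namespace": "tekton-pipelines", "name": "example-info"},
     "rules": [{"resources": ["configmaps"], "resourceNames": ["example-info"], "verbs": ["get"]}]},
    {"kind": "RoleBinding", "roleRef": {"kind": "Role", "name": "example-info"},
     "metadata": {"namespace": "tekton-pipelines", "name": "tekton-pipelines-info"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "ClusterRole", "metadata": {"name": "example-wide"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "roleRef": {"kind": "ClusterRole", "name": "example-wide"},
     "metadata": {"name": "example-wide"},
     "subjects": [{"kind": "Group", "name": "system:unauthenticated"}]},
    {"kind": "RoleBinding", "roleRef": {"kind": "Role", "name": "example-info"},
     "metadata": {"namespace": "default", "name": "example-sa"},
     "subjects": [{"kind": "ServiceAccount", "name": "builder"}]},
]}

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A `narrow-read` verdict is a triage hint only: the named objects still have to be checked for content that should not be readable by every authenticated identity.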