Debugger Chen
Currently the namespace-scoped CR StorageCluster may create clusterrolebindings upon namespace-scoped users' requests, enabling privilege escalation for such users. Perhaps we can leverage a webhook to authorize user permissions for better security.
Currently the ReplicationSecrets may allow namespace-scoped users to access secrets in unauthorized namespaces. Should we add some Webhook/CEL to check whether users have permissions in another namespace?
Currently the namespace-scoped NifiCluster can reference secrets in other namespaces, which may enable a namespace-scoped user to access secrets in his unauthorized namespaces. Perhaps we can leverage webhook/CEL to authorize...
Currently the Operator can reference secrets in other namespaces via secretRef, which may enable namespace-scoped users to access secrets in their unauthorized namespaces. Perhaps it's better to limit reference in...
Dear developers, I am writing to express a security concern regarding the security practice of this Operator. To avoid disclosing sensitive details here, we'd prefer to share more information privately....
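Add UPnP support #420 #815 #1271. During STUN testing and UDP hole punching, it will automatically try to map EasyTier's relevant ports. For cases where the WAN/ISP supports Full Cone NAT and the LAN does not support Full Cone NAT but does support UPnP, this PR helps achieve a direct P2P connection. Thanks, and happy Mid-Autumn Festival.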
It seems that schemahero can reference serviceaccount/secret in other namespaces, which may enable a namespace-scoped k8s user to gain illegal access. Perhaps it's better to add a webhook and authorize k8s users...
Currently, all core CRDs related to Operator installations are namespace-scoped. Thus, a namespace-scoped user may deploy an Operator with ClusterRoleBinding via OLM, and then ClusterRoleBinding will be granted to his...
The Terraform CRD can reference many kinds of credentials in other namespaces, which may be a security risk, as a namespace-scoped user can leverage this to access unauthorized secrets. Perhaps...