RBAC is WAY too permissive
The operator cluster role grants access to a lot of resources/verbs cluster-wide, and I cannot imagine all these permissions are required to operate:
https://github.com/oracle/oracle-database-operator/blob/bb344e4dee6ae72e5132f55e15ca4deb55557e71/oracle-database-operator.yaml#L2528-L2690
In particular, CRUD on nodes and namespaces should NOT be required, making the operator an elevated component if installed like this. You should do a massive cleanup of the RBAC!
Also should make work in a non root k8s container.
> Also should make work in a non root k8s container.
I agree, but that is worth a separate issue. Do you mind opening one, @djjeffr?
Yes I will open a new issue
@erikgb Thanks for highlighting this. Though this fix is required at the operator level, I am wondering in general which controller you are testing?
Certainly yes, CRUD related to nodes will be removed.
> Also should make work in a non root k8s container.
Did you open the new issue thread on this? If yes, please let me know the details so that I can review the exact issue.
@psaini79 thanks for the feedback! What took you so long? 😉 We would appreciate it if the RBAC granted to the operator was least-privilege based: only grant required permissions. CRUD to nodes is probably the worst, but I think there is a lot more that can be removed from the list of permissions.
About containers running as root, @djjeffr opened https://github.com/oracle/oracle-database-operator/issues/74. I will add some more details to that issue, but again it's all about least-privilege. It's particularly important to support OpenShift - since OpenShift requires additional configuration (SCC) to allow containers to run as root.
@erikgb Sure, CRUD to the nodes level will be removed. I am reviewing it internally and will update the roles and privs accordingly.
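
One way to check a ClusterRole for the permissions called out in this thread, as an added example that is not code from the operator project or from anyone in the thread. The sample role is constructed (it is not the operator's manifest), and the names `audit_cluster_role`, `SENSITIVE` and `WRITE_VERBS` are assumptions made for illustration:

```python
import json

# Constructed sample ClusterRole for illustration; NOT the operator's real manifest.
SAMPLE_ROLE = json.loads("""
{
  "kind": "ClusterRole",
  "metadata": {"name": "example-manager-role"},
  "rules": [
    {"apiGroups": [""], "resources": ["nodes", "namespaces"],
     "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["*"], "verbs": ["*"]},
    {"apiGroups": ["example.com"], "resources": ["databases/status"],
     "verbs": ["get", "patch", "update"]}
  ]
}
""")

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
SENSITIVE = {"nodes", "namespaces"}  # cluster-scoped core resources named in the issue


def audit_cluster_role(role):
    """Return (rule_index, resource, reason) for rules that break least privilege."""
    findings = []
    for idx, rule in enumerate(role.get("rules") or []):
        verbs = set(rule.get("verbs") or [])
        groups = set(rule.get("apiGroups") or [])
        resources = rule.get("resources") or []
        if "*" in verbs or "*" in resources:
            findings.append((idx, "*", "wildcard verbs or resources"))
        if not groups & {"", "*"}:
            continue  # nodes and namespaces live in the core ("") API group
        writes = verbs & WRITE_VERBS or ({"*"} if "*" in verbs else set())
        for res in resources:
            base = res.split("/")[0]  # treat nodes/status like nodes
            if base in SENSITIVE and writes:
                findings.append((idx, res, "write: " + ",".join(sorted(writes))))
    return findings


if __name__ == "__main__":
    for idx, res, reason in audit_cluster_role(SAMPLE_ROLE):
        print(f"rule[{idx}] {res}: {reason}")
```

To run it against a live cluster, replace `SAMPLE_ROLE` with the parsed output of `kubectl get clusterrole <name> -o json`.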