
Add pre-check(s) on ServiceAccount impersonation

Open maxgio92 opened this issue 2 years ago • 0 comments

What

This issue tracks the improvement proposal to check the existence of the ServiceAccount of which the User would be then impersonated during reconciliation.

Why

The ImpersonationConfig is set with the related SA's User system:serviceaccount:<namespace>:<name> even if the service account does not exist in the specified Namespace, which is, i.e., the Kustomization's one.

Then, the APIServer answers with forbidden for missing privileges on a User related to a non-existent SA. This can be misleading, making it hard for the end user to understand the actual reason for the reconciliation failure.

This use case comes from a test against an attempt at privilege escalation here.

When

The issue happens when a KubeConfig has been specified on the Kustomization. To be tested when a kubeconfig is not specified on Kustomizations.

More info

Kubernetes versions:
Client Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.1", GitCommit:"3ddd0f45aa91e2f30c70734b175631bec5b5825a", GitTreeState:"archive", BuildDate:"2022-05-27T18:33:09Z", GoVersion:"go1.18.2", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v4.5.4
Server Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.4", GitCommit:"e6c093d87ea4cbb530a7b2ae91e54c0842d8308a", GitTreeState:"clean", BuildDate:"2022-03-06T21:32:53Z", GoVersion:"go1.17.7", Compiler:"gc", Platform:"linux/amd64"}

Kustomize-controller version

main

maxgio92 Jun 16 '22 14:06
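The pre-check proposed above, as an added illustration rather than kustomize-controller's own code: the ServiceAccount is looked up in the Kustomization's namespace before the system:serviceaccount:<namespace>:<name> User is placed in the ImpersonationConfig, so a missing SA surfaces as a named error instead of the API server's Forbidden. The ServiceAccountGetter interface and the in-memory fakeGetter are assumptions standing in for the controller's Kubernetes client.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// ErrServiceAccountNotFound separates "the SA is missing" from a real RBAC
// denial that the API server would return after impersonating a missing SA.
var ErrServiceAccountNotFound = errors.New("impersonation target ServiceAccount not found")
// ServiceAccountGetter is an assumed interface so the pre-check can be backed
// by the controller's Kubernetes client or, as here, by an in-memory fake.
type ServiceAccountGetter interface {
	ServiceAccountExists(ctx context.Context, namespace, name string) (bool, error)
}

// ImpersonationUser builds the User name that the ImpersonationConfig carries.
func ImpersonationUser(namespace, name string) string {
	return fmt.Sprintf("system:serviceaccount:%s:%s", namespace, name)
}

// PreCheckImpersonation confirms the ServiceAccount exists in the
// Kustomization's namespace before impersonation is configured; on failure
// the returned error names the missing SA instead of a generic Forbidden.
func PreCheckImpersonation(ctx context.Context, c ServiceAccountGetter, namespace, name string) (string, error) {
	if namespace == "" || name == "" {
		return "", errors.New("impersonation pre-check: namespace and name must be set")
	}
	exists, err := c.ServiceAccountExists(ctx, namespace, name)
	if err != nil {
		return "", fmt.Errorf("impersonation pre-check: lookup of %s/%s failed: %w", namespace, name, err)
	}
	if !exists {
		return "", fmt.Errorf("impersonation pre-check: %w: %s/%s", ErrServiceAccountNotFound, namespace, name)
	}
	return ImpersonationUser(namespace, name), nil
}

// fakeGetter is a constructed stand-in for the cluster: keys are "namespace/name".
type fakeGetter map[string]bool

func (f fakeGetter) ServiceAccountExists(_ context.Context, namespace, name string) (bool, error) {
	return f[namespace+"/"+name], nil
}

func main() {
	c := fakeGetter{"apps/deployer": true}
	_, err := PreCheckImpersonation(context.Background(), c, "apps", "missing")
	fmt.Println(errors.Is(err, ErrServiceAccountNotFound)) // true
}
```

In the controller the reconciler would map ErrServiceAccountNotFound to a status condition on the Kustomization, while API-server errors keep their original meaning.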