
[Summer OSPP 2024] Karmada Component RBAC Privilege Minimization

Open zhzhuang-zju opened this issue 7 months ago • 2 comments

What would you like to be added: Karmada (Kubernetes Armada) is a Kubernetes management system that enables you to run cloud-native applications in multiple Kubernetes clusters and cloud platforms without changing the application. By using Kubernetes native APIs and providing advanced scheduling capabilities, Karmada implements truly open, multi-cloud Kubernetes.

The Karmada project uses RBAC authorization to regulate access to cluster resources. If too much access to resource objects is granted when configuring RBAC, it can lead to privilege abuse, to the point where an attacker who compromises one component can extend the attack and penetrate the cluster. If too little access to resource objects is granted when configuring RBAC, it can lead to component functionality anomalies.

Therefore, we plan to sort out the minimum set of RBAC permissions required by each Karmada component, amend the currently recommended RBAC configuration for the Karmada binaries so that it follows the RBAC least-privilege principle, and ultimately use the result to guide Karmada users in configuring RBAC permissions for Karmada components.
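To make the "too much vs. too little" trade-off concrete, here is an added audit helper (not Karmada project code) that flags wildcard and escalation-capable rules in a ClusterRole; the two roles it checks are constructed illustrations, and the verbs and resources in the minimized one are not Karmada's actual measured minimum for any component.

```python
# Added audit helper for RBAC least-privilege review (not Karmada project code).
# The two ClusterRole objects below are constructed illustrations, not Karmada's
# actual recommended permission sets.

# Verbs that let a subject grant or assume further privileges under the
# Kubernetes RBAC model; any rule carrying them deserves explicit justification.
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}

def audit_rbac_rules(role):
    """Return a list of findings for a ClusterRole/Role dict in Kubernetes API
    shape. An empty list means no least-privilege red flags were found."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if "*" in groups or "*" in resources:
            findings.append(f"rule {i}: wildcard apiGroups/resources")
        if "*" in verbs:
            findings.append(f"rule {i}: wildcard verbs")
        esc = verbs & ESCALATION_VERBS
        if esc:
            findings.append(f"rule {i}: escalation verbs {sorted(esc)}")
        if "secrets" in resources and verbs & {"get", "list", "watch", "*"}:
            findings.append(f"rule {i}: read access to secrets")
    return findings

# Constructed "before": a cluster-admin-like role, i.e. what over-permissioning looks like.
BROAD_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "example-component-broad"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}

# Constructed "after": resources and verbs enumerated explicitly per API group.
# The Karmada API groups are real, but this verb set is illustrative only.
MINIMIZED_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "example-component-minimized"},
    "rules": [
        {"apiGroups": ["cluster.karmada.io"], "resources": ["clusters", "clusters/status"],
         "verbs": ["get", "list", "watch", "update", "patch"]},
        {"apiGroups": ["work.karmada.io"], "resources": ["works", "works/status"],
         "verbs": ["get", "list", "watch", "update", "patch"]},
        {"apiGroups": [""], "resources": ["events"], "verbs": ["create", "patch"]},
    ],
}

if __name__ == "__main__":
    for role in (BROAD_ROLE, MINIMIZED_ROLE):
        print(role["metadata"]["name"], audit_rbac_rules(role) or "no findings")
```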

Project link https://summer-ospp.ac.cn/org/prodetail/245c40153?list=org&navpage=org

Parts of https://github.com/karmada-io/karmada/issues/4879

tasks:

  • karmada-operator
    • [x] helm installation (@B1F030 #5586)
    • [x] source code installation (@B1F030 #5586)
  • karmada-agent
    • [ ] source code installation (@B1F030 #5629)

website:

  • [ ] docs for Karmada components RBAC (English) (@B1F030 https://github.com/karmada-io/website/pull/696)
  • [ ] docs for Karmada components RBAC (Chinese) (@B1F030 https://github.com/karmada-io/website/pull/695)

Outputs:

  • A Guidance Document: Karmada Component Minimum RBAC Privilege Set
  • Function Implementation: Karmada Component RBAC Privilege Minimization
  • Test Coverage: Writing test cases to cover the added functionality

zhzhuang-zju Jul 12 '24 03:07