charts
Incomplete restrict secret permissions description
The existing documentation for restricting secret access is misleading, as it implies that access to secrets can be (completely) restricted by enabling secret permission restrictions for keda-operator and metricServer.
In addition to improving the documentation, it would be helpful if the docs explained how to update the helm chart in order to completely restrict access.
I installed the KEDA helm chart v2.13.1 with all secret restrictions enabled:

```yaml
permissions:
  operator:
    restrict:
      secret: true
  metricServer:
    restrict:
      secret: true
```

but keda-operator still has "get" access to all secrets by way of a different rule in the keda-operator ClusterRole:

```yaml
- apiGroups:
    - '*'
  resources:
    - '*'
  verbs:
    - get
```
Discussion: https://github.com/kedacore/keda/discussions/4730
Related: https://github.com/kedacore/keda-docs/issues/1307
Expected Behavior

```shell
kubectl auth can-i get secrets --as=system:serviceaccount:keda:keda-operator
no
```

Actual Behavior

```shell
kubectl auth can-i get secrets --as=system:serviceaccount:keda:keda-operator
yes
```
Steps to Reproduce the Problem
- Install KEDA helm chart
- Enable secret restrictions for keda-operator and metricServer
- Run kubectl auth can-i get secrets
Specifications
- KEDA Version: 2.13.0
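The reason the restriction flag does not change the `kubectl auth can-i` answer is that a Kubernetes role is a plain union of its rules: a request is allowed as soon as any one rule matches, so narrowing the `secrets` rule with `resourceNames` is irrelevant while a second rule grants `get` on `*` resources in `*` API groups. The following is an added example, not code from the KEDA chart or from the issue author: a small offline evaluator that mirrors the RBAC PolicyRule matching semantics (verb, apiGroup, resource, resourceNames; subresources are not modelled) and applies it to two constructed rule sets, one approximating the ClusterRole described above and one with the wildcard rule removed. The secret name `keda-tls` and the `RESTRICTED_FIXED` rule set are assumptions for illustration, not the chart's actual values.

```python
"""Offline evaluator for Kubernetes RBAC PolicyRule matching (added example).

Reproduces why `kubectl auth can-i get secrets --as=...:keda-operator` still
answers "yes" after enabling the chart's secret restriction: rules are purely
additive, and a `get` rule on `*`/`*` covers secrets regardless of any other,
narrower secrets rule.  Subresources (e.g. "pods/log") are not modelled.
"""

# Constructed approximation of the keda-operator ClusterRole from the issue:
# a secrets rule restricted by resourceNames (hypothetical name "keda-tls"),
# plus the wildcard `get` rule quoted in the report.
RESTRICTED_BUT_LEAKY = [
    {"apiGroups": [""], "resources": ["secrets"],
     "verbs": ["get", "list", "watch"], "resourceNames": ["keda-tls"]},
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get"]},
]

# The same role with the wildcard rule replaced by an explicit list (assumed
# resources, for illustration only): what "completely restricted" requires.
RESTRICTED_FIXED = [
    RESTRICTED_BUT_LEAKY[0],
    {"apiGroups": [""], "resources": ["configmaps", "pods"],
     "verbs": ["get", "list", "watch"]},
]


def _matches(allowed, wanted):
    """A list entry of '*' matches anything; otherwise exact string match."""
    return "*" in allowed or wanted in allowed


def rule_allows(rule, verb, resource, api_group="", name=None):
    """Decide whether a single PolicyRule authorizes one request.

    A rule carrying `resourceNames` only covers those named objects, so it never
    authorizes a collection-level request (name=None) such as `list` or the
    unnamed `can-i get secrets` check.  A rule without `resourceNames` covers
    every object of the resource.
    """
    if not _matches(rule.get("verbs", []), verb):
        return False
    if not _matches(rule.get("apiGroups", []), api_group):
        return False
    if not _matches(rule.get("resources", []), resource):
        return False
    names = rule.get("resourceNames")
    if names:
        return name is not None and name in names
    return True


def can_i(rules, verb, resource, api_group="", name=None):
    """A role grants a request if ANY of its rules matches (rules only add)."""
    return any(rule_allows(r, verb, resource, api_group, name) for r in rules)


def offending_rules(rules, verb, resource, api_group=""):
    """Rules that grant `verb` on the whole `resource` collection, i.e. without
    a resourceNames restriction.  Run this over a ClusterRole after enabling a
    'restrict' option: any hit means the restriction is bypassed by that rule."""
    return [r for r in rules if rule_allows(r, verb, resource, api_group, None)]


if __name__ == "__main__":
    for label, rules in (("leaky", RESTRICTED_BUT_LEAKY), ("fixed", RESTRICTED_FIXED)):
        answer = "yes" if can_i(rules, "get", "secrets") else "no"
        print(f"{label}: can-i get secrets -> {answer}; "
              f"bypassing rules: {offending_rules(rules, 'get', 'secrets')}")
```

Against a live cluster the equivalent audit is `kubectl get clusterrole keda-operator -o yaml` followed by a search for rules whose `resources` or `apiGroups` contain `'*'` and whose `verbs` include `get`, `list`, `watch` or `'*'`; `kubectl auth can-i` only reports the union, not which rule produced it.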
Let's discuss the topic in the docs repo issue to not duplicate the threads: https://github.com/kedacore/keda-docs/issues/1307