[Feature] Restrict Pod create and `/exec` permissions

Open chipzoller opened this issue 1 year ago • 1 comments

Problem Statement

RBAC permissions are still unnecessarily wide today in that pods and pod/exec are granted too broadly. This isn't necessary as the only Pod which needs to be created and exec'd into is the datamover Pod.

Solution Description

Reduce RBAC permissions for Pod creation and /exec subresource to only the datamover Pod.

Alternatives

No response

Additional Context

No response

Troubleshooting

  • [X] I have searched other issues in this repository and mine is not recorded.

chipzoller avatar May 21 '24 00:05 chipzoller

Because of a combination of the need to support concurrent resizing operations across the cluster (both inter- and intra-namespace), and therefore the need to bring up Pods with dynamic names, coupled with the fact that resourceNames in RBAC rules[] does not support wildcards or regex, this may not be possible to do. Best we may be able to do here is pass a config option to tell DAS to only perform resizes serially and therefore be able to use a Pod with a static name thereby allowing more restrictive RBAC.

chipzoller avatar May 22 '24 13:05 chipzoller
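
The trade-off discussed in this thread, as an added example that is not taken from the disk-autoscaler manifests: the broad grant beside the narrower one that a statically named datamover Pod would allow. The Role names, the namespace `example-ns` and the Pod name `datamover` are hypothetical.

```yaml
# Broad form: any Pod in the namespace can be created and exec'd into.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: das-broad                # hypothetical name
  namespace: example-ns          # hypothetical namespace
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/exec"]
    verbs: ["create"]
---
# Narrower form: only usable if the datamover Pod always has one fixed name,
# i.e. resizes run serially as suggested in the comment above.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: das-static-datamover     # hypothetical name
  namespace: example-ns          # hypothetical namespace
rules:
  # Kubernetes RBAC cannot restrict "create" on a top-level resource by
  # resourceNames (the object name may not be known when the request is
  # authorized), so Pod creation stays unscoped by name here and would have
  # to be constrained another way, for example by an admission policy.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["create"]
  # exec is a request against the pods/exec subresource of a named Pod, so
  # the Pod name is part of the request and resourceNames applies.
  # resourceNames entries are exact strings: "datamover-*" would match only
  # a Pod literally named "datamover-*", never "datamover-abc12".
  - apiGroups: [""]
    resources: ["pods/exec"]
    resourceNames: ["datamover"]  # hypothetical static Pod name
    # POST-based exec is authorized as "create"; WebSocket exec is sent as an
    # HTTP GET and is authorized as "get". Grant only what the client uses.
    verbs: ["create", "get"]
```

Running `kubectl auth can-i create pods/exec --as=<service account>` with and without the Pod name appended to the resource confirms whether the exec grant is actually name-scoped.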