prometheus-adapter
Query about minimum permission required by -server-resources cluster role
While doing security review of our clusters, we found wildcard permission used in a prometheus-adapter cluster role. This violates the principle of least privilege. The ask is to provide the minimum permission needed by this cluster role (list the specific verbs and resources instead of using wildcard). For now, we can probably try to override it on our side once we have this info. But it'd be good to have this change in the future releases so we always have the updated permission.
Chart version: 3.4.2
App version: v0.10.0

The cluster role with wildcard permission (extracted from the helm chart):

```yaml
{{- if and .Values.rbac.create (or .Values.rules.default .Values.rules.custom) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  {{- if .Values.customAnnotations }}
  annotations:
  {{- toYaml .Values.customAnnotations | nindent 4 }}
  {{- end }}
  labels:
  {{- include "k8s-prometheus-adapter.labels" . | indent 4 }}
  name: {{ template "k8s-prometheus-adapter.name" . }}-server-resources
rules:
- apiGroups:
  - custom.metrics.k8s.io
  resources: ["*"]
  verbs: ["*"]
{{- end -}}
```
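The review finding above is the kind of thing that is easy to re-check mechanically across a cluster. The following script is an added example, not part of the issue or of the prometheus-adapter chart: it walks the JSON shape that `kubectl get clusterroles -o json` returns and reports every rule that uses `*` in `apiGroups`, `resources` or `verbs`. The embedded input is constructed: the first item mirrors the wildcard rule quoted in the issue (the rendered name `prometheus-adapter-server-resources` assumes a default release name, which the issue does not state), and the second is an unrelated, explicitly scoped role included only so the checker has a clean case to pass. It does not claim which verbs or resources the adapter actually needs; that is the open question the issue raises.

```python
import json

# Constructed sample in the shape of `kubectl get clusterroles -o json`,
# reduced to the fields the check reads. The first role reproduces the
# wildcard rule quoted in the issue; the second is a constructed,
# explicitly scoped role that should produce no findings.
SAMPLE_ROLES = json.loads("""
{
  "apiVersion": "v1",
  "kind": "List",
  "items": [
    {
      "apiVersion": "rbac.authorization.k8s.io/v1",
      "kind": "ClusterRole",
      "metadata": {"name": "prometheus-adapter-server-resources"},
      "rules": [
        {"apiGroups": ["custom.metrics.k8s.io"], "resources": ["*"], "verbs": ["*"]}
      ]
    },
    {
      "apiVersion": "rbac.authorization.k8s.io/v1",
      "kind": "ClusterRole",
      "metadata": {"name": "example-scoped-role"},
      "rules": [
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}
      ]
    }
  ]
}
""")

# The three list-valued fields of an RBAC PolicyRule that accept "*".
WILDCARD_FIELDS = ("apiGroups", "resources", "verbs")


def wildcard_findings(role):
    """Return (rule_index, field) pairs for every '*' in a role's rules.

    Works for both Role and ClusterRole objects; aggregationRule-derived
    rules are not expanded, only the rules stored on the object itself.
    """
    findings = []
    for idx, rule in enumerate(role.get("rules") or []):
        for field in WILDCARD_FIELDS:
            if "*" in (rule.get(field) or []):
                findings.append((idx, field))
    return findings


def audit(role_list):
    """Map each role name to its wildcard findings; clean roles are omitted."""
    report = {}
    for item in role_list.get("items", []):
        if item.get("kind") not in ("ClusterRole", "Role"):
            continue
        found = wildcard_findings(item)
        if found:
            report[item["metadata"]["name"]] = found
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ROLES).items():
        for idx, field in findings:
            print(f"{name}: rule[{idx}] uses a wildcard in {field}")
```

To run it against a live cluster, replace `SAMPLE_ROLES` with `json.load(sys.stdin)` and pipe in `kubectl get clusterroles,roles -A -o json`; every line it prints is a rule to justify or narrow, and the `-server-resources` role from the chart will show up twice (once for `resources`, once for `verbs`) until the chart or an override replaces the wildcards with an explicit list.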
/triage accepted
/kind support
/assign
Hi @dgrisonnet, are there any updates on this? Thanks