
Why does the kube-state-metrics clusterrole need access to list, watch all secrets at cluster scope?

Open dsai1 opened this issue 1 year ago • 2 comments

An issue was raised by our security team saying the existing kube-state-metrics cluster role has access to all secrets.

Below is the AVD-KSV-0041, which is blocking our pipeline as part of trivy checks.

Can we restrict access to specified secrets?

dsai1 avatar Feb 14 '24 12:02 dsai1

It collects secret metrics.

Can we restrict access to specified secrets?

You can remove this permission if you don't need secret metrics.

CatherineF-dev avatar Feb 15 '24 17:02 CatherineF-dev

/assign @CatherineF-dev /triage accepted

dashpole avatar Feb 22 '24 17:02 dashpole

  1. drop secret related metrics using allowlist/denylist https://github.com/kubernetes/kube-state-metrics/blob/main/docs/cli-arguments.md

  2. remove secret permission

Do you have other questions? If not, will close

CatherineF-dev avatar Mar 02 '24 14:03 CatherineF-dev
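A worked version of those two steps, as an added example that is not the project's own manifests: the ClusterRole below omits the Secrets rule that AVD-KSV-0041 flags, and the matching `--resources` flag keeps kube-state-metrics from ever asking for Secrets, so it does not log RBAC errors for a resource it is no longer allowed to read. The resource list and the `kube-system` namespace are assumptions; extend the list to whatever you actually scrape.

```yaml
# Added example (not the project's manifest): kube-state-metrics scoped so it
# never reads Secrets. The resource list is illustrative.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kube-state-metrics
rules:
  # The stock role carries a rule like the one below; that is the entry
  # trivy reports as AVD-KSV-0041. It is deliberately left out here.
  # - apiGroups: [""]
  #   resources: ["secrets"]
  #   verbs: ["list", "watch"]
  - apiGroups: [""]
    resources: ["configmaps", "namespaces", "nodes", "pods", "services"]
    verbs: ["list", "watch"]
  - apiGroups: ["apps"]
    resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
    verbs: ["list", "watch"]
---
# Deployment fragment (assumed name/namespace): enable only the resources the
# role above grants, so the "secrets" collector is never started.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kube-state-metrics
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: kube-state-metrics
  template:
    metadata:
      labels:
        app.kubernetes.io/name: kube-state-metrics
    spec:
      serviceAccountName: kube-state-metrics
      containers:
        - name: kube-state-metrics
          image: registry.k8s.io/kube-state-metrics/kube-state-metrics:VERSION_PLACEHOLDER
          args:
            - --resources=configmaps,daemonsets,deployments,namespaces,nodes,pods,replicasets,services,statefulsets
```

After applying, confirm the service account really lost the permission with `kubectl auth can-i list secrets --as=system:serviceaccount:kube-system:kube-state-metrics` (expected answer: `no`), and re-run the trivy check that raised AVD-KSV-0041.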

/close

CatherineF-dev avatar Mar 19 '24 02:03 CatherineF-dev

@CatherineF-dev: Closing this issue.

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Mar 19 '24 02:03 k8s-ci-robot