Reduce RBAC permissions for the various components #3040
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tpantelis
requested review from
Oats87,
skitt,
sridhargaddam and
vthapar
as code owners
|
🤖 Created branch: z_pr3040/tpantelis/reduce_rbac |
aswinsuryan
approved these changes
May 2, 2024
skitt
requested changes
May 2, 2024
kaaass
approved these changes
May 3, 2024
- Remove Role wildcard access to "pods" - only "get" and "list" access is needed which is provided by the ClusterRole. - "services" are created for metrics so reduce Role access accordingly - The operator does not access "endpoints", "persistentvolumeclaims", "events", "replicasets" or "statefulsets" so remove access. - Reduce access to "deployments", "daemonsets" and "submariner.io" resources to only what's needed and remove wildcard access. Signed-off-by: Tom Pantelis <[email protected]>
- The following resources are not accessed at all so remove permissions: - "services" - "endpoints" - "events" - "configmaps" - "deployments" - "daemonsets" - "replicasets" - "statefulsets" - "customresourcedefinitions", - "operator.openshift.io/dnses" - "config.openshift.io/networks" - "monitoring.coreos.com/servicemonitors" - The gateway pod is annotated - it only needs "get" and "update" access - Remove wildcard access to "submariner.io" resources and specify exactly what's needed. - Reduce "configmaps" access to just "get". Signed-off-by: Tom Pantelis <[email protected]>
- The following resources are not accessed so remove permissions: - "services" - "endpoints" - "events" - "deployments" - "daemonsets" - "replicasets" - "statefulsets" - "customresourcedefinitions", - "operator.openshift.io/dnses" - "monitoring.coreos.com/servicemonitors" - Reduce access to "pods", "services", "secrets", "configmaps", and "endpoints" to "get" and "list" - Remove wildcard access to "submariner.io" resources and specify exactly what's needed. Signed-off-by: Tom Pantelis <[email protected]>
- The following resources are not accessed at all so remove permissions: - "services" - "endpoints" - "persistentvolumeclaims" - "events" - "configmaps" - "secrets" - "deployments" - "daemonsets" - "replicasets" - "statefulsets" - "namespaces" - "monitoring.coreos.com/servicemonitors" - Reduce "pods" access to only "get", "list", "watch" Signed-off-by: Tom Pantelis <[email protected]>
- Remove "update" access to "services", "namespaces" and "endpoints". - Remove wildcard access to "multicluster.x-k8s.io" resources and specify exactly what's needed. Signed-off-by: Tom Pantelis <[email protected]>
- The following resources are not accessed so remove permissions: - "services" - "endpoints" - "namespaces" - Reduce "endpointslices" access to "get", "list", and "watch" Signed-off-by: Tom Pantelis <[email protected]>
Signed-off-by: Tom Pantelis <[email protected]>
skitt
requested changes
May 6, 2024
There was a problem hiding this comment.
Requesting changes just to make sure the Admiral import is updated to match the merged commit after submariner-io/admiral#905 goes in.
go.mod
Outdated
| @@ -13,7 +13,7 @@ require ( | |||
| github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.73.2 | |||
| github.com/prometheus-operator/prometheus-operator/pkg/client v0.73.2 | |||
| github.com/prometheus/client_golang v1.19.0 | |||
| github.com/submariner-io/admiral v0.18.0-m3 | |||
| github.com/submariner-io/admiral v0.18.0-m3.0.20240504143439-22ee51817b45 | |||
There was a problem hiding this comment.
This will need to be updated once submariner-io/admiral#905 is merged.
This was referenced May 6, 2024
tpantelis
added a commit
to tpantelis/submariner-website
that referenced
this pull request
May 6, 2024
Release notes for submariner-io/submariner-operator#3040 Signed-off-by: Tom Pantelis <[email protected]>
We grant namespace read permissions which is only needed to query for the existence of the "openshift-monitoring" namespace to determine where to create ServiceMonitors. However we can eliminate this query and thus the permissions by trying to create ServiceMonitors in the "openshift-monitoring" namespace and, if the error indicates the namespace is missing, create in the provided namespace. Signed-off-by: Tom Pantelis <[email protected]>
This resource type is only used for network settings discovery to query the "cluster" Network so restrict the RBAC to only "get" access to the "cluster" resource name. This applies to both the submariner-operator: https://github.com/submariner-io/submariner/blob/85fea596f30b0e84d6962c92bb129a6b8bce8028/pkg/routeagent_driver/handlers/ovn/connection.go#L358 and route-agent components: https://github.com/submariner-io/submariner/blob/85fea596f30b0e84d6962c92bb129a6b8bce8028/pkg/routeagent_driver/handlers/ovn/connection.go#L358 Signed-off-by: Tom Pantelis <[email protected]>
These were added for network-plugin syncer removal so retrict the delete permissions to the networkplugin-syncer resource names. Signed-off-by: Tom Pantelis <[email protected]>
Done |
|
This PR/issue depends on:
|
skitt
approved these changes
May 6, 2024
dfarrell07
approved these changes
May 6, 2024
|
🤖 Closed branches: [z_pr3040/tpantelis/reduce_rbac] |
skitt
pushed a commit
to submariner-io/submariner-website
that referenced
this pull request
May 6, 2024
Release notes for submariner-io/submariner-operator#3040 Signed-off-by: Tom Pantelis <[email protected]>
tpantelis
added a commit
to tpantelis/submariner-website
that referenced
this pull request
Jul 8, 2024
Release notes for submariner-io/submariner-operator#3040 Signed-off-by: Tom Pantelis <[email protected]>
tpantelis
added a commit
to submariner-io/submariner-website
that referenced
this pull request
Jul 9, 2024
Release notes for submariner-io/submariner-operator#3040 Signed-off-by: Tom Pantelis <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
A recent post to the submariner-security outlined potential vulnerabilities regarding submariner's RBAC permissions being too broad:
In addition, many permissions aren't even used/needed. Also specifying a wildcard for resources and verbs is not best practice - Sonar flags this.
The intent of this PR is to reduce the permissions to only what's needed. See individual commits for details.
Note that for these changes to actually be applied requires updating and rebuilding subctl. However, I mirrored the changes in submariner-io/submariner-charts#508 and the E2E in the submariner-charts repo directly tests the changes in the PR. So we can be pretty confident the changes are accurate.
Fixes #3041
Depends on submariner-io/admiral#905