Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FEATURE] Restrict secrets access to namespace #702

Open
ghost opened this issue Jan 18, 2024 · 3 comments
Open

[FEATURE] Restrict secrets access to namespace #702

ghost opened this issue Jan 18, 2024 · 3 comments
Labels
enhancement New feature or request

Comments

@ghost
Copy link

ghost commented Jan 18, 2024

Is your feature request related to a problem?

Currently, ClusterRoleBindings are used to attach the ClusterRole to the service account created in the Helm Chart. Read access to the secrets API is configured in the ClusterRole. This allows a potential attacker to read secrets from all namespaces in the Kubernetes cluster.

What solution would you like?

Instead of a ClusterRoleBinding, a RoleBinding should be used to only allow access to secrets in the namespace.

What alternatives have you considered?

NONE

Do you have any additional context?

We found the same issue in the kube-prometheus-stack helm chart. Steps to reproduce the issue can be found there:
prometheus-community/helm-charts#4156
@ghost ghost added enhancement New feature or request untriaged Issues that have not yet been triaged labels Jan 18, 2024
@bbung
Copy link

bbung commented Feb 21, 2024

This also prevents us from using the operator. Our security guidelines prevent us from using external components that get cluster-wide secret access.

@salyh salyh removed the untriaged Issues that have not yet been triaged label Mar 28, 2024
@salyh
Copy link
Collaborator

salyh commented Mar 28, 2024

This would absolutely make sense. Thank you for your contribution.

I guess such a change would be a breaking change? Wdyt? @zaljic @bbung
@idanl21 @dbason @swoehrl-mw @prudhvigodithi @jochenkressin @pchmielnik

@swoehrl-mw
Copy link
Collaborator

Not sure if the access can actually be restricted. By default the operator runs cluster-wide, so needs access to resources in all namespaces.
Maybe an optional deployment mode in the helm chart which restricts the operator to just one namespace (there is some discussion about this in #584), then it would also not be a breaking change if the default remains the current cluster-wide mode.

@nilushancosta nilushancosta mentioned this issue May 30, 2024
Closed
@getsaurabh02 getsaurabh02 moved this from 🆕 New to Backlog in Engineering Effectiveness Board Jul 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
Engineering Effectiveness Board
Status: 📦 Backlog
Milestone
No milestone
Development

No branches or pull requests
3 participants
@bbung @salyh @swoehrl-mw