Remove wildcard usage in kube builder annotations #595

Closed
adrianchiris opened this issue Sep 4, 2023 · 2 comments · Fixed by #596
Labels
bug Something isn't working priority-low A low priority issue

Comments

@adrianchiris
Collaborator

we got wildcards set in the following reconcilers:

// +kubebuilder:rbac:groups=mellanox.com,resources=*,verbs=get;list;watch;create;update;patch;delete

// +kubebuilder:rbac:groups=mellanox.com,resources=*,verbs=get;list;watch;create;update;patch;delete

// +kubebuilder:rbac:groups=mellanox.com,resources=*,verbs=get;list;watch;create;update;patch;delete

hostdevice controller seems to be the only saint who doesn't use wildcards :)

we should use explicit resources for better security.

From looking over, it seems safe to me to remove the relevant lines from macvlan and ipoib reconcilers.
In nicclusterpolicy reconciler we should set nicclusterpolicies resource explicitly.

@adrianchiris adrianchiris added enhancement New feature or request bug Something isn't working priority-low A low priority issue and removed enhancement New feature or request labels Sep 4, 2023
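
Added example, not part of the issue thread or the project's code: a small Go check that flags wildcards in `+kubebuilder:rbac` markers, the pattern this issue asks to remove, so it can be caught before the generated role ships. The names `FindWildcards`, `Finding` and `sample`, and the sample markers on lines 2 and 3, are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

const rbacMarker = "+kubebuilder:rbac:"

// Finding is one wildcard in a marker: 1-based source line and the field holding it.
type Finding struct {
	Line  int
	Field string
}

// FindWildcards flags groups, resources or verbs lists in RBAC markers that contain "*".
func FindWildcards(src string) []Finding {
	var out []Finding
	for n, line := range strings.Split(src, "\n") {
		text := strings.TrimSpace(line)
		i := strings.Index(text, rbacMarker)
		if !strings.HasPrefix(text, "//") || i < 0 {
			continue // not a comment line carrying an RBAC marker
		}
		for _, kv := range strings.Split(text[i+len(rbacMarker):], ",") {
			key, val, ok := strings.Cut(kv, "=")
			if !ok || (key != "groups" && key != "resources" && key != "verbs") {
				continue
			}
			for _, item := range strings.Split(strings.Trim(val, `"`), ";") {
				if item == "*" {
					out = append(out, Finding{Line: n + 1, Field: key})
					break // one finding per field is enough
				}
			}
		}
	}
	return out
}

// sample is constructed input: line 1 is the marker quoted in the issue,
// line 2 the explicit form it asks for, line 3 a constructed verbs wildcard.
const sample = `// +kubebuilder:rbac:groups=mellanox.com,resources=*,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=mellanox.com,resources=nicclusterpolicies,verbs=get;list;watch;create;update;patch;delete
// +kubebuilder:rbac:groups=mellanox.com,resources=nicclusterpolicies,verbs=*`

func main() {
	for _, f := range FindWildcards(sample) {
		fmt.Printf("line %d: wildcard in %s\n", f.Line, f.Field)
	}
}
```
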
@rollandf
Member

Helm template for role should be aligned the same

@rollandf rollandf reopened this Sep 18, 2023
@rollandf
Member

rollandf commented Oct 2, 2023

Fixed in #605

@rollandf rollandf closed this as completed Oct 2, 2023