
fix(argo-workflows): Remove excessive wf controller RBAC permissions #3044

Merged (1 commit), Nov 21, 2024

Conversation

tico24
Member

@tico24 tico24 commented Nov 21, 2024

The deleted privileges were used by the k8sapi Executor in older Argo Workflows versions <=3.3 when selected. In versions >=3.4, only the Emissary Executor is available, and it does not use any forms of elevated privileges. See also a summary of the Executors in an older version of the docs: https://argo-workflows.readthedocs.io/en/release-3.4/workflow-executors/.

Checklist:

  • I have bumped the chart version according to versioning
  • I have updated the documentation according to documentation
  • I have updated the chart changelog with all the changes that come with this pull request according to changelog.
  • Any new values are backwards compatible and/or have a sensible default.
  • I have signed off all my commits as required by DCO.
  • My build is green (troubleshooting builds).

Signed-off-by: Tim Collins <tim@thecollins.team>
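As an added illustration of the check a chart reviewer might run for this kind of change (this is example code, not part of the chart or of this PR), the script below walks a Role/ClusterRole that has already been parsed from YAML into a Python dict and reports grants on pod subresources that an executor which never execs into pods has no use for. The `SAMPLE_ROLE` manifest is constructed for the example and is not the chart's actual workflow-controller Role; the set of flagged subresources (`pods/exec`, `pods/attach`, `pods/portforward`) is an assumption chosen for illustration, and the functions `find_pod_subresource_grants` and `strip_pod_subresource_grants` are hypothetical helpers, not Argo or Helm APIs.

```python
"""Audit a parsed Kubernetes Role/ClusterRole for pod-subresource grants.

Added example; not code from the argo-helm chart or from Argo Workflows.
Input is the manifest as a dict (e.g. the result of yaml.safe_load), so the
example runs without PyYAML or a cluster.
"""
import copy

# Assumption for this example: these pod subresources let a principal attach
# to or exec into running containers, so their presence in a controller Role
# that only drives a sidecar-style executor deserves review.
PRIVILEGED_POD_SUBRESOURCES = {"pods/exec", "pods/attach", "pods/portforward"}


def _covers_core_api(api_groups):
    """The core API group is spelled "" in RBAC; "*" covers it too."""
    return any(group in ("", "*") for group in api_groups)


def find_pod_subresource_grants(role):
    """Return (resource, verb) pairs granted on privileged pod subresources.

    Rules are visited in manifest order; within a rule, resources and verbs
    are reported in sorted order so the output is stable.
    """
    findings = []
    for rule in role.get("rules", []):
        if not _covers_core_api(rule.get("apiGroups", [])):
            continue  # subresources of core pods live only in the core group
        flagged = set(rule.get("resources", [])) & PRIVILEGED_POD_SUBRESOURCES
        for resource in sorted(flagged):
            for verb in sorted(rule.get("verbs", [])):
                findings.append((resource, verb))
    return findings


def strip_pod_subresource_grants(role):
    """Return a deep copy of the role with the flagged subresources removed.

    Only the subresource entries are dropped, so a rule that also grants
    plain "pods" access keeps that part; a rule left with no resources is
    removed entirely. The input dict is not modified.
    """
    trimmed = copy.deepcopy(role)
    kept_rules = []
    for rule in trimmed.get("rules", []):
        if _covers_core_api(rule.get("apiGroups", [])):
            rule["resources"] = [
                r for r in rule.get("resources", [])
                if r not in PRIVILEGED_POD_SUBRESOURCES
            ]
            if not rule["resources"]:
                continue
        kept_rules.append(rule)
    trimmed["rules"] = kept_rules
    return trimmed


# Constructed sample manifest for the example; NOT the chart's real Role.
SAMPLE_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "example-workflow-controller"},
    "rules": [
        # Plain pod access plus the log subresource: not flagged by this check.
        {"apiGroups": [""], "resources": ["pods", "pods/log"],
         "verbs": ["get", "list", "watch"]},
        # Exec/attach grants: flagged and removed by the helpers above.
        {"apiGroups": [""], "resources": ["pods/exec", "pods/attach"],
         "verbs": ["create"]},
        {"apiGroups": [""], "resources": ["configmaps"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["argoproj.io"], "resources": ["workflows"],
         "verbs": ["get", "list", "watch", "update", "patch"]},
    ],
}


if __name__ == "__main__":
    for resource, verb in find_pod_subresource_grants(SAMPLE_ROLE):
        print(f"review: {verb} on {resource}")
    cleaned = strip_pod_subresource_grants(SAMPLE_ROLE)
    print(f"rules before: {len(SAMPLE_ROLE['rules'])}, after: {len(cleaned['rules'])}")
```

To run this against a real manifest, load it with `yaml.safe_load` and pass the resulting dict in; for a ClusterRole the same rule shape applies. Confirm against the executor documentation which grants the deployed version actually needs before trimming a live Role.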
@tico24 tico24 marked this pull request as ready for review November 21, 2024 08:53
@tico24 tico24 merged commit 81dc44c into main Nov 21, 2024
8 checks passed
@tico24 tico24 deleted the rm-excessive-rbac-permissions branch November 21, 2024 08:58
@vladlosev
Collaborator

vladlosev commented Nov 21, 2024

So which version of Argo Workflows do we support? This change will break any versions < 3.4, as they need the pod permissions.

@tico24
Member Author

tico24 commented Nov 21, 2024

We have only ever supported the latest of each product. So workflows 3.6.0

@agilgur5

agilgur5 commented Nov 23, 2024

For reference, this resolves the now public GHSA-fgrf-2886-4q7m (and the description seems to heavily copy from there as well) aka CVE-2024-52799
