The bug is that the Deployment chaosblade-operator in the charts has more RBAC permissions than it needs. The service account of chaosblade-operator is bound to a ClusterRole (rbac.yaml) with the following permissions:
create/delete/patch/update verbs on the deployments/daemonsets/pods resources (ClusterRole)
After reading the source code of chaosblade-operator, I didn't find any Kubernetes API usage that uses these permissions. Besides, some of these unused permissions may have potential risks. For example, if a malicious user gains control of a Kubernetes node running a chaosblade-operator pod, they can use the "create deployment" permission to create privileged containers with malicious container images.
Therefore, these permissions should be rechecked to determine if they are truly unnecessary. If they are, the issue should be fixed by removing the unnecessary permissions or by other feasible methods.
How to reproduce it
Use the helm chart with default values.
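An added example, not code from the chaosblade-operator project, that audits ClusterRole rules of the kind described in this issue: it lists the write verbs granted on deployments/daemonsets/pods that the controller is not recorded as needing, and rewrites the rules to keep only read verbs plus the recorded ones. The rule list is a constructed stand-in for the chart's rbac.yaml (in practice you would load it with yaml.safe_load), and the `used` set is an assumption supplied by whoever reviewed the operator source.

```python
"""Flag and trim excess write permissions on workload resources in a ClusterRole."""

WORKLOAD_RESOURCES = {"deployments", "daemonsets", "pods"}
READ_VERBS = {"get", "list", "watch"}
WRITE_VERBS = {"create", "delete", "patch", "update", "deletecollection"}

# Constructed stand-in for the rules in the chart's rbac.yaml (not the real file).
CLUSTER_ROLE_RULES = [
    {"apiGroups": ["apps", ""],
     "resources": ["deployments", "daemonsets", "pods"],
     "verbs": ["get", "list", "watch", "create", "delete", "patch", "update"]},
    {"apiGroups": ["chaosblade.io"], "resources": ["chaosblades"], "verbs": ["*"]},
]


def expand_verbs(verbs):
    """A '*' verb grants everything, so treat it as every read and write verb."""
    return READ_VERBS | WRITE_VERBS if "*" in verbs else set(verbs)


def excess_write_grants(rules, used):
    """Return {(resource, verb)} write grants on workload resources absent from `used`.

    `used` is the set of (resource, verb) pairs the controller actually calls;
    wildcard resources ('*') are treated as covering every workload resource.
    """
    excess = set()
    for rule in rules:
        resources = set(rule.get("resources", []))
        targets = WORKLOAD_RESOURCES if "*" in resources else resources & WORKLOAD_RESOURCES
        for res in targets:
            for verb in expand_verbs(rule.get("verbs", [])) & WRITE_VERBS:
                if (res, verb) not in used:
                    excess.add((res, verb))
    return excess


def tighten(rules, used):
    """Rewrite rules so workload resources keep only read verbs and verbs in `used`.

    Non-workload resources keep their original verbs; rules are split per resource
    so each workload resource gets its own minimal verb list.
    """
    tightened = []
    for rule in rules:
        resources = rule.get("resources", [])
        verbs = expand_verbs(rule.get("verbs", []))
        other = [r for r in resources if r not in WORKLOAD_RESOURCES]
        if other:
            tightened.append({**rule, "resources": other})
        for res in (r for r in resources if r in WORKLOAD_RESOURCES):
            keep = sorted(v for v in verbs if v in READ_VERBS or (res, v) in used)
            if keep:
                tightened.append({**rule, "resources": [res], "verbs": keep})
    return tightened
```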