Improper k8s RBAC API Groups #373
Comments
hlebkanonik added a commit that referenced this issue Jul 10, 2024
Improvements have been made to the develop branch. The release will be coming soon.
raikbitters added a commit that referenced this issue Aug 16, 2024

* Update chart version and image versions
* Allow parametrization of DB password key
* Global Values & Custom RBAC (#401)
* Image registry as global parameter #389
* Improper k8s RBAC API Groups #373
* Update RabbitMQ plugin set (#403)
* Update AMQP settings in api-deployment.yaml
* Add pre-upgrade hook (#407)
* Update analyzer images (#410)

---------

Co-authored-by: piotr-smietana-kaseya <piotr.smietana@kaseya.com>
Co-authored-by: Hleb Kanonik <hleb_kanonik@epam.com>
Co-authored-by: millerick <michael.millerick@gmail.com>
In the authorization role that is set up in the template the rules section uses a single rule that applies across multiple api groups ("" and batch). This results in some invalid combinations like requesting "get" on "pods" in api group "batch".

Our build system uses a service account which isn't granted these invalid permissions and this causes the install of the helm chart to fail with log entries such as:

```
... is attempting to grant RBAC permissions not currently held:
{APIGroups:[""], Resources:["jobs"], Verbs:["get" "list" "watch"]}
{APIGroups:["batch"], Resources:["pods"], Verbs:["get" "list" "watch"]}
{APIGroups:["batch"], Resources:["services"], Verbs:["get" "list" "watch"]}
```

Please break this single rule into multiple rules so it will not result in invalid combinations.
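
The cross product described in the issue, as an added example that is not part of the original report or the chart's own code: it expands a rule's `apiGroups` and `resources` lists into every pair the rule grants, flags pairs whose group does not serve the resource, and splits the rule per group. The rule contents are inferred from the log lines above; the resource-to-group map and all function names are assumptions of this example.

```python
from itertools import product

# Assumption of this example: the API group that serves each resource in the log.
# pods and services are in the core group (""), jobs are in "batch".
RESOURCE_GROUP = {"pods": "", "services": "", "jobs": "batch"}

# Constructed rule, inferred from the issue's log lines (not copied from the chart).
COMBINED_RULE = {
    "apiGroups": ["", "batch"],
    "resources": ["pods", "services", "jobs"],
    "verbs": ["get", "list", "watch"],
}


def expand(rule):
    """Every (apiGroup, resource) pair a rule grants: the cross product of its lists."""
    return list(product(rule["apiGroups"], rule["resources"]))


def is_valid(group, resource, resource_group):
    """True if the group serves the resource; unknown resources are an error, not dropped."""
    if resource not in resource_group:
        raise KeyError(f"unknown resource {resource!r}: add it to the group map")
    return resource_group[resource] == group


def invalid_pairs(rule, resource_group=RESOURCE_GROUP):
    """Pairs that name a resource under an API group that does not serve it."""
    return [(g, r) for g, r in expand(rule) if not is_valid(g, r, resource_group)]


def split_by_group(rule, resource_group=RESOURCE_GROUP):
    """Rewrite one multi-group rule as one rule per API group, keeping only real pairs."""
    by_group = {}
    for group, resource in expand(rule):
        if is_valid(group, resource, resource_group):
            by_group.setdefault(group, []).append(resource)
    return [
        {"apiGroups": [g], "resources": res, "verbs": list(rule["verbs"])}
        for g, res in by_group.items()
    ]


if __name__ == "__main__":
    for group, resource in invalid_pairs(COMBINED_RULE):
        print(f"invalid pair: apiGroup={group!r} resource={resource!r}")
    for rule in split_by_group(COMBINED_RULE):
        print(rule)
```

The three pairs it flags for the combined rule are the same three group and resource combinations listed in the log.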