Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Explicit definition of Kubernetes permissions for Helm Connector #352

Open
Dan-Rediske opened this issue Jun 26, 2024 · 0 comments
Open

Comments

@Dan-Rediske
Copy link

Per documentation and FAQ - https://docs.wiz.io/wiz-docs/docs/kubernetes-req-perm-api?lng=en

Required permissions are much more limited in scope than the used definition:
https://github.com/wiz-sec/charts/blob/master/wiz-kubernetes-connector/templates/service-account-cluster-reader.yaml#L39

Using the permissions at this level for ease of engineering release is not in alignment with least permissions, which we should expect from a security tool with global visibility.

Customers should not need to grant "get, watch" permissions for all ApiGroups and Resources for one resource that uses the Get verb and none which are reported to use the Watch verb. Future functionality is not a reason for over-provisioning of permissions. (Something that the Wiz platform would flag in other portions of cloud infrastructure.)

In the event of malicious access/poisioning of the Wiz connector - this reduced scope should limit the damage possible.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant