NetApp / trident

Storage orchestrator for containers
Apache License 2.0

Duplicate RBAC entries for the `namespaces` resource #837

Closed lindhe closed 3 weeks ago

lindhe commented 1 year ago

Describe the bug

There exist duplicate entries for the namespaces resource in the trident-operator ClusterRole:

https://github.com/NetApp/trident/blob/ee2d9743551c82635d411da878389ffbd9f5f655/helm/trident-operator/templates/clusterrole.yaml#L10-L16

https://github.com/NetApp/trident/blob/ee2d9743551c82635d411da878389ffbd9f5f655/helm/trident-operator/templates/clusterrole.yaml#L244-L250

This makes it harder than necessary to review what permissions are granted to the application.

Expected behavior

Instead of having one rule for get and list and one rule for create and patch, I would have expected there to be only one rule for all four verbs:

 - apiGroups:
     - ""
   resources:
     - namespaces
   verbs:
     - get
     - list
     - create
     - patch

Additional context

Note that there are other rules which may seem to also be duplicates, like podsecuritypolicies and securitycontextconstraints. These, however, do actually differ since they have specified resourceNames for each "duplicate" entry!
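A review aid for the point raised above, added here as an example and not code from the Trident project: it groups ClusterRole rules by target, keeps resourceNames as part of a rule's identity so entries like the podsecuritypolicies rules stay separate, and reports targets that appear in more than one rule. The manifest is a constructed sample in the JSON shape of `kubectl get clusterrole <name> -o json`, not the real trident-operator role.

```python
import json
from collections import defaultdict

# Constructed sample manifest: mirrors the pattern discussed in the issue
# (namespaces split across two rules, PSP rules that differ by resourceNames).
SAMPLE_CLUSTERROLE = json.dumps({
    "kind": "ClusterRole",
    "metadata": {"name": "example-operator"},
    "rules": [
        {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "list"]},
        {"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
         "resourceNames": ["psp-a"], "verbs": ["use"]},
        {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["create", "patch"]},
        {"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
         "resourceNames": ["psp-b"], "verbs": ["use"]},
    ],
})

def rule_key(rule):
    """Identity used for merging: apiGroups, resources and resourceNames.
    resourceNames is deliberately part of the key: rules that differ only
    there grant access to different objects and are not duplicates."""
    return (tuple(sorted(rule.get("apiGroups", []))),
            tuple(sorted(rule.get("resources", []))),
            tuple(sorted(rule.get("resourceNames", []))))

def effective_permissions(manifest_json):
    """Map each target to (sorted union of verbs, number of rules granting it)."""
    verbs, sources = defaultdict(set), defaultdict(int)
    for rule in json.loads(manifest_json).get("rules", []):
        key = rule_key(rule)
        verbs[key].update(rule.get("verbs", []))
        sources[key] += 1
    return {k: (sorted(v), sources[k]) for k, v in verbs.items()}

def duplicate_rules(manifest_json):
    """Targets granted by more than one rule: merging them changes nothing
    about what is granted, but makes the role easier to review."""
    return {k: v for k, v in effective_permissions(manifest_json).items() if v[1] > 1}

def merged_rules(manifest_json):
    """Rewrite the rule list with one rule per target and the verbs unioned."""
    merged = []
    for (groups, resources, names), (verbs, _) in effective_permissions(manifest_json).items():
        rule = {"apiGroups": list(groups), "resources": list(resources), "verbs": verbs}
        if names:
            rule["resourceNames"] = list(names)
        merged.append(rule)
    return merged

if __name__ == "__main__":
    print(json.dumps(merged_rules(SAMPLE_CLUSTERROLE), indent=2))
```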

clintonk commented 3 weeks ago

This is intentional and not a bug. The operator RBAC must be a superset of the Trident RBAC, and it highlights that by having 2 sections of rules, one that duplicates Trident and one that layers on the extra privileges that the operator requires.