Open bsamsom opened 7 months ago
The trident helm chart grants the `trident-operator` service account access to every secret in Kubernetes.

This is because it uses a `ClusterRole` with no `resourceNames`. https://github.com/NetApp/trident/blob/master/helm/trident-operator/templates/clusterrole.yaml#L60-L71

For better security the helm chart should either use a `Role` and restrict the secret access to a singular namespace, or set `resourceNames` to the secrets it needs access to, so that the service account only has access to the secrets it needs.
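The check a cluster operator would want here is a way to find any `Role` or `ClusterRole` whose rules grant secret reads without a `resourceNames` restriction, and to see what the two remediations from the issue look like side by side. The following is an added example, not code from the trident project or from the issue author. It assumes the JSON shape produced by `kubectl get clusterroles,roles -A -o json`; the `example-operator` objects, the `example-ns` namespace and the `example-backend-secret` name are constructed placeholders, not the chart's real manifests.

```python
"""Audit Kubernetes RBAC objects for rules that let a subject read every
secret. Input is the JSON produced by
`kubectl get clusterroles,roles -A -o json` (a v1 List with `items`).
The sample objects below are constructed for illustration; they are not
the trident chart's actual manifests."""
import json

# Verbs that expose secret contents (create/update alone do not leak data).
READ_VERBS = {"get", "list", "watch", "*"}


def broad_secret_read_rules(rbac_obj):
    """Return a finding for each rule in a Role/ClusterRole that allows
    reading secrets with no resourceNames restriction."""
    findings = []
    kind = rbac_obj.get("kind", "")
    meta = rbac_obj.get("metadata", {})
    for idx, rule in enumerate(rbac_obj.get("rules", [])):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        # Secrets live in the core API group, which RBAC spells as "".
        in_core_group = "" in groups or "*" in groups
        names_secrets = "secrets" in resources or "*" in resources
        if not (in_core_group and names_secrets):
            continue
        if not (verbs & READ_VERBS):
            continue
        if rule.get("resourceNames"):
            continue  # scoped to specific secrets: acceptable
        findings.append({
            "kind": kind,
            "name": meta.get("name"),
            "namespace": meta.get("namespace"),  # None for a ClusterRole
            "rule_index": idx,
            "cluster_wide": kind == "ClusterRole",
        })
    return findings


def audit(list_json):
    """Run broad_secret_read_rules over every item of a kubectl JSON list."""
    doc = json.loads(list_json)
    items = doc.get("items", [doc])  # accept a single object as well
    out = []
    for obj in items:
        out.extend(broad_secret_read_rules(obj))
    return out


# Constructed sample: the pattern the issue describes, a ClusterRole that
# grants read access to every secret in the cluster.
WEAK_CLUSTERROLE = {
    "kind": "ClusterRole",
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "metadata": {"name": "example-operator"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"],
         "verbs": ["get", "list", "watch", "create", "update", "delete"]},
    ],
}

# Constructed sample combining both remediations from the issue: a
# namespaced Role bounds access to one namespace, and resourceNames bounds
# it to the named secrets ("example-backend-secret" is a placeholder).
HARDENED_ROLE = {
    "kind": "Role",
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "metadata": {"name": "example-operator", "namespace": "example-ns"},
    "rules": [
        # list/watch are left out: with resourceNames they only authorize
        # requests that carry a matching metadata.name field selector.
        {"apiGroups": [""], "resources": ["secrets"],
         "resourceNames": ["example-backend-secret"],
         "verbs": ["get", "update", "patch"]},
        # create cannot be limited by resourceNames (the name does not exist
        # yet), so it gets its own rule that grants no read access.
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["create"]},
    ],
}

SAMPLE_LIST = json.dumps({"kind": "List", "apiVersion": "v1",
                          "items": [WEAK_CLUSTERROLE, HARDENED_ROLE]})

if __name__ == "__main__":
    for f in audit(SAMPLE_LIST):
        scope = "cluster-wide" if f["cluster_wide"] else f["namespace"]
        print(f"{f['kind']}/{f['name']} rule {f['rule_index']}: "
              f"unrestricted secret read ({scope})")
```

Against the constructed list, only the `ClusterRole` is reported; the `Role` passes because its read rule carries `resourceNames` and its `create` rule exposes no secret contents. To run it against a live cluster, pipe the output of `kubectl get clusterroles,roles -A -o json` into `audit`.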