appuio / component-openshift4-authentication

Commodore component to manage authentication on OpenShift 4
BSD 3-Clause "New" or "Revised" License

Do not use `cluster-admin` for LDAP group sync #3

Closed corvus-ch closed 4 years ago

corvus-ch commented 4 years ago

The implementation in #1 uses the role cluster-admin to give permission for the LDAP group sync. This is probably too much power.

Find the minimal required permissions and use them instead of the role cluster-admin.

srueg commented 4 years ago

The docs explicitly state to use the cluster-admin role:

You must have cluster-admin privileges to sync groups.

https://docs.openshift.com/container-platform/4.4/authentication/ldap-syncing.html

Which kind of makes sense, since adapting groups and users essentially grants cluster-admin anyways: one could add his user to a cluster-admin group. I'd propose to close this as "won't do".
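The reasoning above (write access on groups is cluster-admin-equivalent once any group is bound to cluster-admin) can be turned into an RBAC audit check. This is an added example, not code from the issue or from the component; the ClusterRole and ClusterRoleBinding objects are constructed sample data that mirror the shape of `oc get clusterroles,clusterrolebindings -o json`, and the role and subject names are assumptions.

```python
"""Flag subjects that are effectively cluster-admin: bound to the role directly,
or able to edit OpenShift groups while some Group is bound to cluster-admin."""

GROUP_WRITE_VERBS = {"create", "update", "patch", "*"}


def rule_writes_groups(rule):
    """True if a PolicyRule lets the holder create or modify user.openshift.io groups."""
    api_groups = set(rule.get("apiGroups", [])) & {"user.openshift.io", "*"}
    resources = set(rule.get("resources", [])) & {"groups", "*"}
    verbs = set(rule.get("verbs", [])) & GROUP_WRITE_VERBS
    return bool(api_groups and resources and verbs)


def cluster_admin_equivalents(roles, bindings):
    """Return {"Kind/name": reason} for every subject that can reach cluster-admin."""
    group_writers = {
        r["metadata"]["name"] for r in roles if any(rule_writes_groups(x) for x in r.get("rules", []))
    }
    # Group membership is only an escalation path if a Group holds cluster-admin.
    admin_group_bound = any(
        b["roleRef"]["name"] == "cluster-admin" and any(s["kind"] == "Group" for s in b.get("subjects", []))
        for b in bindings
    )
    found = {}
    for b in bindings:
        role = b["roleRef"]["name"]
        for s in b.get("subjects", []):
            key = f'{s["kind"]}/{s["name"]}'
            if role == "cluster-admin":
                found[key] = "bound to cluster-admin"
            elif role in group_writers and admin_group_bound:
                found.setdefault(key, f"can edit groups via {role}; a Group is bound to cluster-admin")
    return found


# Constructed sample objects (hypothetical names) standing in for live cluster output.
SAMPLE_ROLES = [
    {"metadata": {"name": "cluster-admin"}, "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "ldap-group-syncer"},
     "rules": [{"apiGroups": ["user.openshift.io"], "resources": ["groups"], "verbs": ["get", "list", "create", "update", "patch"]}]},
    {"metadata": {"name": "pod-viewer"}, "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]
SAMPLE_BINDINGS = [
    {"roleRef": {"name": "cluster-admin"}, "subjects": [{"kind": "Group", "name": "cluster-admins"}]},
    {"roleRef": {"name": "ldap-group-syncer"}, "subjects": [{"kind": "ServiceAccount", "name": "ldap-sync", "namespace": "openshift-authentication"}]},
    {"roleRef": {"name": "pod-viewer"}, "subjects": [{"kind": "User", "name": "alice"}]},
]

if __name__ == "__main__":
    for subject, reason in cluster_admin_equivalents(SAMPLE_ROLES, SAMPLE_BINDINGS).items():
        print(f"{subject}: {reason}")
```

On the sample data the sync service account is reported alongside the cluster-admins group, while the read-only user is not; the same check run over real cluster output shows which narrowly scoped role would still be worth treating as cluster-admin in a review.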

tobru commented 4 years ago

I agree.