aws-observability / helm-charts

The AWS Observability Helm Charts repository contains Helm charts that provide easy mechanisms to set up the CloudWatch Agent and other collection agents to collect telemetry data such as metrics, logs and traces and send it to AWS monitoring services.
Apache License 2.0

least privilege clusterRole #77

Open shiron-babi opened 3 months ago

shiron-babi commented 3 months ago

The operator manager cluster role seems to have very permissive permissions. Mainly the first part seems like something that should be defined differently.

- apiGroups: [ "" ]
  resources: [ "configmaps" ]
  verbs: [ "create", "delete", "get", "list", "patch", "update", "watch" ]
- apiGroups: [ "" ]
  resources: [ "events" ]
  verbs: [ "create", "patch" ]
- apiGroups: [ "" ]
  resources: [ "namespaces" ]
  verbs: [ "get","list","patch","update","watch" ]
- apiGroups: [ "" ]
  resources: [ "serviceaccounts" ]
  verbs: [ "create","delete","get","list","patch","update","watch" ]
- apiGroups: [ "" ]
  resources: [ "services" ]
  verbs: [ "create","delete","get","list","patch","update","watch" ]
- apiGroups: [ "apps" ]
  resources: [ "daemonsets" ]
  verbs: [ "create","delete","get","list","patch","update","watch" ]
- apiGroups: [ "apps" ]
  resources: [ "deployments" ]
  verbs: [ "create","delete","get","list","patch","update","watch" ]

Is this configuration legitimate, and is it really needed?
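One way to reason about a rule set like the one quoted above is to check, per resource, which verbs change state and whether the resource is namespaced or cluster-scoped, since a ClusterRole bound with a ClusterRoleBinding applies in every namespace. The script below is an added example and is not code from the aws-observability/helm-charts project: it re-types the rules from this issue as its input, parses the flat inline-list YAML form they use, lists cluster-wide write access, and splits the rules into those that could live in a namespace-scoped Role and those that genuinely need a ClusterRole. The "sensitive" resource list, the cluster-scoped resource list, the `operator-manager` name and the `operator-namespace` value are this example's own assumptions and placeholders.

```python
"""Audit ClusterRole rules for cluster-wide write access and show which rules
could move to a namespaced Role.  Added example, not project code; the rules
are re-typed from the issue and the risk lists are this example's assumptions."""
import re
from dataclasses import dataclass

# The rules quoted in the issue, re-typed here as the example's input.
RULES_YAML = """
- apiGroups: [ "" ]
  resources: [ "configmaps" ]
  verbs: [ "create", "delete", "get", "list", "patch", "update", "watch" ]
- apiGroups: [ "" ]
  resources: [ "events" ]
  verbs: [ "create", "patch" ]
- apiGroups: [ "" ]
  resources: [ "namespaces" ]
  verbs: [ "get","list","patch","update","watch" ]
- apiGroups: [ "" ]
  resources: [ "serviceaccounts" ]
  verbs: [ "create","delete","get","list","patch","update","watch" ]
- apiGroups: [ "" ]
  resources: [ "services" ]
  verbs: [ "create","delete","get","list","patch","update","watch" ]
- apiGroups: [ "apps" ]
  resources: [ "daemonsets" ]
  verbs: [ "create","delete","get","list","patch","update","watch" ]
- apiGroups: [ "apps" ]
  resources: [ "deployments" ]
  verbs: [ "create","delete","get","list","patch","update","watch" ]
"""

# Verbs that change state; get/list/watch are read-only.
WRITE_VERBS = {"create", "delete", "deletecollection", "patch", "update"}
# Resources where cluster-wide write access is routinely flagged in an RBAC
# review (assumption: a typical audit list, not something the issue states).
SENSITIVE_RESOURCES = {"serviceaccounts", "namespaces", "secrets", "roles",
                       "rolebindings", "clusterroles", "clusterrolebindings"}
# Cluster-scoped resources; every other resource in the snippet is namespaced.
CLUSTER_SCOPED = {"namespaces", "nodes", "persistentvolumes",
                  "clusterroles", "clusterrolebindings"}


@dataclass
class Rule:
    api_groups: list
    resources: list
    verbs: list


@dataclass
class Finding:
    resource: str
    write_verbs: list
    sensitive: bool


def parse_rules(text):
    """Parse the flat '- key: [ ... ]' YAML subset used above for RBAC rules.
    Only this inline-list form is handled (assumption), which avoids a YAML dependency."""
    rules, current = [], None
    for line in text.splitlines():
        m = re.match(r'^\s*(-\s+)?(\w+):\s*\[(.*)\]\s*$', line)
        if not m:
            continue
        dash, key, body = m.groups()
        if dash:
            current = {}
            rules.append(current)
        if current is None:
            continue
        current[key] = [v.strip().strip('"\'') for v in body.split(",") if v.strip()]
    return [Rule(r.get("apiGroups", []), r.get("resources", []), r.get("verbs", []))
            for r in rules]


def audit(rules):
    """One finding per resource that the rule set can modify cluster-wide."""
    findings = []
    for rule in rules:
        writes = sorted(set(rule.verbs) & WRITE_VERBS)
        if not writes:
            continue
        for res in rule.resources:
            findings.append(Finding(res, writes, res in SENSITIVE_RESOURCES))
    return findings


def split_by_scope(rules):
    """Separate rules touching only namespaced resources (candidates for a Role
    bound in the operator's own namespace) from those that need a ClusterRole."""
    role_rules, cluster_rules = [], []
    for rule in rules:
        ns_res = [r for r in rule.resources if r not in CLUSTER_SCOPED]
        cl_res = [r for r in rule.resources if r in CLUSTER_SCOPED]
        if ns_res:
            role_rules.append(Rule(rule.api_groups, ns_res, rule.verbs))
        if cl_res:
            cluster_rules.append(Rule(rule.api_groups, cl_res, rule.verbs))
    return role_rules, cluster_rules


def manifests(rules, namespace="operator-namespace"):
    """Render the split as Role and ClusterRole dicts (names are placeholders)."""
    role_rules, cluster_rules = split_by_scope(rules)

    def rule_dict(r):
        return {"apiGroups": r.api_groups, "resources": r.resources, "verbs": r.verbs}

    return {
        "Role": {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
                 "metadata": {"name": "operator-manager", "namespace": namespace},
                 "rules": [rule_dict(r) for r in role_rules]},
        "ClusterRole": {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
                        "metadata": {"name": "operator-manager"},
                        "rules": [rule_dict(r) for r in cluster_rules]},
    }


if __name__ == "__main__":
    parsed = parse_rules(RULES_YAML)
    for f in audit(parsed):
        flag = "  <-- sensitive" if f.sensitive else ""
        print(f"{f.resource:16} cluster-wide write: {','.join(f.write_verbs)}{flag}")
    role, cluster = split_by_scope(parsed)
    print(f"{len(role)} rule(s) could live in a namespaced Role, "
          f"{len(cluster)} need a ClusterRole")
```

The split only helps if the operator manages resources in a single namespace; an operator that reconciles workloads across namespaces still needs a ClusterRole, and the review then turns to which verbs each rule actually exercises. Either way, the output of `audit` is the list a reviewer would walk through with the chart maintainers before deciding what to trim.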