To prevent privilege escalations, we had limited RBACSyncConfig to only reference roles. However, there are valid use cases in which a user may want to bind a namespaced group or user to a ClusterRole. We have decided to support the full abilities documented in https://kubernetes.io/docs/reference/access-authn-authz/rbac/.
This ticket will likely only need the removal of a validation and the addition of some test cases.
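A sketch of the kind of check involved, added here as an example and not taken from the project's code: it validates the roleRef of a namespaced binding against either the earlier Role-only rule or the relaxed Role-or-ClusterRole rule. The `RoleRef` type, `ValidateRoleRef`, the two kind sets and the sample role names are assumptions made for illustration. In Kubernetes, a RoleBinding that references a ClusterRole grants that role's permissions only inside the binding's namespace.

```go
package main

import "fmt"

// RoleRef is a stand-in for the roleRef of a binding (hypothetical type for
// this example, not the project's own).
type RoleRef struct{ APIGroup, Kind, Name string }

const rbacGroup = "rbac.authorization.k8s.io"

// Kind sets for a namespaced config: the earlier restriction and the relaxed one.
var (
	RoleOnly          = map[string]bool{"Role": true}
	RoleOrClusterRole = map[string]bool{"Role": true, "ClusterRole": true}
)

// ValidateRoleRef (hypothetical helper) rejects a roleRef whose API group,
// name or kind is not acceptable for a namespaced binding.
func ValidateRoleRef(ref RoleRef, allowed map[string]bool) error {
	if ref.APIGroup != rbacGroup {
		return fmt.Errorf("roleRef.apiGroup %q: want %q", ref.APIGroup, rbacGroup)
	}
	if ref.Name == "" {
		return fmt.Errorf("roleRef.name must not be empty")
	}
	if !allowed[ref.Kind] {
		return fmt.Errorf("roleRef.kind %q is not allowed here", ref.Kind)
	}
	return nil
}

func main() {
	// Constructed sample references; "view" is a default ClusterRole in Kubernetes.
	refs := []RoleRef{
		{rbacGroup, "Role", "deployer"},
		{rbacGroup, "ClusterRole", "view"},
		{rbacGroup, "clusterrole", "view"}, // kinds are case-sensitive
		{"", "ClusterRole", "view"},
	}
	for _, r := range refs {
		fmt.Printf("%-12s %-9s old=%v new=%v\n", r.Kind, r.Name,
			ValidateRoleRef(r, RoleOnly), ValidateRoleRef(r, RoleOrClusterRole))
	}
}
```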