eraser-dev / eraser

🧹 Cleaning up images from Kubernetes nodes
https://eraser-dev.github.io/eraser/
Apache License 2.0
477 stars, 61 forks

[BUG] Unnecessary permissions #1036

Open Yseona opened 3 months ago

Yseona commented 3 months ago

Version of Eraser

1.3.1

Expected Behavior

The Deployment eraser-controller-manager in the charts has the delete verb on the pods resource (eraser-manager-role-clusterrole.yaml). However, after reading the source code of eraser, I didn't find any Kubernetes API usages that require this permission. Therefore, for security reasons, I suggest checking this permission to determine if it is truly unnecessary. If it is, the issue should be fixed by removing the unnecessary permission or other feasible methods.

Actual Behavior

No response

Steps To Reproduce

Use helm chart with default values.

Are you willing to submit PRs to contribute to this bug fix?

ashnamehrotra commented 2 months ago

Hi @Yseona, thank you for raising this! Pod permissions were removed in #956. Since this was cherry-picked into v1.3.0 for a v1.3.1 patch release, the changes from manifest_staging/charts/.. were not reflected into charts/.... This will be fixed in the next minor release.

cc @sozercan
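
An added example, not part of the issue thread or the Eraser project: one way to check a ClusterRole exported with `kubectl get clusterrole <name> -o json` for the kind of grant reported above (delete on pods), including grants that arrive through wildcard rules. The role name, API group `example.com`, resource `widgets` and all rules below are constructed sample data, not the contents of the Eraser chart.

```python
import json

# Constructed sample in the shape of `kubectl get clusterrole <name> -o json`.
# Illustrative only; not copied from the Eraser chart.
SAMPLE_ROLE = json.loads("""
{
  "kind": "ClusterRole",
  "metadata": {"name": "example-manager-role"},
  "rules": [
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["pods"],
     "verbs": ["create", "delete", "get", "list", "watch"]},
    {"apiGroups": ["example.com"], "resources": ["widgets"], "verbs": ["*"]},
    {"nonResourceURLs": ["/metrics"], "verbs": ["get"]}
  ]
}
""")


def _covers(values, wanted):
    """RBAC list semantics: '*' matches anything, otherwise exact match."""
    return "*" in values or wanted in values


def rule_grants(rule, group, resource, verb):
    """True if a single RBAC rule allows `verb` on `resource` in `group`.

    The core API group is the empty string. Rules that only carry
    nonResourceURLs have no `resources` key and never match.
    """
    return (_covers(rule.get("apiGroups", []), group)
            and _covers(rule.get("resources", []), resource)
            and _covers(rule.get("verbs", []), verb))


def find_grants(role, group, resource, verb):
    """Return [(rule_index, resourceNames)] for every rule granting the access.

    A non-empty resourceNames list means the grant is limited to those names.
    """
    return [(i, rule.get("resourceNames", []))
            for i, rule in enumerate(role.get("rules") or [])
            if rule_grants(rule, group, resource, verb)]


if __name__ == "__main__":
    for index, names in find_grants(SAMPLE_ROLE, "", "pods", "delete"):
        scope = f"only {names}" if names else "all pods"
        print(f"rule #{index} grants delete on pods ({scope})")
```
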