falcosecurity / charts

Community managed Helm charts for running Falco with Kubernetes
Apache License 2.0

Helm Chart: Unnecessary RBAC permissions #679

Open Yseona opened 1 month ago


Description

The bug is that the event-generator Deployment in the charts has more RBAC permissions than it needs. The service account of event-generator is bound to a ClusterRole (rbac.yaml#L11) with the following permissions:

After reading the source code of event-generator, I didn't find any Kubernetes API usage that requires these permissions. Besides, some of these unused permissions may carry potential risks. For example, if malicious users gain control of a Kubernetes node running an event-generator pod, they can use the "create deployment" permission to create privileged containers with malicious container images.

Therefore, these permissions should be rechecked to determine if they are truly unnecessary. If they are, the issue should be fixed by removing the unnecessary permissions or by other feasible methods.

To Reproduce

Use helm chart with default values.
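A least-privilege audit of the kind this issue asks for, as an added example that is not part of the issue or of the falcosecurity/charts repo: it expands a ClusterRole's rules into flat (apiGroup, resource, verb) grants, reports every grant the workload does not need, and flags those that allow creating or modifying workloads. The ClusterRole JSON and the `REQUIRED` allow-list are constructed samples, not the chart's actual rbac.yaml.

```python
"""Audit a ClusterRole for permissions beyond what a workload actually uses.

Added example, not code from the falcosecurity/charts repository. The ClusterRole
below is a constructed sample (not the chart's real rbac.yaml), and REQUIRED is a
hypothetical allow-list built from reviewing which API calls the workload makes.
"""
import json
from itertools import product

# Constructed sample, in the shape of `kubectl get clusterrole <name> -o json`.
SAMPLE_CLUSTERROLE = json.loads("""
{
  "kind": "ClusterRole",
  "metadata": {"name": "event-generator-sample"},
  "rules": [
    {"apiGroups": [""],     "resources": ["pods"],        "verbs": ["get", "list", "create"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]}
  ]
}
""")

# Hypothetical allow-list: (apiGroup, resource, verb) the workload was observed to need.
REQUIRED = {("", "pods", "get"), ("", "pods", "list")}

# Standard Kubernetes verbs that a "*" verb wildcard expands to for audit purposes.
ALL_VERBS = ("get", "list", "watch", "create", "update", "patch", "delete", "deletecollection")

# Verb/resource combinations that let a principal run or alter arbitrary workloads.
WORKLOAD_CREATION = {"create", "update", "patch"}
WORKLOAD_RESOURCES = {"pods", "deployments", "daemonsets", "statefulsets", "jobs", "cronjobs"}

def granted_permissions(clusterrole):
    """Expand the rules into a flat set of (apiGroup, resource, verb) tuples."""
    perms = set()
    for rule in clusterrole.get("rules", []):
        verbs = ALL_VERBS if "*" in rule["verbs"] else rule["verbs"]
        for group, resource, verb in product(rule["apiGroups"], rule["resources"], verbs):
            perms.add((group, resource, verb))
    return perms

def excess_permissions(clusterrole, required):
    """Return grants present in the ClusterRole but absent from the allow-list."""
    return granted_permissions(clusterrole) - required

def high_risk(perms):
    """Subset of grants that allow creating or modifying workloads (or any resource via '*')."""
    return {p for p in perms if (p[1] in WORKLOAD_RESOURCES or p[1] == "*") and p[2] in WORKLOAD_CREATION}

if __name__ == "__main__":
    excess = excess_permissions(SAMPLE_CLUSTERROLE, REQUIRED)
    risky = high_risk(excess)
    for group, resource, verb in sorted(excess):
        flag = "  <-- HIGH RISK" if (group, resource, verb) in risky else ""
        print("%s/%s %s%s" % (group or "core", resource, verb, flag))
```

Run against a live cluster by replacing the sample with the output of `kubectl get clusterrole <name> -o json` and building `REQUIRED` from the verbs the workload's code actually issues.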