gocrane / crane

Crane is a FinOps Platform for Cloud Resource Analytics and Economics in Kubernetes clusters. The goal is not only to help users to manage cloud cost easier but also ensure the quality of applications.
https://gocrane.io
Apache License 2.0

Optimization: convergence craned permissions #887

Closed pmsl closed 8 months ago

pmsl commented 8 months ago

Describe the bug

Intruders may use this permission to modify the workload's spec

https://github.com/gocrane/crane/blob/main/deploy/craned/rbac.yaml#L75

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: craned
rules:
......
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - get
  - list
  - watch
  - update

Reproduce steps

Expected behavior

Screenshots

Environment (please complete the following information):
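The issue's point is that `update` on the parent `deployments`, `statefulsets` and `daemonsets` resources lets the craned service account rewrite a workload's whole spec (including its pod template), whereas `update` on the `deployments/scale` subresource only exposes the replica count. The following is an added example, not code from the crane project: it mirrors the quoted ClusterRole rule as Python data (the YAML is copied by hand rather than parsed, so no YAML library is needed), flags every write grant on a parent workload resource, and shows one least-privilege rewrite that keeps read verbs on the parents and moves write verbs to the `/scale` subresources already listed in the rule. The rewrite rests on an assumption that is not confirmed against crane's code, namely that the controller only needs to change replicas; the verbs a controller actually needs must be checked against what it calls.

```python
"""Audit a Kubernetes ClusterRole for write access to workload specs.

Added example for the RBAC fragment quoted in the issue; not part of the
crane project. CRANED_RULES is a hand-copied mirror of the quoted rule from
deploy/craned/rbac.yaml (constructed here, not parsed from the file).
"""
from typing import Dict, List, Tuple

# Verbs that let a subject change an object ("*" grants everything).
MUTATING_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}

# apps/v1 kinds whose .spec embeds a pod template; write access to the
# parent resource lets the caller change which containers run.
WORKLOAD_RESOURCES = {"daemonsets", "deployments", "statefulsets", "replicasets"}

Rule = Dict[str, List[str]]

# Mirror of the rule quoted in the issue.
CRANED_RULES: List[Rule] = [
    {
        "apiGroups": ["apps"],
        "resources": [
            "daemonsets",
            "deployments",
            "deployments/scale",
            "statefulsets",
            "statefulsets/scale",
        ],
        "verbs": ["get", "list", "watch", "update"],
    },
]


def find_spec_write_grants(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (resource, verb) pairs that grant a mutating verb on a whole
    workload object. Subresources such as deployments/scale are not flagged,
    because they expose only the replica count, not the spec."""
    findings: List[Tuple[str, str]] = []
    for rule in rules:
        if not ({"apps", "*"} & set(rule.get("apiGroups", []))):
            continue
        writes = sorted(set(rule.get("verbs", [])) & MUTATING_VERBS)
        if not writes:
            continue
        for resource in rule.get("resources", []):
            if resource in WORKLOAD_RESOURCES or resource == "*":
                for verb in writes:
                    findings.append((resource, verb))
    return findings


def split_read_and_scale(rules: List[Rule]) -> List[Rule]:
    """Least-privilege rewrite: parents keep only read verbs, and the mutating
    verbs move to the /scale subresources already present in the rule.
    Assumption (not verified against crane's code): the controller only needs
    to change replicas. A parent without a /scale entry, such as daemonsets
    here, loses write access entirely in this rewrite."""
    tightened: List[Rule] = []
    for rule in rules:
        verbs = set(rule.get("verbs", []))
        if not (verbs & MUTATING_VERBS):
            tightened.append(rule)
            continue
        parents = [r for r in rule["resources"] if "/" not in r]
        subresources = [r for r in rule["resources"] if "/" in r]
        reads = sorted(verbs - MUTATING_VERBS)
        if parents and reads:
            tightened.append(
                {"apiGroups": rule["apiGroups"], "resources": parents, "verbs": reads}
            )
        if subresources:
            tightened.append(
                {"apiGroups": rule["apiGroups"], "resources": subresources,
                 "verbs": sorted(verbs)}
            )
    return tightened


if __name__ == "__main__":
    for resource, verb in find_spec_write_grants(CRANED_RULES):
        print(f"spec write grant: {verb} on apps/{resource}")
    for rule in split_read_and_scale(CRANED_RULES):
        print("tightened rule:", rule)
```

Running the block lists `update` on `daemonsets`, `deployments` and `statefulsets` as spec write grants and prints two replacement rules: a read-only rule on the three parents and a rule carrying `update` on `deployments/scale` and `statefulsets/scale`. In a live cluster the same question can be asked of the API server directly with `kubectl auth can-i update deployments --as=system:serviceaccount:<namespace>:craned` (namespace is a placeholder), which should answer `no` once the role has been narrowed.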