[GRAFANA] Why give a ClusterRole by default ?

[LeoFVO]

Hello, I was wondering, why does Grafana have a ClusterRole allowing him to get/list Secrets and ConfigMap ?

This could be unsafe in case of compromising, allowing the ServiceAccount to grab all cluster Secrets and ConfigMap.

What is your opinion on this ?

[alita1991]

Hi, I have the same question, if I plan to run Grafana without a ClusterRole, what limitations will I encounter?

[gillg]

@zalegrala or any core members ? Any opinion ? From an external point of view this seems a critical security risk, for no valid reason.

Knowing most of people will just apply the chart out of the box, if grafana has a compromission, the whole kubernetes cluster is instantly compromised. Because having access to all the secrets allows grabing:

• all the deployed helm releases values and details
• eventual access token usable against kube api
• eventual argocd manager tokens to access others clusters as full admin
• eventual private docker registry credentials
• eventual databases credentials (harder to use if the DB is not exposed on internet) And this is only the best case where there is no cloud provider keys giving access to the cloud resources...