search

guerzon / vaultwarden

Helm chart for Vaultwarden, the (unofficial) Bitwarden-compatible server written in Rust, formerly known as bitwarden_rs
MIT License
142 stars 64 forks source link

Question: what is the purpose of rbac role in this chart? #84

Closed RomanIzvozchikov closed 5 months ago

RomanIzvozchikov commented 6 months ago

Hello!

I tried to realise what is the purpose of rbac role in this chart? We need these permissions if Bitwarden pod needs to modify some Kubernetes resources, but I am unsure that Bitwarden pod does this. I didn't find any related information in README.md.

From my perspective these permissions listed in RBAC role are unnecessary.

rules:
  - apiGroups: ["extensions", "apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["create","delete","get","list","patch","update","watch"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create","delete","get","list","patch","update","watch"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get","list","watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]

Could somebody clarify this?

0xsanti commented 6 months ago

I guess it was added as a starting point to implement the principle of least privilege, but this should have been tailored and unnecessary permissions were removed.

RomanIzvozchikov commented 5 months ago

I guess it was added as a starting point to implement the principle of least privilege, but this should have been tailored and unnecessary permissions were removed.

@0xsanti thank you for the reply!