The bug is that the Deployment jaeger-operator in the charts has too much RBAC permission than it needs. The service account of jaeger-operator is bound to a role (role.yaml) with the following permissions:
create/delete/patch/update verb of the pods/replicasets/statefulsets resource (Role)
get verb of the secrets resource (Role)
After reading the source code of jaeger-operator, I didn't find any Kubernetes API usages using these permissions. Besides, some of these unused permissions may have potential risks. For example, if malicious users gain control of a Kubernetes node running a jaeger-operator pod, they can use the create replicasets permission to create privileged containers with malicious container images.
Steps to reproduce
Use helm chart with default values.
Expected behavior
Therefore, these permissions should be rechecked to determine if they are truly unnecessary. If they are, the issue should be fixed by removing these unnecessary permissions or other feasible methods.
What happened?
The bug is that the Deployment jaeger-operator in the charts has too much RBAC permission than it needs. The service account of
jaeger-operatoris bound to a role (role.yaml) with the following permissions:create/delete/patch/updateverb of thepods/replicasets/statefulsetsresource (Role)getverb of thesecretsresource (Role)After reading the source code of jaeger-operator, I didn't find any Kubernetes API usages using
thesepermissions. Besides, some of these unused permissions may have potential risks. For example, if malicious users gain control of a Kubernetes node running ajaeger-operatorpod, they can use thecreate replicasetspermission to create privileged containers with malicious container images.Steps to reproduce
Use helm chart with default values.
Expected behavior
Therefore, these permissions should be rechecked to determine if they are truly unnecessary. If they are, the issue should be fixed by removing these unnecessary permissions or other feasible methods.
Relevant log output
No response
Screenshot
No response
Additional context
No response
Jaeger backend version
No response
SDK
No response
Pipeline
No response
Stogage backend
No response
Operating system
No response
Deployment model
No response
Deployment configs
No response