Previously the operator had the pod/exe permissions with the verb
create, which is necessary for K8up to create and bind the namespaced
roles where the actual backups happen.
To harden the RBAC a bit we're now deploying a clusterRole which
contains the necessary RBAC rules. Also K8up is now allowed to bind
exactly this clusterRole.
While this doesn't mitigate all potential exploits in case the K8up
operator pod is accessed by a malicious party, it makes it harder for
the malicious party to abuse K8up's permissions.
Checklist
For Code changes
[x] Categorize the PR by setting a good title and adding one of the labels:
bug, enhancement, documentation, change, breaking, dependency
as they show up in the changelog
[x] PR contains the label area:operator
[x] Link this PR to related issues
[ ] I have not made any changes in the charts/ directory.
Even though we should not change anything in the /chart folder, for this to work with the e2e I have to change the chart here as well. Let's hope the CI/CD process doesn't break too hard due to this...
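The hardening described in this PR, sketched as an added example that is not the manifests from the PR or the K8up chart. All resource names are hypothetical, and it assumes the permission referred to is the Kubernetes `pods/exec` subresource and that the operator grants it per namespace through RoleBindings.

```yaml
# Added example. Names ending in "-example" are hypothetical placeholders.
# BEFORE: RBAC escalation prevention only lets a subject create a Role whose
# permissions it already holds, so the operator carries exec cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: operator-before-example
rules:
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["roles", "rolebindings"]
    verbs: ["create", "get", "list", "update"]
---
# AFTER (1/2): the exec rule lives in a dedicated ClusterRole that is only
# ever granted inside a namespace, via a RoleBinding to the backup workload.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: executor-example
rules:
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
---
# AFTER (2/2): the operator no longer holds exec itself. The "bind" verb,
# limited by resourceNames, lets it reference exactly one ClusterRole in the
# RoleBindings it creates, and no other role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: operator-after-example
rules:
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["rolebindings"]
    verbs: ["create", "get", "list", "update"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterroles"]
    verbs: ["bind"]
    resourceNames: ["executor-example"]
```

With the "after" roles applied, `kubectl auth can-i create pods --subresource=exec --as=system:serviceaccount:<namespace>:<operator-serviceaccount>` should answer `no` for the operator's own service account.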