karmada-io / karmada

Open, Multi-Cloud, Multi-Cluster Kubernetes Orchestration
https://karmada.io
Apache License 2.0
4.33k stars 859 forks

[Summer OSPP 2024] Karmada Component RBAC Privilege Minimization #5182

Open zhzhuang-zju opened 1 month ago

zhzhuang-zju commented 1 month ago

What would you like to be added:

Karmada (Kubernetes Armada) is a Kubernetes management system that enables you to run cloud-native applications in multiple Kubernetes clusters and cloud platforms without changing the application. By using Kubernetes native APIs and providing advanced scheduling capabilities, Karmada implements truly open, multi-cloud Kubernetes.

The Karmada project uses RBAC authentication to regulate and control access to computer or network resources. If too much resource object access is assigned when configuring RBAC, it can lead to privilege abuse, to the point where an attacker extends the battle and penetrates the cluster. If too little access to resource objects is assigned when configuring RBAC, it can lead to component functionality anomalies.

Therefore, we plan to sort out the minimum set of RBAC permissions required for Karmada components, amend the current recommended RBAC configuration for Karmada bins to be in line with the RBAC Least Privilege Principle, and ultimately use it to guide Karmada users in configuring RBAC permissions for Karmada components.

Project link https://summer-ospp.ac.cn/org/prodetail/245c40153?list=org&navpage=org

Part of https://github.com/karmada-io/karmada/issues/4879

Outputs:

- A Guidance Document: Karmada Component Minimum RBAC Privilege Set
- Function Implementation: Karmada Component RBAC Privilege Minimization
- Test Coverage: Writing test cases to cover the added functionality
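One way to make the "too much / too little" comparison described in the proposal mechanical, as an added example that is not Karmada's own code: the ClusterRole and the "required" permission set below are constructed placeholders for illustration, not the project's real component permissions.

```python
"""Compare a ClusterRole's rules against a declared minimum permission set.

Reports both deviations the proposal warns about: grants beyond the minimum
(abuse potential) and required grants that are absent (component breakage).
"""
from itertools import product

WILDCARD = "*"

# Constructed sample: a hypothetical ClusterRole for a Karmada component.
CLUSTER_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "example-karmada-component"},
    "rules": [
        {"apiGroups": [""], "resources": ["*"], "verbs": ["*"]},
        {"apiGroups": ["work.karmada.io"], "resources": ["works"],
         "verbs": ["get", "list", "watch"]},
    ],
}

# Hypothetical minimum set, as (apiGroup, resource, verb) triples.
REQUIRED = {
    ("", "configmaps", "get"), ("", "configmaps", "list"),
    ("work.karmada.io", "works", "get"), ("work.karmada.io", "works", "list"),
    ("work.karmada.io", "works", "watch"), ("work.karmada.io", "works", "update"),
}


def expand(rules):
    """Flatten resource PolicyRules into a set of (apiGroup, resource, verb) triples."""
    triples = set()
    for rule in rules:
        if rule.get("nonResourceURLs"):
            continue  # only resource rules are compared here
        for g, r, v in product(rule["apiGroups"], rule["resources"], rule["verbs"]):
            triples.add((g, r, v))
    return triples


def wildcard_grants(rules):
    """Rules using '*' anywhere; these always exceed an explicit minimum set."""
    return [r for r in rules if any(WILDCARD in r.get(k, []) for k in ("apiGroups", "resources", "verbs"))]


def is_covered(triple, granted):
    """True if a required triple is satisfied, treating '*' as matching anything."""
    group, resource, verb = triple
    return any(g in (group, WILDCARD) and r in (resource, WILDCARD) and v in (verb, WILDCARD)
               for g, r, v in granted)


def audit(role, required):
    """Return wildcard rules, literal grants beyond `required`, and uncovered required grants."""
    granted = expand(role["rules"])
    return {"wildcards": wildcard_grants(role["rules"]),
            "excess": sorted(t for t in granted if t not in required),
            "missing": sorted(t for t in required if not is_covered(t, granted))}


def minimal_rules(required):
    """Rebuild compact PolicyRules from the required triples, one rule per (group, resource)."""
    grouped = {}
    for group, resource, verb in sorted(required):
        grouped.setdefault((group, resource), []).append(verb)
    return [{"apiGroups": [g], "resources": [r], "verbs": sorted(vs)} for (g, r), vs in sorted(grouped.items())]
```

Running `audit(CLUSTER_ROLE, REQUIRED)` flags the core-group wildcard rule as excess and `works/update` as missing, and `minimal_rules(REQUIRED)` emits the rules a guidance document would recommend instead.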

zhzhuang-zju commented 1 month ago

/assign @B1F030

karmada-bot commented 1 month ago

@zhzhuang-zju: GitHub didn't allow me to assign the following users: B1F030.

Note that only karmada-io members with read permissions, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time. For more information please see the contributor guide.

In response to [this](https://github.com/karmada-io/karmada/issues/5182#issuecomment-2224411063):

> /assign @B1F030

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.