kedacore / charts

Helm charts for KEDA
Apache License 2.0

Incomplete restrict secret permissions description #605

Open joebowbeer opened 4 months ago

joebowbeer commented 4 months ago

The existing documentation for restricting secret access is misleading, as it implies that access to secrets can be (completely) restricted by enabling secret permission restrictions for keda-operator and metricServer.

In addition to improving the documentation, it would be helpful if the docs explained how to update the helm chart in order to completely restrict access.

I installed the KEDA helm chart v2.13.1 with all secret restrictions enabled

  permissions:
    operator:
      restrict:
        secret: true
    metricServer:
      restrict:
        secret: true

but keda-operator still has "get" access to all secrets by way of a different rule in the keda-operator ClusterRole:

- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get

Discussion: https://github.com/kedacore/keda/discussions/4730

Related: https://github.com/kedacore/keda-docs/issues/1307

Expected Behavior

kubectl auth can-i get secrets --as=system:serviceaccount:keda:keda-operator
no

Actual Behavior

kubectl auth can-i get secrets --as=system:serviceaccount:keda:keda-operator
yes

Steps to Reproduce the Problem

  1. Install KEDA helm chart
  2. Enable secret restrictions for keda-operator and metricServer
  3. Run kubectl auth can-i get secrets

Specifications
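The point the issue makes is a property of Kubernetes RBAC itself: rules are purely additive, so enabling a narrower Secret rule cannot take away what a wildcard rule elsewhere in the same ClusterRole grants. The following audit script is an added example, not code from the kedacore/charts repository or from this issue; it re-implements the match logic `kubectl auth can-i` relies on over an in-memory rule list, so it runs offline. The narrow rules in `RESTRICTED_RULES` are constructed assumptions about what a restricted chart produces; `WILDCARD_GET_RULE` is the rule quoted above.

```python
"""Audit a list of Kubernetes RBAC PolicyRules for effective access.

Added example (not part of kedacore/charts or this issue). Evaluation
follows Kubernetes RBAC semantics: a request is allowed if ANY rule matches
on apiGroup, resource and verb, and a '*' entry matches anything. Rules only
ever add permissions, so a narrow Secret rule cannot subtract what a
wildcard rule grants.
"""
from typing import Iterable, List


def _matches(listed: Iterable[str], wanted: str) -> bool:
    # '*' in a rule matches any value; otherwise the entry must match exactly.
    return any(item == "*" or item == wanted for item in listed)


def rule_allows(rule: dict, api_group: str, resource: str, verb: str) -> bool:
    """True if a single PolicyRule grants `verb` on `resource` in `api_group`."""
    return (
        _matches(rule.get("apiGroups", []), api_group)
        and _matches(rule.get("resources", []), resource)
        and _matches(rule.get("verbs", []), verb)
    )


def can_i(rules: List[dict], api_group: str, resource: str, verb: str) -> bool:
    """Equivalent of `kubectl auth can-i` for a subject bound to these rules."""
    return any(rule_allows(r, api_group, resource, verb) for r in rules)


def offending_rules(rules: List[dict], api_group: str, resource: str, verb: str) -> List[dict]:
    """Return every rule that grants the access, so an auditor can see which
    entry in the ClusterRole is responsible rather than just a yes/no."""
    return [r for r in rules if rule_allows(r, api_group, resource, verb)]


# Constructed sample: what a restricted chart might emit (assumption, not the
# chart's actual output), with Secrets deliberately absent.
RESTRICTED_RULES = [
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["keda.sh"], "resources": ["scaledobjects", "triggerauthentications"], "verbs": ["*"]},
]

# The rule quoted in the issue: apiGroups '*' covers the core group "" that
# Secrets live in, and resources '*' covers "secrets".
WILDCARD_GET_RULE = {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get"]}


def audit(rules: List[dict]) -> dict:
    """Summarise Secret access for a rule set."""
    return {
        "get_secrets": can_i(rules, "", "secrets", "get"),
        "list_secrets": can_i(rules, "", "secrets", "list"),
        "offending": offending_rules(rules, "", "secrets", "get"),
    }


if __name__ == "__main__":
    # With the wildcard rule present: get on secrets is still "yes".
    print(audit(RESTRICTED_RULES + [WILDCARD_GET_RULE]))
    # Only once that rule is removed does the restriction actually hold.
    print(audit(RESTRICTED_RULES))
```

To use this against a live cluster, feed it the `rules:` list from `kubectl get clusterrole keda-operator -o json`; the `offending` entry then names the exact rule to remove or narrow before the restriction setting has the effect the documentation implies.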

JorTurFer commented 4 months ago

Let's discuss the topic in the docs repo issue to not duplicate the threads: https://github.com/kedacore/keda-docs/issues/1307