kubernetes-sigs / prometheus-adapter

An implementation of the custom.metrics.k8s.io API using Prometheus
Apache License 2.0

Query about minimum permission required by -server-resources cluster role #622

Open ytizhang opened 10 months ago

ytizhang commented 10 months ago

While doing a security review of our clusters, we found a wildcard permission used in a prometheus-adapter cluster role. This violates the principle of least privilege. The ask is to provide the minimum permission needed by this cluster role (list the specific verbs and resources instead of using a wildcard). For now, we can probably try to override it on our side once we have this info. But it'd be good to have this change in future releases so we always have the updated permission.

Chart version: 3.4.2
App version: v0.10.0

The cluster role with wildcard permission (extracted from the Helm chart):

```yaml
{{- if and .Values.rbac.create (or .Values.rules.default .Values.rules.custom) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  {{- if .Values.customAnnotations }}
  annotations:
  {{- toYaml .Values.customAnnotations | nindent 4 }}
  {{- end }}
  labels:
    {{- include "k8s-prometheus-adapter.labels" . | indent 4 }}
  name: {{ template "k8s-prometheus-adapter.name" . }}-server-resources
rules:
- apiGroups:
  - custom.metrics.k8s.io
  resources: ["*"]
  verbs: ["*"]
{{- end -}}
```

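Added here as an example, not code from the issue or from the prometheus-adapter project: a stdlib-only Python check that flags the wildcard fields in the rendered rule above and derives an explicit (no-wildcard) rule set from kube-apiserver audit events for the principal the role is bound to. The audit lines are constructed, and the principal (the HPA controller's service account) is an assumption.

```python
import json
from collections import defaultdict

API_GROUP = "custom.metrics.k8s.io"
# Assumed principal: the service account the -server-resources role is bound to.
PRINCIPAL = "system:serviceaccount:kube-system:horizontal-pod-autoscaler"

# The rule rendered from the chart's -server-resources ClusterRole quoted in the issue.
WILDCARD_RULE = {"apiGroups": [API_GROUP], "resources": ["*"], "verbs": ["*"]}

# Constructed audit events carrying only the fields this check reads (user, verb,
# objectRef). In practice they come from the apiserver audit log (Metadata level).
AUDIT_LINES = [
    '{"user":{"username":"%s"},"verb":"get","objectRef":{"apiGroup":"%s","resource":"pods","subresource":"http_requests_per_second"}}' % (PRINCIPAL, API_GROUP),
    '{"user":{"username":"%s"},"verb":"get","objectRef":{"apiGroup":"%s","resource":"services","subresource":"requests_total"}}' % (PRINCIPAL, API_GROUP),
    '{"user":{"username":"%s"},"verb":"list","objectRef":{"apiGroup":"%s","resource":"services"}}' % (PRINCIPAL, API_GROUP),
    # A different principal and a core-API request: both must be ignored.
    '{"user":{"username":"system:serviceaccount:monitoring:prometheus-adapter"},"verb":"list","objectRef":{"apiGroup":"%s","resource":"pods"}}' % API_GROUP,
    '{"user":{"username":"%s"},"verb":"get","objectRef":{"apiGroup":"","resource":"pods","name":"web-0"}}' % PRINCIPAL,
]


def wildcard_fields(rule):
    """Return the RBAC rule fields that grant '*' (empty list means least-privilege shape)."""
    return [f for f in ("apiGroups", "resources", "verbs") if "*" in rule.get(f, [])]


def observed_usage(audit_lines, principal, api_group):
    """Map resource -> set of verbs that `principal` actually used against `api_group`."""
    used = defaultdict(set)
    for line in audit_lines:
        ev = json.loads(line)
        ref = ev.get("objectRef") or {}
        if ev.get("user", {}).get("username") != principal or ref.get("apiGroup") != api_group:
            continue
        used[ref["resource"]].add(ev["verb"])
    return used


def narrowed_rules(api_group, usage):
    """Turn observed usage into explicit rules, grouping resources that share a verb set."""
    by_verbs = defaultdict(list)
    for resource, verbs in sorted(usage.items()):
        by_verbs[tuple(sorted(verbs))].append(resource)
    return [{"apiGroups": [api_group], "resources": res, "verbs": list(v)}
            for v, res in sorted(by_verbs.items())]


if __name__ == "__main__":
    print("wildcard fields in chart rule:", wildcard_fields(WILDCARD_RULE))
    usage = observed_usage(AUDIT_LINES, PRINCIPAL, API_GROUP)
    print(json.dumps(narrowed_rules(API_GROUP, usage), indent=2))
```

The derived rules only cover verbs seen in the audit window, so run the check over a period long enough to include every scaling path before using it as an override.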
dgrisonnet commented 10 months ago

/triage accepted
/kind support
/assign

ytizhang commented 8 months ago

Hi @dgrisonnet, are there any updates on this? Thanks