open-feature / open-feature-operator

A Kubernetes feature flag operator
https://openfeature.dev
Apache License 2.0
181 stars 35 forks

BUG: Unnecessary permissions in Helm Charts #657

Closed Yseona closed 4 months ago

Yseona commented 4 months ago

Description

The bug is that the Deployment open-feature-operator-controller-manager in the Helm charts has more RBAC permissions than it needs. The service account of open-feature-operator-controller-manager is bound to a ClusterRole with the following permissions:

After reading the source code of open-feature-operator, I didn't find any Kubernetes API usage that requires these permissions. Besides, some of these unused permissions may carry potential risks. For example, if malicious users gain control of a Kubernetes node running an open-feature-operator-controller-manager pod, they can use the create deployments permission to create privileged containers with malicious container images.

Therefore, these permissions should be rechecked to determine whether they are truly unnecessary. If they are, the issue should be fixed by removing the unnecessary permissions or by other feasible methods.

To Reproduce

Use the helm charts with default values.

helm repo add openfeature https://open-feature.github.io/open-feature-operator/

helm template open-feature-operator openfeature/open-feature-operator
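The reproduction above only renders the chart; the check that turns it into a finding is to resolve which (apiGroup, resource, verb) triples the controller-manager ServiceAccount can actually reach through its bindings and diff that against what the controller is known to call. The script below is an added example written for this thread, not code from the open-feature-operator project or from either commenter. It works on the documents that `helm template` prints (parse them with PyYAML via `load_rendered`); the `SAMPLE_DOCS` manifests are a constructed, trimmed stand-in so it runs offline, the `USED` set is a hypothetical placeholder for whatever API calls you confirm in the controller source or in kube-apiserver audit logs, and `is_risky` is a hand-picked heuristic (wildcards, write access to workload kinds, secret reads, bind/escalate/impersonate), not anything the issue itself defines.

```python
"""Audit the RBAC that a rendered Helm chart grants to one ServiceAccount."""
from itertools import product

# Constructed stand-in for `helm template` output (trimmed; NOT the real chart).
SAMPLE_DOCS = [
    {"kind": "ServiceAccount", "apiVersion": "v1",
     "metadata": {"name": "open-feature-operator-controller-manager",
                  "namespace": "open-feature-operator-system"}},
    {"kind": "ClusterRole", "apiVersion": "rbac.authorization.k8s.io/v1",
     "metadata": {"name": "open-feature-operator-manager-role"},
     "rules": [
         {"apiGroups": ["apps"], "resources": ["deployments"],
          "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
         {"apiGroups": [""], "resources": ["services"],
          "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
         {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
     ]},
    {"kind": "ClusterRoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1",
     "metadata": {"name": "open-feature-operator-manager-rolebinding"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
                 "name": "open-feature-operator-manager-role"},
     "subjects": [{"kind": "ServiceAccount",
                   "name": "open-feature-operator-controller-manager",
                   "namespace": "open-feature-operator-system"}]},
]


def load_rendered(text):
    """Parse the multi-document YAML that `helm template` prints (needs PyYAML)."""
    import yaml  # imported lazily so the offline sample has no dependency
    return [d for d in yaml.safe_load_all(text) if d]


def granted_permissions(docs, sa_name, sa_namespace):
    """Set of (apiGroup, resource, verb) the ServiceAccount reaches through
    every ClusterRoleBinding/RoleBinding in `docs` that names it as a subject."""
    roles = {(d["kind"], d["metadata"]["name"]): d.get("rules") or []
             for d in docs if d.get("kind") in ("ClusterRole", "Role")}
    perms = set()
    for d in docs:
        if d.get("kind") not in ("ClusterRoleBinding", "RoleBinding"):
            continue
        if not any(s.get("kind") == "ServiceAccount" and s.get("name") == sa_name
                   and s.get("namespace") == sa_namespace
                   for s in d.get("subjects") or []):
            continue
        ref = d["roleRef"]
        for rule in roles.get((ref["kind"], ref["name"]), []):
            # A rule is the cross product of its groups, resources and verbs.
            for g, r, v in product(rule.get("apiGroups", [""]),
                                   rule.get("resources", []),
                                   rule.get("verbs", [])):
                perms.add((g, r, v))
    return perms


# Kinds whose create/update/patch lets the holder run an image of its choosing.
WORKLOAD_KINDS = {("", "pods"), ("apps", "deployments"), ("apps", "daemonsets"),
                  ("apps", "statefulsets"), ("batch", "jobs"), ("batch", "cronjobs")}


def is_risky(perm):
    """Hand-picked heuristic (assumption) for permissions worth a second look."""
    g, r, v = perm
    if "*" in (g, r, v):
        return True
    if (g, r) in WORKLOAD_KINDS and v in {"create", "update", "patch"}:
        return True
    if r == "secrets" and v in {"get", "list", "watch"}:
        return True
    return v in {"bind", "escalate", "impersonate"}


def unused(granted, used):
    """Granted permissions the controller never exercises; `used` is what you
    confirmed it calls (code review or kube-apiserver audit log)."""
    return sorted(granted - set(used))


def report(docs, sa_name, sa_namespace, used):
    granted = granted_permissions(docs, sa_name, sa_namespace)
    extra = unused(granted, used)
    return {"granted": sorted(granted), "unused": extra,
            "risky_unused": [p for p in extra if is_risky(p)]}


if __name__ == "__main__":
    # Hypothetical usage set: replace with the calls found in the controller.
    USED = {("apps", "deployments", v) for v in ("get", "list", "watch")}
    r = report(SAMPLE_DOCS, "open-feature-operator-controller-manager",
               "open-feature-operator-system", USED)
    for p in r["unused"]:
        print("RISKY" if p in r["risky_unused"] else "     ", "/".join(p))
```

Against a real chart, `report(load_rendered(open("rendered.yaml").read()), ...)` is the whole run; the `risky_unused` list is the part of the finding a maintainer can act on directly, and anything in `unused` that the maintainer can point at a reconcile path (as the reply below does for Flagd deployments, services and ingresses) simply moves into `USED`.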

toddbaert commented 4 months ago

The OpenFeature operator supports the creation of kind: Flagd resources, which represent standalone deployments of the flagd feature flag daemon, including the creation of both ingresses and services to support feature flag evaluation from outside the cluster.

In short, the operator should have CRUD on the resources you mention. See: https://github.com/open-feature/open-feature-operator/tree/main/controllers/core/flagd