Closed Yseona closed 4 months ago
The OpenFeature operator supports the creation of kind: Flagd
resources, which represent standalone deployments of the flagd feature flag daemon, including the creation of both ingresses and services to support feature flag evaluation from outside the cluster.
In short, the operator should have CRUD on the resources you mention. See: https://github.com/open-feature/open-feature-operator/tree/main/controllers/core/flagd
Description
The bug is that the Deployment
open-feature-operator-controller-manager
in the Helm charts has too much RBAC permission than it needs. The service account ofopen-feature-operator-controller-manager
is bound to a clusterrole with the following permissions:create/patch/update/delete
verb of thedeployments/pods
resource (ClusterRole)create
verb of theservices
resource (ClusterRole)After reading the source code of open-feature-operator, I didn't find any Kubernetes API usages using these permissions. Besides, some of these unused permissions may have potential risks. For example, if malicious users gain control of a Kubernetes node running a
open-feature-operator-controller-manager
pod, they can use thecreate deployments
permission to create privileged containers with malicious container images.Therefore, these permissions should be rechecked to determine if they are truly unnecessary. If they are, the issue should be fixed by removing the unnecessary permissions or other feasible methods.
To Reproduce
Use the helm charts with default values.
helm repo add openfeature https://open-feature.github.io/open-feature-operator/
helm template open-feature-operator openfeature/open-feature-operator