oracle / oracle-database-operator

The Oracle Database Operator for Kubernetes (a.k.a. OraOperator) helps developers, DBAs, DevOps and GitOps teams reduce the time and complexity of deploying and managing Oracle Databases. It eliminates the dependency on a human operator or administrator for the majority of database operations.
Universal Permissive License v1.0

RBAC is WAY too permissive #73

Closed erikgb closed 1 month ago

erikgb commented 1 year ago

The operator cluster role grants access to a lot of resources/verbs cluster-wide, and I cannot imagine all these permissions are required to operate:

https://github.com/oracle/oracle-database-operator/blob/bb344e4dee6ae72e5132f55e15ca4deb55557e71/oracle-database-operator.yaml#L2528-L2690

In particular, CRUD on nodes and namespaces should NOT be required, making the operator an elevated component if installed like this. You should do a massive cleanup of the RBAC!

djjeffr commented 1 year ago

Also, it should work in a non-root k8s container.

erikgb commented 1 year ago

> Also, it should work in a non-root k8s container.

I agree, but that is worth a separate issue. Do you mind opening one, @djjeffr?

djjeffr commented 1 year ago

Yes, I will open a new issue.

psaini79 commented 10 months ago

@erikgb Thanks for highlighting this. Though this fix is required at the operator level, I am wondering in general which controller you are testing.

Certainly yes, CRUD related to nodes will be removed.

psaini79 commented 10 months ago

> Also, it should work in a non-root k8s container.

Did you open the new issue thread on this? If yes, please let me know the details so that I can review the exact issue.

erikgb commented 10 months ago

@psaini79 thanks for the feedback! What took you so long? 😉 We would appreciate if the RBAC granted to the operator was least-privilege based: only grant required permissions. CRUD to nodes is probably the worst, but I think there is a lot more that can be removed from the list of permissions.

About containers running as root, @djjeffr opened https://github.com/oracle/oracle-database-operator/issues/74. I will add some more details to that issue, but again it's all about least-privilege. It's particularly important to support OpenShift - since OpenShift requires additional configuration (SCC) to allow containers to run as root.

psaini79 commented 10 months ago

@erikgb Sure, CRUD to the nodes level will be removed. I am reviewing it internally and will update the roles and privs accordingly.

psaini79 commented 1 month ago

Please review the latest branch: the operator is namespace-scoped and all the privileges are explained in each respective controller.

Please reopen the thread if you have any question.
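The opening comment flags cluster-wide CRUD on nodes and namespaces as the grant that turns the operator into an elevated component, and the closing comment says the fix was to make the operator namespace-scoped. The script below is an added example, written for this page and not code from the oracle-database-operator project, that audits a single Role or ClusterRole object (the shape returned by `kubectl get clusterrole <name> -o json`) for exactly that class of grant. Both manifests embedded in it are constructed for illustration: the permissive one mirrors the pattern described in the issue, the namespace-scoped one is a hypothetical least-privilege replacement, and neither is a copy of the operator's real RBAC. The severity tiers and the resource lists are this example's own choices.

```python
"""Audit a Kubernetes Role/ClusterRole for grants that make the subject a
cluster-wide, elevated component.

Added example for this issue thread; not code from the
oracle-database-operator project. Reads one object of the shape produced
by `kubectl get clusterrole <name> -o json` (not the List form).
"""
import json
import sys

# Resources whose objects are cluster-scoped: a write verb on them can never
# be confined to one namespace, even when granted through a ClusterRole that
# is later bound with a RoleBinding.
CLUSTER_SCOPED = {"nodes", "namespaces", "persistentvolumes", "clusterroles",
                  "clusterrolebindings", "customresourcedefinitions",
                  "storageclasses"}
# Namespaced resources that become dangerous when granted in every namespace.
SENSITIVE = {"secrets", "pods/exec", "serviceaccounts/token", "roles",
             "rolebindings"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
SEVERITY_ORDER = ["low", "medium", "high", "critical"]


def audit_rules(role):
    """Return a list of (severity, resource, sorted verbs) findings."""
    cluster_wide = role.get("kind") == "ClusterRole"
    findings = []
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        writes = bool(verbs & WRITE_VERBS)
        for res in rule.get("resources", []):
            if res == "*" or "*" in verbs:
                sev = "critical"   # unbounded grant on resources or verbs
            elif res in CLUSTER_SCOPED and writes:
                sev = "high"       # CRUD on nodes, namespaces, CRDs, ...
            elif res in CLUSTER_SCOPED and cluster_wide:
                sev = "low"        # read-only cluster inventory
            elif res in SENSITIVE and cluster_wide:
                sev = "medium"     # e.g. secrets readable in every namespace
            else:
                continue
            findings.append((sev, res, sorted(verbs)))
    return findings


def audit_json(text):
    """Convenience wrapper for raw kubectl JSON output."""
    return audit_rules(json.loads(text))


def worst_severity(findings):
    """Highest severity present, or None when the role is clean."""
    if not findings:
        return None
    return max((f[0] for f in findings), key=SEVERITY_ORDER.index)


def report(role):
    name = role.get("metadata", {}).get("name", "?")
    findings = audit_rules(role)
    lines = [f"{role.get('kind')} {name}: worst={worst_severity(findings)}"]
    for sev, res, verbs in findings:
        lines.append(f"  [{sev}] {res}: {','.join(verbs)}")
    return "\n".join(lines)


# Constructed sample: the pattern the issue describes (CRUD on nodes and
# namespaces, secrets everywhere, wildcard verbs), not the operator's manifest.
PERMISSIVE_CLUSTERROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "example-operator-clusterrole"},
    "rules": [
        {"apiGroups": [""], "resources": ["nodes"],
         "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
        {"apiGroups": [""], "resources": ["namespaces"],
         "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
        {"apiGroups": [""], "resources": ["secrets"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apps"], "resources": ["statefulsets"], "verbs": ["*"]},
    ],
}

# Constructed, hypothetical namespace-scoped replacement: same workload verbs,
# but bound inside one namespace and with no cluster-scoped resources at all.
NAMESPACED_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "example-operator-role", "namespace": "example-ns"},
    "rules": [
        {"apiGroups": [""],
         "resources": ["secrets", "services", "persistentvolumeclaims"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
        {"apiGroups": ["apps"], "resources": ["statefulsets"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    ],
}

if __name__ == "__main__":
    # `python audit_rbac.py - < role.json` audits kubectl output; with no
    # argument the two constructed samples are audited instead.
    if len(sys.argv) > 1 and sys.argv[1] == "-":
        roles = [json.load(sys.stdin)]
    else:
        roles = [PERMISSIVE_CLUSTERROLE, NAMESPACED_ROLE]
    for r in roles:
        print(report(r))
```

Run against the two samples, the ClusterRole reports critical/high/medium findings (the wildcard on statefulsets, the writes on nodes and namespaces, and secrets across all namespaces) while the namespace-scoped Role reports nothing, which is the shape of the cleanup the thread asks for. The check is deliberately conservative: read-only access to cluster-scoped resources is reported at low severity because operators commonly need to list nodes, and whether even that is necessary is a per-controller question like the one the maintainers raise.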