Open Yseona opened 1 month ago
Hey @Yseona! Thanks for opening your first issue. We appreciate your contribution and welcome you to our community! We are glad to have you here and to have your input on Contour. You can also join us on our mailing list and in our channel in the Kubernetes Slack Workspace.
Hi community!
I just found that the Deployment `contour` in the charts has both `list` and `get` verbs for the `secrets` resource (contour.yaml). However, after reading the source code of contour, I didn't find any Kubernetes API usages that require `list secrets` permissions. If a malicious user gets the service account token, they can list all the names of the secrets, and with the name, they can get the details of all the secrets objects (since this is declared in a ClusterRole). Therefore, for security reasons, I suggest checking this permission to determine if it is truly unnecessary. If it is, the issue should be fixed by removing the unnecessary permission or by other feasible methods.