v6d-io / v6d

vineyard (v6d): an in-memory immutable data manager. (Project under CNCF, TAG-Storage)
https://v6d.io
Apache License 2.0

BUG: Unnecessary permissions in charts #1904

Closed Yseona closed 1 month ago

Yseona commented 1 month ago

Description

The bug is that the Deployment vineyard-controller-manager in the charts has more RBAC permissions than it needs. The service account of vineyard-controller-manager is bound to a ClusterRole (manager-rbac.yaml) with the following permissions:

After reading the source code of vineyardcloudnative/vineyard-operator, I didn't find any Kubernetes API usage that requires these permissions. Besides, some of these unused permissions may have potential risks. For example, if malicious users gain control of a Kubernetes node running a vineyard-controller-manager pod, they can use the create deployments permission to create privileged containers with malicious container images.

Therefore, these permissions should be rechecked to determine if they are truly unnecessary. If they are, the issue should be fixed by removing the unnecessary permissions or other feasible methods.

To Reproduce

Use the charts with default values.
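The check the report above calls for, as an added example that is not part of the issue and not code from the vineyard project: flatten a ClusterRole into (apiGroup, resource, verb) grants, subtract the set a source review shows the controller actually exercises, flag the dangerous remainder, and emit the minimal rules that would replace it. The ClusterRole and the "needed" set below are constructed for illustration; they are not the chart's real manager-rbac.yaml, whose rule list does not appear on this page.

```python
"""Least-privilege audit of a Kubernetes ClusterRole.

Added example for this issue; not the vineyard project's code. Both the sample
ClusterRole and SAMPLE_NEEDED are constructed inputs, not the chart's real rules.
"""
from itertools import product

# Constructed ClusterRole in the shape `kubectl get clusterrole <name> -o json` returns.
SAMPLE_CLUSTERROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "example-manager-role"},
    "rules": [
        {"apiGroups": ["k8s.v6d.io"], "resources": ["vineyardds"], "verbs": ["*"]},
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["get", "list", "watch", "create", "delete"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
        {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
    ],
}

ALL_VERBS = ("get", "list", "watch", "create", "update", "patch", "delete", "deletecollection")

# Constructed: grants a (hypothetical) source review found the controller really uses.
SAMPLE_NEEDED = {("k8s.v6d.io", "vineyardds", v) for v in ALL_VERBS} | {
    ("apps", "deployments", "get"),
    ("apps", "deployments", "list"),
    ("apps", "deployments", "watch"),
}

# Grants that let the holder run arbitrary workloads or read credentials;
# each one should be justified individually in a chart.
HIGH_RISK = {
    ("apps", "deployments", "create"),
    ("", "pods", "create"),
    ("", "pods/exec", "create"),
    ("", "secrets", "get"),
    ("", "secrets", "list"),
    ("rbac.authorization.k8s.io", "clusterrolebindings", "create"),
}


def expand_rules(role):
    """Flatten a ClusterRole into a set of (apiGroup, resource, verb) triples.

    A '*' verb expands to every verb. A '*' resource is kept literally because
    expanding it needs API discovery; treat it as a finding in its own right.
    """
    grants = set()
    for rule in role.get("rules", []):
        verbs = ALL_VERBS if "*" in rule.get("verbs", []) else rule["verbs"]
        for group, resource, verb in product(rule.get("apiGroups", [""]), rule.get("resources", []), verbs):
            grants.add((group, resource, verb))
    return grants


def audit(role, needed):
    """Return (unused, high_risk_unused): grants the controller never exercises, and the dangerous subset."""
    unused = expand_rules(role) - set(needed)
    return unused, unused & HIGH_RISK


def minimal_rules(needed):
    """Regroup the needed grants into ClusterRole rules, one per (apiGroup, resource), verbs sorted."""
    by_target = {}
    for group, resource, verb in needed:
        by_target.setdefault((group, resource), set()).add(verb)
    return [
        {"apiGroups": [group], "resources": [resource], "verbs": sorted(verbs)}
        for (group, resource), verbs in sorted(by_target.items())
    ]


if __name__ == "__main__":
    unused, risky = audit(SAMPLE_CLUSTERROLE, SAMPLE_NEEDED)
    for grant in sorted(unused):
        print(("HIGH RISK " if grant in risky else "unused    ") + "/".join(grant))
    print("replacement rules:", minimal_rules(SAMPLE_NEEDED))
```

Against a live cluster the role can be pulled with `kubectl get clusterrole <name> -o json` and fed to `audit`; `kubectl auth can-i --list --as=system:serviceaccount:<namespace>:<serviceaccount>` shows the same effective grants from the API server's point of view, which is the quickest way to confirm a chart change actually removed a permission.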

dashanji commented 1 month ago

Hi @Yseona, thanks for raising this issue; it's not a bug.

The permissions are needed when the vineyard operator is supposed to create these resources (https://github.com/v6d-io/v6d/tree/main/k8s/pkg/templates).

dashanji commented 1 month ago

If you have any questions, please feel free to open it.