Closed Yseona closed 1 month ago
Hi @Yseona, thanks for raising this issue; it's not a bug.
The permissions are needed when the vineyard operator is supposed to create these resources (https://github.com/v6d-io/v6d/tree/main/k8s/pkg/templates).
If you have any questions, please feel free to open it.
Description
The bug is that the Deployment vineyard-controller-manager in the charts has more RBAC permissions than it needs. The service account of vineyard-controller-manager is bound to a ClusterRole (manager-rbac.yaml) with the following permissions:
- create/update verb of the deployments/daemonsets resource (ClusterRole)
- create/delete/update verb of the jobs/pods/services resource (ClusterRole)
After reading the source code of vineyardcloudnative/vineyard-operator, I didn't find any Kubernetes API usages using these permissions. Besides, some of these unused permissions may have potential risks. For example, if malicious users gain control of a Kubernetes node running a vineyard-controller-manager pod, they can use the create deployments permission to create privileged containers with malicious container images. Therefore, these permissions should be rechecked to determine if they are truly unnecessary. If they are, the issue should be fixed by removing the unnecessary permissions or other feasible methods.
To Reproduce
Use the charts with default values.
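The kind of check the reporter describes (comparing what a ClusterRole grants against the API calls the operator actually makes) can be scripted. The following is an added example and is not code from the v6d project or from either participant in this issue. The ClusterRole JSON is a constructed sample shaped like `kubectl get clusterrole <name> -o json` output, with rules that mirror the verbs listed in the issue; the `NEEDED` allow-list is a hypothetical result of reading the operator's source and stands in for whatever a real audit finds. The script expands the rules into flat (apiGroup, resource, verb) triples, reports grants the allow-list does not justify, highlights the highest-impact class (write access to workload resources, which lets the subject choose pod specs and images), and rebuilds a least-privilege ClusterRole from the allow-list.

```python
import json

# Constructed sample, shaped like `kubectl get clusterrole <name> -o json` output.
# The rules mirror the verbs the issue lists; the role name is a placeholder and
# this is not the chart's real manager-rbac.yaml.
SAMPLE_CLUSTERROLE = json.dumps({
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "example-manager-role"},
    "rules": [
        {"apiGroups": ["apps"],
         "resources": ["deployments", "daemonsets"],
         "verbs": ["get", "list", "watch", "create", "update"]},
        {"apiGroups": [""],
         "resources": ["pods", "services"],
         "verbs": ["get", "list", "watch", "create", "delete", "update"]},
        {"apiGroups": ["batch"],
         "resources": ["jobs"],
         "verbs": ["get", "list", "watch", "create", "delete", "update"]},
    ],
})

# Hypothetical allow-list: the (apiGroup, resource, verb) triples an audit of the
# operator's source found it actually uses. Here: read-only access to each resource.
NEEDED = {
    (group, resource, verb)
    for group, resource in [("apps", "deployments"), ("apps", "daemonsets"),
                            ("", "pods"), ("", "services"), ("batch", "jobs")]
    for verb in ("get", "list", "watch")
}

# Resources whose objects carry a pod spec; write verbs on these let the subject run
# arbitrary images under arbitrary security contexts, so they deserve extra scrutiny.
WORKLOAD_RESOURCES = {"pods", "deployments", "daemonsets", "statefulsets",
                      "replicasets", "jobs", "cronjobs"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}


def granted(clusterrole_json):
    """Expand a ClusterRole's rules into a flat set of (apiGroup, resource, verb) triples."""
    role = json.loads(clusterrole_json)
    out = set()
    for rule in role.get("rules", []):
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    out.add((group, resource, verb))
    return out


def unused_grants(clusterrole_json, needed):
    """Grants present in the role that the allow-list does not justify, sorted."""
    return sorted(granted(clusterrole_json) - set(needed))


def workload_write_grants(clusterrole_json):
    """The subset of grants that allow creating or changing pod specs."""
    return sorted(
        (g, r, v) for (g, r, v) in granted(clusterrole_json)
        if (r in WORKLOAD_RESOURCES or r == "*") and v in WRITE_VERBS
    )


def minimal_role(clusterrole_json, needed):
    """Rebuild the ClusterRole as a dict keeping only allow-listed grants, one rule per group/resource."""
    role = json.loads(clusterrole_json)
    keep = granted(clusterrole_json) & set(needed)
    by_key = {}
    for g, r, v in sorted(keep):
        by_key.setdefault((g, r), []).append(v)
    role["rules"] = [
        {"apiGroups": [g], "resources": [r], "verbs": verbs}
        for (g, r), verbs in sorted(by_key.items())
    ]
    return role


if __name__ == "__main__":
    for triple in unused_grants(SAMPLE_CLUSTERROLE, NEEDED):
        print("unused grant:", triple)
    for triple in workload_write_grants(SAMPLE_CLUSTERROLE):
        print("workload write grant:", triple)
    print(json.dumps(minimal_role(SAMPLE_CLUSTERROLE, NEEDED), indent=2))
```

On a live cluster the same comparison can be fed from `kubectl get clusterrole <name> -o json` on the input side and from API-server audit logs on the allow-list side; the allow-list built from source reading (as the reporter did) tends to undercount permissions used only on rare paths, which is why the maintainer's answer (the operator creates these resources from templates) is the kind of evidence the audit has to account for before anything is removed.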