Closed Yseona closed 3 months ago
1. volcano admission needs to generate secrets in an init job, and I will file a PR to shrink permissions.
2. volcano controller's permissions to list/watch secrets have been removed in the latest version.
3. The update permission is necessary for volcano controller because it needs to update the pod's podgroup, etc.
@Monokaix I tried to find all update/patch related operations on pods. Maybe we only need the `patch` verb instead of the `update` verb?
After a deeper look, volcano scheduler calls the `UpdateStatus` method, which needs the `update` verb role :)
And volcano admission related permissions have been reduced in PR https://github.com/volcano-sh/volcano/pull/3504
@kaaass I think we can remove the update verb in volcano controller, you can do that if you're available :)
@Monokaix Thank you for the reply :)
`UpdateStatus` only requires permission on the subresource `pods/status` (client-go source code). Subresources use separate permission grants (document).
I'm happy to do that! Sadly I'm a little busy at the moment. I'll give it a try if it is still unsolved, maybe later this week :)
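As an added example (not Volcano's code), the check below applies the Kubernetes RBAC authorizer's resource-matching rules to two constructed ClusterRole rule sets: one with the broad grants the issue lists, and one narrowed so that `update` is granted only on the `pods/status` subresource and the secrets rule is gone. `allows` and `audit` are hypothetical helper names.

```python
# Added example (not Volcano's code): evaluates ClusterRole rules the way the
# Kubernetes RBAC authorizer does, to show that `update` on `pods` and
# `update` on the `pods/status` subresource are separate grants.
# Both rule sets are constructed from the permissions named in this issue.

BROAD_RULES = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch", "update"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
]

# Narrowed: UpdateStatus() only needs `update` on `pods/status`; no secrets rule.
NARROW_RULES = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["pods/status"], "verbs": ["update"]},
]


def _resource_matches(rule_resources, resource):
    """Mirror RBAC ResourceMatches: "*", an exact entry, or "*/<subresource>".
    A bare "pods" entry never covers "pods/status", and vice versa."""
    subresource = resource.partition("/")[2]  # "" when there is no subresource
    for entry in rule_resources:
        if entry == "*" or entry == resource:
            return True
        if subresource and entry == "*/" + subresource:
            return True
    return False


def allows(rules, verb, resource, api_group=""):
    """True if any rule grants `verb` on `resource` in `api_group` ("" = core)."""
    for rule in rules:
        verb_ok = "*" in rule["verbs"] or verb in rule["verbs"]
        group_ok = "*" in rule["apiGroups"] or api_group in rule["apiGroups"]
        if verb_ok and group_ok and _resource_matches(rule["resources"], resource):
            return True
    return False


def audit(rules, checks):
    """Map each (verb, resource) pair in `checks` to whether `rules` grants it."""
    return {(verb, res): allows(rules, verb, res) for verb, res in checks}


if __name__ == "__main__":
    checks = [("update", "pods"), ("update", "pods/status"),
              ("get", "secrets"), ("list", "secrets")]
    for name, rules in (("broad", BROAD_RULES), ("narrow", NARROW_RULES)):
        print(name, audit(rules, checks))
```

Running the audit on a real ClusterRole (e.g. the YAML converted to the same dict shape) shows exactly which of the issue's listed grants are still present after a change.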
That's ok.
/close
@Monokaix: Closing this issue.
Description
The bug is that the Deployments volcano-admission and volcano-controllers in the charts have more RBAC permissions than they need. The service account of volcano-admission is bound to a clusterrole (admission.yaml#L44) with the following permissions:
- `get` verb of the `secrets` resource (ClusterRole)
The service account of volcano-controllers is bound to a clusterrole (controllers.yaml#L16) with the following permissions:
- `update` verb of the `pods` resource (ClusterRole)
- `get`/`list` verb of the `secrets` resource (ClusterRole)
After reading the source code of volcano, I didn't find any Kubernetes API usages using these permissions. Besides, some of these unused permissions may have potential risks. For example, if malicious users gain control of a Kubernetes node running a volcano-controllers pod, they can list all the names of the secrets, and with the names they can get the details of all the secret objects (since this is declared in a ClusterRole). Therefore, for security reasons, I suggest checking these permissions to determine if they are truly unnecessary. If they are, the issue should be fixed by removing the unnecessary permissions or by other feasible methods.
To Reproduce
Use charts with default values.