fix: Replace wildcards in RBAC objects with explicit resources and verbs #6129
+64
−20
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
legal90
commented
Sep 3, 2024
4 tasks
legal90
force-pushed
the
rbac-no-wildcards
branch
4 times, most recently
from
04f9747 to
4142acc
Compare
|
/run-e2e |
legal90
force-pushed
the
rbac-no-wildcards
branch
2 times, most recently
from
0d56c96 to
da55007
Compare
|
/run-e2e |
|
/run-e2e |
legal90
force-pushed
the
rbac-no-wildcards
branch
from
da55007 to
aa1b7bf
Compare
|
/run-e2e |
|
/run-e2e internal |
legal90
force-pushed
the
rbac-no-wildcards
branch
from
aa1b7bf to
09e545f
Compare
|
/run-e2e internal |
|
/run-e2e rabbit |
JorTurFer
reviewed
Oct 31, 2024
JorTurFer
reviewed
Oct 31, 2024
|
/run-e2e subresource_scale_test |
wozniakjan
approved these changes
Oct 31, 2024
|
/run-e2e |
|
@legal90 , could you fix DCO? it was broken during last commit -> https://github.com/kedacore/keda/pull/6129/checks?check_run_id=32323819193 |
legal90
force-pushed
the
rbac-no-wildcards
branch
from
cc7e1a1 to
6f01a9b
Compare
Signed-off-by: Mikhail Zholobov <legal90@gmail.com>
Signed-off-by: Mikhail Zholobov <legal90@gmail.com>
Signed-off-by: Mikhail Zholobov <legal90@gmail.com>
According to the PR review comment. Signed-off-by: Mikhail Zholobov <legal90@gmail.com>
legal90
force-pushed
the
rbac-no-wildcards
branch
from
6f01a9b to
870245d
Compare
|
@JorTurFer Yes sure! I fixed the DCO and rebased the branch now. |
|
/run-e2e |
JorTurFer
approved these changes
Nov 3, 2024
mpechner-akasa
pushed a commit
to nrichardson-akasa/keda
that referenced
this pull request
Nov 29, 2024
…rbs (kedacore#6129) * fix: Replace wildcards in RBAC objects with explicit resources and verbs Signed-off-by: Mikhail Zholobov <legal90@gmail.com> * Update changelog Signed-off-by: Mikhail Zholobov <legal90@gmail.com> * Revert the deletion of RBAC rule "allow to get any resource" Signed-off-by: Mikhail Zholobov <legal90@gmail.com> * Rollback the RBAC rule for "*/scale" According to the PR review comment. Signed-off-by: Mikhail Zholobov <legal90@gmail.com> --------- Signed-off-by: Mikhail Zholobov <legal90@gmail.com> Signed-off-by: michael pechner <mike.pechner@akasa.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
According to Kubernetes documentation and various k8s security guidelines, wildcards in resource and verb entries should be avoided:
Warning
Using wildcards in resource and verb entries could result in overly permissive access being granted to sensitive resources. For instance, if a new resource type is added, or a new subresource is added, or a new custom verb is checked, the wildcard entry automatically grants access, which may be undesirable. The principle of least privilege should be employed, using specific resources and verbs to ensure only the permissions required for the workload to function correctly are applied.
Refs:
This PR could be seen as a continuation of a previous work for hardening the RBAC: kedacore/charts#625
It replaces
*with explicit verbs and resources, according to KEDA needs.Checklist
Relates to kedacore/charts#682