RBAC is WAY to permissive

[erikgb]

The operator cluster role grants access to a lot of resources/verbs cluster-wide, and I cannot imagine all these permissions are required to operate:

oracle-database-operator/oracle-database-operator.yaml

Lines 2528 to 2690 in bb344e4

	- apiGroups:
	- ""
	resources:
	- configmaps
	- events
	- pods
	- pods/exec
	- pods/log
	- replicasets
	- services
	verbs:
	- create
	- delete
	- get
	- list
	- patch
	- update
	- watch
	- apiGroups:
	- ""
	resources:
	- configmaps
	- namespaces
	- secrets
	verbs:
	- create
	- delete
	- get
	- list
	- patch
	- update
	- watch
	- apiGroups:
	- ""
	resources:
	- configmaps
	- secrets
	verbs:
	- create
	- delete
	- get
	- list
	- patch
	- update
	- watch
	- apiGroups:
	- ""
	resources:
	- events
	- nodes
	- persistentvolumeclaims
	- pods
	- pods/exec
	- pods/log
	- services
	verbs:
	- create
	- delete
	- get
	- list
	- patch
	- update
	- watch
	- apiGroups:
	- ''''''
	resources:
	- statefulsets/finalizers
	verbs:
	- create
	- delete
	- get
	- list
	- patch
	- update
	- watch
	- apiGroups:
	- apps
	resources:
	- replicasets
	verbs:
	- create
	- delete
	- get
	- list
	- patch
	- update
	- watch
	- apiGroups:
	- apps
	resources:
	- statefulsets
	verbs:
	- create
	- delete
	- get
	- list
	- patch
	- update
	- watch
	- apiGroups:
	- coordination.k8s.io
	resources:
	- leases
	verbs:
	- create
	- get
	- list
	- update
	- apiGroups:
	- ""
	resources:
	- configmaps
	- events
	- namespaces
	- nodes
	- persistentvolumeclaims
	- pods
	- pods/exec
	- pods/log
	- secrets
	- services
	verbs:
	- create
	- delete
	- get
	- list
	- patch
	- update
	- watch
	- apiGroups:
	- ""
	resources:
	- configmaps
	- namespaces
	- pods
	- secrets
	- services
	verbs:
	- create
	- delete
	- get
	- list
	- patch
	- update
	- watch
	- apiGroups:
	- ""
	resources:
	- pods/exec
	verbs:
	- create
	- apiGroups:
	- database.oracle.com
	resources:
	- autonomouscontainerdatabases
	verbs:
	- create
	- delete
	- get
	- list
	- patch
	- update
	- watch

In particular, CRUD on nodes and namespaces should NOT be required, making the operator an elevated component if installed like this. You should do a massive cleanup of the RBAC!

[djjeffr]

Also should make work in a non root k8s container.

[erikgb]

Also should make work in a non root k8s container.

I agree, but that is worth a separate issue. Do you mind opening one, @djjeffr?

[djjeffr]

Yes I will open a new issue

[psaini79]

@erikgb Thanks for highlighting this. Though this fix is requires at operator level, I am wondering in general which controller you are testing?

Certainly yes, CRUD related to nodes will be removed.

[psaini79]

Also should make work in a non root k8s container.

Did you open the new issue thread on this? If yes, please let me know the details so that I can review the exact issue.

[erikgb]

@psaini79 thanks for the feedback! What took you so long? 😉 We would appreciate if the RBAC granted to the operator was least-privilege based: only grant required permissions. CRUD to nodes is probably the worst, but I think there is a lot more that can be removed from the list of permissions.

About containers running as root, @djjeffr opened #74. I will add some more details to that issue, but again it's all about least-privilege. It's particularly important to support OpenShift - since OpenShift requires additional configuration (SCC) to allow containers to run as root.

[psaini79]

@erikgb Sure, CRUD to the nodes level will be removed. I am reviewing it internally and will update the roles and privs accordingly.

[psaini79]

Please review the latest branch, the operator is namescoped and all the privileges are explained in each respective controller.

Please reopen the thread if you have any question.