The bug is that the Deployment csi-curve-plugin-provisioner and DaemonSet csi-curve-plugin in the charts have more RBAC permissions than they need. The service account of csi-curve-plugin-provisioner is bound to a ClusterRole (controller-rbac.yaml#L12) with the following permissions:
list verb of secrets resource (ClusterRole)
The service account of csi-curve-plugin is bound to a ClusterRole (node-rbac.yaml#L12) with the following permissions:
update verb of nodes resource (ClusterRole)
After reading the source code of curvecsi/curve-csi, sig-storage/csi-node-driver-registrar, etc., I didn't find any Kubernetes API usages using these permissions. Besides, some of these unused permissions may have potential risks. For example, if malicious users gain control of a Kubernetes node running a csi-curve-plugin-provisioner pod, they can list all the names of the secrets, and with the name, they can get the details of all the secrets objects (since this is declared in a ClusterRole).
Therefore, these permissions should be rechecked to determine if they are truly unnecessary. If they are, the issue should be fixed by removing the unnecessary permissions or by other feasible methods.
To Reproduce
Use the helm chart with default values.
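A small audit helper, added here as an example and not code from the curve-csi project: it expands each ClusterRole's rules into (apiGroup, resource, verb) grants and reports any grant outside an allow-list of the API calls the workload was actually observed to make, which is the check the report above describes doing by hand. The two ClusterRole objects and both allow-lists are constructed for illustration (shaped like `kubectl get clusterrole <name> -o json` output, mirroring the list-secrets and update-nodes grants called out above); in real use the role JSON would be piped in from kubectl and the allow-lists built from a source audit or API-server audit logs.

```python
"""Report ClusterRole grants that exceed an allow-list of the API calls a workload makes."""
import json

# Constructed sample objects, shaped like `kubectl get clusterrole <name> -o json` output.
# They mirror the two grants the issue calls out (list secrets, update nodes); they are
# not the chart's real controller-rbac.yaml / node-rbac.yaml.
CONTROLLER_ROLE = json.loads("""
{"kind": "ClusterRole", "metadata": {"name": "csi-curve-plugin-provisioner-role"},
 "rules": [
   {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
   {"apiGroups": [""], "resources": ["persistentvolumes"],
    "verbs": ["get", "list", "watch", "create", "delete"]}]}
""")
NODE_ROLE = json.loads("""
{"kind": "ClusterRole", "metadata": {"name": "csi-curve-plugin-role"},
 "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "update"]}]}
""")

# Hypothetical allow-lists (assumption): the (apiGroup, resource, verb) calls observed in the
# code of each workload. In practice build these from a source audit or API-server audit logs.
CONTROLLER_NEEDED = {("", "secrets", "get")} | {
    ("", "persistentvolumes", v) for v in ("get", "list", "watch", "create", "delete")}
NODE_NEEDED = {("", "nodes", "get")}


def grants(role):
    """Expand every rule into (apiGroup, resource, verb) triples.

    A '*' in any field is kept literally, so a wildcard never matches an allow-list entry
    and is therefore always reported as excess.
    """
    out = set()
    for rule in role.get("rules", []):
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    out.add((group, resource, verb))
    return out


def excess(role, needed):
    """Grants present in the role but absent from the allow-list, sorted for stable output."""
    return sorted(grants(role) - set(needed))


if __name__ == "__main__":
    for role, needed in ((CONTROLLER_ROLE, CONTROLLER_NEEDED), (NODE_ROLE, NODE_NEEDED)):
        name = role["metadata"]["name"]
        for group, resource, verb in excess(role, needed):
            print(f"{name}: '{verb}' on {group or 'core'}/{resource} is not in the allow-list")
```

Because both roles are ClusterRoles, every reported grant applies cluster-wide; for namespaced resources such as secrets, a Role plus RoleBinding scoped to the driver's namespace is the tighter alternative when the `get` is genuinely needed.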