Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG]: Unnecessary RBAC permissions #1122

Open
2 of 4 tasks
Yseona opened this issue May 30, 2024 · 2 comments · May be fixed by #1221
Open
2 of 4 tasks

[BUG]: Unnecessary RBAC permissions #1122

Yseona opened this issue May 30, 2024 · 2 comments · May be fixed by #1221

Comments

@Yseona
Copy link

Yseona commented May 30, 2024

Checklist

  • I've searched for similar issues and couldn't find anything matching
  • I've included steps to reproduce the behavior

Affected Components

  • K8sGPT (CLI)
  • K8sGPT Operator

K8sGPT Version

v0.3.32

Kubernetes Version

No response

Host OS and its Version

No response

Steps to reproduce

Use chart with default values.

Expected behaviour

The bug is that the Deployment k8sgpt in the charts has both list and get verbs for the secrets resource (role.yaml). However, after reading the source code of k8sgpt, I didn't find any Kubernetes API usages that require list secrets permissions. If malicious users gain control of a Kubernetes node running a k8sgpt pod, they can list all the names of the secrets, and with the name, they can get the details of all the secrets objects (since this is declared in a ClusterRole).

Therefore, for security reasons, I suggest checking this permission to determine if it is truly unnecessary. If it is, the issue should be fixed by removing the unnecessary permission or other feasible methods.

Actual behaviour

No response

Additional Information

No response
@github-project-automation github-project-automation bot moved this to Proposed in Backlog May 30, 2024
@JuHyung-Son
Copy link
Contributor

agree.

@michael12312
Copy link
Contributor

michael12312 commented Jul 16, 2024
edited
Loading

Hi, I will work on this issue, and will raise a PR soon, Thanks!

@michael12312 michael12312 linked a pull request Aug 13, 2024 that will close this issue
Open
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
Backlog
Status: Proposed
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: remove list secret rule fidelity-contributions/k8sgpt-ai-k8sgpt
3 participants
@JuHyung-Son @michael12312 @Yseona