AM0012
Ashish edited this page Mar 15, 2022
**1. CSV RBAC rules present in the operator bundle are too lenient.**

We perform the following checks on the RBAC rules listed in the CSV YAML:

- Presence of the wildcard operator (`*`) under `apiGroups`.
- Access to confidential cluster resources such as secrets and configmaps outside the operator's target namespace(s). (Reads are optionally allowed only if the `resourceNames` attribute is set.)
- Presence of the wildcard operator (`*`) under `resources`. (Allowed if it comes under the `apiGroups` owned by the operator.)
```yaml
# sample-operator.clusterserviceversion.yaml
clusterPermissions:
  - rules:
      - apiGroups:
          - "*"
        resources:
          - "*"
        verbs:
          - "*"
    serviceAccountName: sample-operator
```
Here both `apiGroups` and `resources` list `*` (the wildcard operator), so this rule is flagged.
```yaml
# abcd-operator.clusterserviceversion.yaml
clusterPermissions:
  - rules:
      - apiGroups:
          - ""
        resources:
          - "secrets"
          - "configmaps"
        # the RBAC field is resourceNames (lower-case r)
        resourceNames:
          - "test123"
        verbs:
          - "*"
      - apiGroups:
          - "abcd"
        resources:
          - "*"
        verbs:
          - "*"
    serviceAccountName: sample-operator
```
This bundle passes the checks because:

- `secrets` and `configmaps` are only accessed with specific resource names.
- The wildcard under `resources` belongs to the API group (`abcd`) owned by the operator.
- No wildcards are present under `apiGroups`.
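As an added example (not the audit tool's own code), the three checks above implemented over the two CSV fragments from this page, represented as already-parsed dicts with the same simplified layout; the set of operator-owned API groups is passed in as an assumption, since a real CSV derives it from its owned CRDs.

```python
# Added example: AM0012-style checks on CSV clusterPermissions rules.
# Rules are plain dicts (parsed YAML); owned_groups is an assumed input.

SENSITIVE_RESOURCES = {"secrets", "configmaps"}


def rule_findings(rule, owned_groups):
    """Return the list of AM0012 findings for a single RBAC rule."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    names = rule.get("resourceNames", [])
    findings = []
    # Check 1: a wildcard under apiGroups is never acceptable.
    if "*" in groups:
        findings.append("wildcard under apiGroups")
    # Check 2: cluster-wide access to secrets/configmaps (core group "",
    # or any group via "*") is only tolerated when resourceNames is set.
    touches_sensitive = "*" in resources or bool(SENSITIVE_RESOURCES & set(resources))
    core_or_any_group = "" in groups or "*" in groups
    if touches_sensitive and core_or_any_group and not names:
        findings.append("secrets/configmaps accessed without resourceNames")
    # Check 3: a wildcard under resources is allowed only when every
    # apiGroup in the rule is owned by the operator.
    if "*" in resources and not (groups and set(groups) <= set(owned_groups)):
        findings.append("wildcard under resources outside owned apiGroups")
    return findings


def audit_csv(csv, owned_groups):
    """Collect findings for all clusterPermissions rules, keyed by service account."""
    out = {}
    for perm in csv.get("clusterPermissions", []):
        sa = perm.get("serviceAccountName", "<unknown>")
        for rule in perm.get("rules", []):
            for finding in rule_findings(rule, owned_groups):
                out.setdefault(sa, []).append(finding)
    return out


# Constructed inputs: the two CSV fragments on this page in parsed form.
SAMPLE_CSV = {"clusterPermissions": [{
    "serviceAccountName": "sample-operator",
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}]}
ABCD_CSV = {"clusterPermissions": [{
    "serviceAccountName": "sample-operator",
    "rules": [
        {"apiGroups": [""], "resources": ["secrets", "configmaps"],
         "resourceNames": ["test123"], "verbs": ["*"]},
        {"apiGroups": ["abcd"], "resources": ["*"], "verbs": ["*"]}]}]}
```

Running `audit_csv(SAMPLE_CSV, ["abcd"])` reports all three findings for `sample-operator`, while `audit_csv(ABCD_CSV, ["abcd"])` returns no findings.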