Ashish edited this page Mar 15, 2022 · 2 revisions

Problematic configuration:

**1. CSV RBAC rules present in the operator bundle are too lenient.**

We perform the following checks on the RBAC rules listed in the CSV YAML:

- Presence of the wildcard operator (`*`) under `apiGroups`.
- Access to confidential cluster resources such as secrets and configmaps outside the operator's target namespace(s). (Reads are optionally allowed only if the `resourceNames` attribute is set.)
- Presence of the wildcard operator under `resources`. (Allowed if it comes under an API group owned by the operator.)
```yaml
# sample-operator.clusterserviceversion.yaml

clusterPermissions:
  - rules:
    - apiGroups:
      - "*"
      resources:
      - "*"
      verbs:
      - "*"
    serviceAccountName: sample-operator
```

Here both `apiGroups` and `resources` list `*` (the wildcard operator), so the service account can do anything to any resource in the cluster.

Correct configuration:

```yaml
# abcd-operator.clusterserviceversion.yaml
clusterPermissions:
  - rules:
    - apiGroups:
      - ""
      resources:
      - "secrets"
      - "configmaps"
      resourceNames:
      - "test123"
      verbs:
      - "*"
    - apiGroups:
      - "abcd"
      resources:
      - "*"
      verbs:
      - "*"
    serviceAccountName: sample-operator
```

- Secrets and configmaps are only accessed with specific resource names (`resourceNames`).
- The wildcard under `resources` belongs to the API group owned by the operator (`abcd`).
- No wildcards are present under `apiGroups`.
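The three checks above, written out as a small linter (an added example, not code from this wiki or from any operator tooling). The CSV is passed as the dict that `yaml.safe_load` returns for a `clusterserviceversion.yaml`; owned API groups are derived from `spec.customresourcedefinitions.owned`, and the two embedded CSVs, the CRD name `widgets.abcd` and the finding messages are constructed for this example.

```python
from typing import Dict, List, Set

CONFIDENTIAL = {"secrets", "configmaps"}  # core-group ("") resources the check guards

def owned_api_groups(csv: Dict) -> Set[str]:
    """API groups of the CRDs listed under spec.customresourcedefinitions.owned
    (CRD names have the form <plural>.<group>)."""
    owned = csv.get("spec", {}).get("customresourcedefinitions", {}).get("owned", [])
    return {crd["name"].split(".", 1)[1] for crd in owned if "." in crd.get("name", "")}

def check_rules(rules: List[Dict], owned: Set[str]) -> List[str]:
    """Apply the three checks to one rules list; an empty result means the rules pass."""
    findings = []
    for i, rule in enumerate(rules):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        if "*" in groups:
            findings.append(f"rule {i}: wildcard under apiGroups")
        if "*" in resources and not groups <= owned:
            findings.append(f"rule {i}: wildcard under resources outside owned apiGroups {sorted(owned)}")
        hits = set()
        if "" in groups or "*" in groups:  # secrets/configmaps live in the core group, which "*" also matches
            hits = set(CONFIDENTIAL) if "*" in resources else resources & CONFIDENTIAL
        if hits and not rule.get("resourceNames"):
            findings.append(f"rule {i}: cluster-wide access to {sorted(hits)} without resourceNames")
    return findings

def check_csv(csv: Dict) -> List[str]:
    """Run check_rules over every clusterPermissions entry of the CSV."""
    perms = csv.get("spec", {}).get("install", {}).get("spec", {}).get("clusterPermissions", [])
    owned = owned_api_groups(csv)
    return [f"{p.get('serviceAccountName', '?')}: {f}"
            for p in perms for f in check_rules(p.get("rules", []), owned)]

# Constructed CSVs (the dicts yaml.safe_load would return) mirroring the two configurations above.
BAD_CSV = {"spec": {"install": {"spec": {"clusterPermissions": [{
    "serviceAccountName": "sample-operator",
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}]}}}}
GOOD_CSV = {"spec": {
    "customresourcedefinitions": {"owned": [{"name": "widgets.abcd"}]},
    "install": {"spec": {"clusterPermissions": [{
        "serviceAccountName": "sample-operator",
        "rules": [
            {"apiGroups": [""], "resources": ["secrets", "configmaps"],
             "resourceNames": ["test123"], "verbs": ["*"]},
            {"apiGroups": ["abcd"], "resources": ["*"], "verbs": ["*"]}]}]}}}}

if __name__ == "__main__":
    for name, csv in (("bad", BAD_CSV), ("good", GOOD_CSV)):
        print(name, check_csv(csv) or "OK")
```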