Description of problem:
The cluster-role prometheus-operator assigned to prometheus-operator service account has all (*) privileges over customresourcedefinition resources.
A quick review of the code doesn't justify this excessive permission level, which could be a security issue if the token of the service account is used to manage any of the defined customresourcedefinitions by editing them or deleting them.
Version-Release number of selected component (if applicable):
4.2.14
How reproducible:
Always
Steps to Reproduce:
1. Get the token of the service account:
$ oc describe sa -n openshift-monitoring prometheus-operator
# the "Tokens:" section of the output names the service account's token secret
$ oc get secret -n openshift-monitoring <token-secret-name> -o yaml
# data.token in that secret is base64-encoded
$ token=$( echo <base64-token> | base64 -d )
2. Delete any CRD, using oauths.config.openshift.io as an example:
$ oc --token=$token delete crd oauths.config.openshift.io
Actual results:
The OAuth CRD is deleted
Expected results:
The service account shouldn't be able to delete CRDs that aren't under its management.
CRDs are objects which require special consideration and the permission over them should be scoped to the required verbs.
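Added example, not part of this bug report or of cluster-monitoring-operator: a small offline audit that flags ClusterRole rules granting more than read access on customresourcedefinitions, with the wildcard rule described above beside a scoped version of the same rule. The two ClusterRole documents are constructed inline in the shape `oc get clusterrole <name> -o json` returns; the read-only verb set (get/list/watch) is this example's assumption about what the operator needs, not the verb set the advisory shipped.

```python
"""Audit ClusterRole rules for over-broad verbs on CustomResourceDefinitions.

Added example; not code from the bug report or from cluster-monitoring-operator.
Input mirrors the JSON returned by `oc get clusterrole <name> -o json`, built
inline here so the check runs without a cluster.
"""
import json

CRD_GROUP = "apiextensions.k8s.io"
CRD_RESOURCE = "customresourcedefinitions"

# Assumption for this example: an operator that only watches CRDs needs no more
# than get/list/watch. The advisory does not state the exact verb set in the
# fix, so treat this as a policy choice, not as the vendor's.
ALLOWED_CRD_VERBS = {"get", "list", "watch"}


def rule_covers_crds(rule):
    """True if a PolicyRule grants anything on customresourcedefinitions."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    return (("*" in groups or CRD_GROUP in groups)
            and ("*" in resources or CRD_RESOURCE in resources))


def excessive_verbs(rule):
    """Verbs on CRDs beyond the allowed set; a wildcard is reported as '*'."""
    verbs = set(rule.get("verbs", []))
    if "*" in verbs:
        return {"*"}
    return verbs - ALLOWED_CRD_VERBS


def audit_clusterrole(role):
    """Return one finding per rule that grants more than read access to CRDs.

    A rule with resourceNames is still reported: resourceNames cannot restrict
    list/watch/create, and 'delete' on a named CRD is still a delete.
    """
    findings = []
    for index, rule in enumerate(role.get("rules", [])):
        if not rule_covers_crds(rule):
            continue
        extra = excessive_verbs(rule)
        if extra:
            findings.append({
                "clusterrole": role["metadata"]["name"],
                "rule_index": index,
                "excessive_verbs": sorted(extra),
                "resourceNames": rule.get("resourceNames", []),
            })
    return findings


def audit_clusterrole_list(doc):
    """Audit the List document returned by `oc get clusterroles -o json`."""
    findings = []
    for role in doc.get("items", []):
        findings.extend(audit_clusterrole(role))
    return findings


# Constructed sample: the rule shape reported in the bug (verbs: ["*"] on CRDs),
# with an unrelated rule in front of it to show that non-CRD rules are skipped.
WEAK_ROLE = json.loads("""
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRole",
  "metadata": {"name": "prometheus-operator"},
  "rules": [
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"], "verbs": ["*"]}
  ]
}
""")

# Constructed sample: the same role with the CRD rule scoped to read-only verbs.
SCOPED_ROLE = json.loads("""
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRole",
  "metadata": {"name": "prometheus-operator"},
  "rules": [
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"], "verbs": ["get", "list", "watch"]}
  ]
}
""")

if __name__ == "__main__":
    for role in (WEAK_ROLE, SCOPED_ROLE):
        print(role["metadata"]["name"], audit_clusterrole(role))
```

Against a live cluster, dump every ClusterRole with `oc get clusterroles -o json > roles.json`, load it with `json.load` and pass it to `audit_clusterrole_list`. To confirm a specific service account's reach without deleting a CRD as the reproduction step above does, `oc auth can-i delete customresourcedefinitions --as=system:serviceaccount:openshift-monitoring:prometheus-operator` answers the same question non-destructively.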
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2020:0581