Bug 2066670

Summary: [dns-operator] - Minimize wildcard/privilege Usage in Cluster and Local Roles
Product: OpenShift Container Platform
Reporter: Simon Reber <sreber>
Component: Networking
Assignee: aos-network-edge-staff <aos-network-edge-staff>
Networking sub component: DNS
QA Contact: Melvin Joseph <mjoseph>
Status: CLOSED WONTFIX
Docs Contact:
Severity: low
Priority: low
CC: hongli, mfisher, mmasters
Version: 4.8
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-12-19 20:54:44 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Simon Reber 2022-03-22 10:02:53 UTC
According to http://static.open-scap.org/ssg-guides/ssg-ocp4-guide-cis.html#xccdf_org.ssgproject.content_rule_rbac_wildcard_use, the use of wildcards in ClusterRoles and Roles should be prevented as far as possible.

Further, one should refrain from using `cluster-admin` permissions to comply with CIS security requirements.

It's therefore requested to review the ServiceAccount below and its associated Roles, as they were found not to be compliant with the above, and to restrict permissions further to the extent possible.

 - system:serviceaccount:openshift-dns-operator:dns-operator

Comment 1 Miciah Dashiel Butler Masters 2022-03-22 16:00:13 UTC
Setting blocker-.  

(In reply to Simon Reber from comment #0)
> According
> http://static.open-scap.org/ssg-guides/ssg-ocp4-guide-cis.html#xccdf_org.
> ssgproject.content_rule_rbac_wildcard_use the usage of wildcard in
> ClusterRole and Roles should be prevented as best as possible.

We might be able to tie down some permissions, such as restricting the operator's access to clusteroperators to allow access only to the "dns" clusteroperator or restricting the operator to managing daemonsets etc. in only the operand namespace.  However, the operand (and therefore the operator) by its nature requires some wildcard permissions.  For example, CoreDNS needs access to all services and endpointslices in all namespaces in the cluster so that it can respond to DNS queries for those services' names with the addresses in the endpointslices.  

> Further, one should refrain from using `cluster-admin` permissions to comply
> with CIS security requirements.

Can you elaborate on this point?  

> It's therefore requested to review the below serviceAccount and their
> associated Roles as they were found not to be compliant with the above and
> restrict permissions further to the extend possible.
> 
>  - system:serviceaccount:openshift-dns-operator:dns-operator

Is this part of a larger audit of cluster operators?  It would be useful to define applicable guidelines for all cluster operators to follow.
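The CIS rule cited in the description and the narrowing options discussed in comment 1 (limiting the operator's write access to the "dns" ClusterOperator, moving DaemonSet management into a namespaced Role, while keeping the cluster-wide read access CoreDNS inherently needs) can be checked mechanically. The script below is an added example written for this page; it is not code from the bug, from OpenShift or from the dns-operator repository. The manifests it audits are constructed for illustration (the role names are hypothetical, and `openshift-dns` is assumed as the operand namespace), not the operator's real RBAC.

```python
"""Audit Kubernetes RBAC manifests for wildcard and unscoped write grants.

Added example for this bug page; not part of OpenShift or the dns-operator.
All manifests below are constructed: names are hypothetical and the rules do
not reproduce the operator's actual ClusterRole.
"""
from typing import Dict, List, Tuple

WILDCARD = "*"
RULE_FIELDS = ("apiGroups", "resources", "verbs")
# Verbs that change state; these are the ones worth scoping with resourceNames
# or a namespaced Role. Note that create (and deletecollection) cannot be
# restricted by resourceNames in Kubernetes RBAC, so a narrowed role still
# needs an unnamed rule if it must create objects.
MUTATING_VERBS = {"create", "update", "patch", "delete", "deletecollection", WILDCARD}


def find_wildcards(role: Dict) -> List[Tuple[int, str]]:
    """Return (rule_index, field) for every rule field that contains '*'.

    This is the condition the CIS rule rbac_wildcard_use flags."""
    findings = []
    for idx, rule in enumerate(role.get("rules", [])):
        for field in RULE_FIELDS:
            if WILDCARD in rule.get(field, []):
                findings.append((idx, field))
    return findings


def unscoped_cluster_writes(role: Dict) -> List[int]:
    """For a ClusterRole, return indexes of rules that grant a mutating verb on
    every object of a resource (no resourceNames). Each is a candidate for
    narrowing to a specific object or to a Role in the operand namespace."""
    if role.get("kind") != "ClusterRole":
        return []
    out = []
    for idx, rule in enumerate(role.get("rules", [])):
        if set(rule.get("verbs", [])) & MUTATING_VERBS and not rule.get("resourceNames"):
            out.append(idx)
    return out


# Constructed "before": the shape the CIS check complains about.
BROAD_CLUSTERROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "example-operator-broad"},  # hypothetical name
    "rules": [
        {"apiGroups": ["config.openshift.io"], "resources": ["clusteroperators"], "verbs": ["*"]},
        {"apiGroups": ["apps"], "resources": ["daemonsets"], "verbs": ["*"]},
        {"apiGroups": [""], "resources": ["services", "endpoints"], "verbs": ["list", "watch"]},
        {"apiGroups": ["discovery.k8s.io"], "resources": ["endpointslices"], "verbs": ["list", "watch"]},
    ],
}

# Constructed "after": writes limited to the "dns" ClusterOperator; the
# cluster-wide read access CoreDNS needs for service names is kept as-is.
NARROW_CLUSTERROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "example-operator-narrow"},  # hypothetical name
    "rules": [
        {"apiGroups": ["config.openshift.io"], "resources": ["clusteroperators"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["config.openshift.io"], "resources": ["clusteroperators", "clusteroperators/status"],
         "resourceNames": ["dns"], "verbs": ["update", "patch"]},
        {"apiGroups": [""], "resources": ["services", "endpoints"], "verbs": ["list", "watch"]},
        {"apiGroups": ["discovery.k8s.io"], "resources": ["endpointslices"], "verbs": ["list", "watch"]},
    ],
}

# DaemonSet management moved into a Role bound only in the operand namespace
# (openshift-dns is assumed here as that namespace).
OPERAND_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "example-operator", "namespace": "openshift-dns"},
    "rules": [
        {"apiGroups": ["apps"], "resources": ["daemonsets"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    ],
}


def audit(role: Dict) -> Dict[str, list]:
    """Combine both checks into one report for a manifest."""
    return {"wildcards": find_wildcards(role), "unscoped_writes": unscoped_cluster_writes(role)}


if __name__ == "__main__":
    for manifest in (BROAD_CLUSTERROLE, NARROW_CLUSTERROLE, OPERAND_ROLE):
        print(manifest["metadata"]["name"], audit(manifest))
```

Run against real manifests by loading them with a YAML parser and passing each document to `audit`. The narrowed ClusterRole still contains rules without `resourceNames` for services and endpointslices, which is the point made in comment 1: those are read-only and the operand cannot work without them, so the audit distinguishes that case from unscoped write access rather than treating every broad rule the same way.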

Comment 4 mfisher 2022-12-19 20:54:44 UTC
This issue is stale and has been closed because it has been open 90 days or more with no noted activity/comments in the last 60 days.  If this issue is crucial and still needs resolution, please open a new jira issue and the engineering team will triage and prioritize accordingly.