Bug 2066664 - [cluster-storage-operator] - Minimize wildcard/privilege Usage in Cluster and Local Roles
Summary: [cluster-storage-operator] - Minimize wildcard/privilege Usage in Cluster and...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Storage
Version: 4.8
Hardware: x86_64
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Target Release: 4.13.0
Assignee: Fabio Bertinatto
QA Contact: Rohit Patil
URL:
Whiteboard:
Duplicates: 2066663
Depends On:
Blocks:
Reported: 2022-03-22 09:58 UTC by Simon Reber
Modified: 2023-09-18 04:34 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-05-17 22:46:32 UTC
Target Upstream Version:
Embargoed:




Links
- Github: openshift/cluster-csi-snapshot-controller-operator pull 131 (Merged) - "Bug 2066664: Remove wildcard use in Roles" - last updated 2022-11-28 05:11:15 UTC
- Github: openshift/cluster-storage-operator pull 270 (Merged) - "Bug 2066664: Remove wildcard use in rules for CSI operators and drivers" - last updated 2022-11-28 05:11:19 UTC
- Github: openshift/hypershift pull 1922 (open) - "Bug 2066664: Sync manifests from cluster-csi-snapsht-controller-operator" - last updated 2022-12-06 13:06:34 UTC
- Red Hat Product Errata: RHSA-2023:1326 - last updated 2023-05-17 22:47:39 UTC

Description Simon Reber 2022-03-22 09:58:18 UTC
According to http://static.open-scap.org/ssg-guides/ssg-ocp4-guide-cis.html#xccdf_org.ssgproject.content_rule_rbac_wildcard_use, the usage of wildcards in ClusterRoles and Roles should be prevented as far as possible.

Further, one should refrain from using `cluster-admin` permissions to comply with CIS security requirements.

It's therefore requested to review the below serviceAccounts and their associated Roles, as they were found not to be compliant with the above, and to restrict permissions further to the extent possible.

 - system:serviceaccount:openshift-cluster-storage-operator:cluster-storage-operator
 - system:serviceaccount:openshift-cluster-storage-operator:csi-snapshot-controller-operator
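
The following is an added example, not code from this bug or from the operators named here: a small checker for the CIS rule cited above, flagging `*` in the `apiGroups`, `resources` or `verbs` of RBAC rules. The two roles and their names are constructed to show a wildcard rule beside the explicit form that replaces it; the `audit` function also accepts the `items` of a `kubectl get clusterroles -o json` list.

```python
"""Flag wildcard ("*") use in Kubernetes RBAC rules (CIS rbac_wildcard_use).

Added example for illustration; the roles below are constructed samples,
not the real manifests of cluster-storage-operator or the snapshot operator.
"""
import json
import sys

WILDCARD_KEYS = ("apiGroups", "resources", "verbs")

# Constructed "before": the kind of rule the CIS check rejects.
WILDCARD_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "example-operator-wildcard"},  # hypothetical name
    "rules": [
        {"apiGroups": ["storage.k8s.io"], "resources": ["csidrivers"], "verbs": ["*"]},
        {"apiGroups": [""], "resources": ["*"], "verbs": ["get", "list", "watch"]},
    ],
}

# Constructed "after": the same access spelled out per resource and verb.
EXPLICIT_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "example-operator-explicit"},  # hypothetical name
    "rules": [
        {"apiGroups": ["storage.k8s.io"], "resources": ["csidrivers"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
        {"apiGroups": [""], "resources": ["persistentvolumes", "nodes"],
         "verbs": ["get", "list", "watch"]},
    ],
}


def find_wildcards(role):
    """Return (rule_index, field) for every rule field that contains '*'."""
    findings = []
    for i, rule in enumerate(role.get("rules") or []):
        for key in WILDCARD_KEYS:
            if "*" in (rule.get(key) or []):
                findings.append((i, key))
    return findings


def audit(roles):
    """Map role name -> wildcard findings, listing only the offending roles."""
    return {r["metadata"]["name"]: f for r in roles if (f := find_wildcards(r))}


if __name__ == "__main__":
    # With no stdin, audit the constructed samples; otherwise a kubectl JSON list.
    roles = [WILDCARD_ROLE, EXPLICIT_ROLE] if sys.stdin.isatty() else json.load(sys.stdin)["items"]
    print(json.dumps(audit(roles), indent=2))
```

Run as `kubectl get clusterroles -o json | python3 check_wildcards.py` to list every ClusterRole still using a wildcard.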

Comment 1 Jan Safranek 2022-03-22 14:34:02 UTC
We will check cluster-admin permissions, but they're hard and error-prone to remove. This will take some time, even a couple of releases.

Comment 2 Jan Safranek 2022-03-22 14:34:49 UTC
*** Bug 2066663 has been marked as a duplicate of this bug. ***

Comment 10 Fabio Bertinatto 2022-12-06 13:06:21 UTC
Moving back to POST in order to get another PR merged.

Comment 11 mkumatag 2022-12-07 13:09:26 UTC
I see already https://github.com/openshift/cluster-storage-operator/pull/270 merged and changes lgtm.

Comment 19 errata-xmlrpc 2023-05-17 22:46:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.13.0 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:1326

Comment 20 Red Hat Bugzilla 2023-09-18 04:34:00 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days
