According to http://static.open-scap.org/ssg-guides/ssg-ocp4-guide-cis.html#xccdf_org.ssgproject.content_rule_rbac_wildcard_use the usage of wildcards in ClusterRoles and Roles should be prevented as far as possible. Further, one should refrain from using `cluster-admin` permissions to comply with CIS security requirements. It's therefore requested to review the below service accounts and their associated Roles, as they were found not to be compliant with the above, and restrict permissions further to the extent possible.
- system:serviceaccount:openshift-cluster-storage-operator:cluster-storage-operator
- system:serviceaccount:openshift-cluster-storage-operator:csi-snapshot-controller-operator
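The two checks the reporter asks for (no `*` in Role/ClusterRole rules, no `cluster-admin` bindings for the operator service accounts) can be run against the cluster's own RBAC objects. The script below is an added example for this thread; it is not code from the bug report or from cluster-storage-operator. It reads the JSON that `oc get roles,clusterroles,rolebindings,clusterrolebindings -A -o json` emits when piped on stdin, and otherwise runs on a constructed sample whose object names (`example-wide-open`, `example-scoped`, `example-admin-binding`, namespace `example-ns`) are assumptions, not the operator's real RBAC.

```python
"""Audit Kubernetes RBAC objects for wildcard rules and cluster-admin bindings.

Added example; not code from the bug report or the cluster-storage-operator
project. Usage on a live cluster (assumed invocation):
    oc get roles,clusterroles,rolebindings,clusterrolebindings -A -o json | python rbac_audit.py
Without stdin input the constructed SAMPLE_ITEMS below are audited instead.
"""
import json
import sys

WILDCARD = "*"
RULE_FIELDS = ("apiGroups", "resources", "verbs")


def _ident(obj):
    """Human-readable identifier: Kind/name for cluster-scoped, Kind/ns/name otherwise."""
    meta = obj.get("metadata", {})
    ns = meta.get("namespace")
    return f"{obj.get('kind')}/{ns}/{meta.get('name')}" if ns else f"{obj.get('kind')}/{meta.get('name')}"


def find_wildcard_rules(roles):
    """Return (identifier, rule_index, field) for every rule field that contains "*".

    This mirrors the CIS rbac_wildcard_use rule: a "*" in apiGroups, resources
    or verbs is a finding, even when the other two fields are narrow.
    Rules on aggregated ClusterRoles are not expanded here."""
    findings = []
    for role in roles:
        for idx, rule in enumerate(role.get("rules") or []):
            for field in RULE_FIELDS:
                if WILDCARD in (rule.get(field) or []):
                    findings.append((_ident(role), idx, field))
    return findings


def cluster_admin_subjects(bindings, role_name="cluster-admin"):
    """Return service accounts (system:serviceaccount:<ns>:<name>) bound to role_name.

    Both ClusterRoleBindings and RoleBindings are inspected: a RoleBinding to
    the cluster-admin ClusterRole still grants full access within its namespace."""
    subjects = set()
    for binding in bindings:
        ref = binding.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != role_name:
            continue
        for subj in binding.get("subjects") or []:
            if subj.get("kind") == "ServiceAccount":
                subjects.add(f"system:serviceaccount:{subj.get('namespace')}:{subj.get('name')}")
    return subjects


def audit(items):
    """Split a mixed `items` array into roles and bindings and run both checks."""
    roles = [i for i in items if i.get("kind") in ("Role", "ClusterRole")]
    bindings = [i for i in items if i.get("kind") in ("RoleBinding", "ClusterRoleBinding")]
    return find_wildcard_rules(roles), cluster_admin_subjects(bindings)


# Constructed sample data shaped like `oc get ... -o json` output (assumed names).
SAMPLE_ITEMS = [
    {"kind": "ClusterRole", "metadata": {"name": "example-wide-open"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "example-scoped"},
     "rules": [{"apiGroups": ["storage.k8s.io"], "resources": ["csidrivers"],
                "verbs": ["get", "list", "watch"]},
               # narrow apiGroup and resource, but "*" verbs is still a finding
               {"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "example-admin-binding"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "example-ns", "name": "example-operator"}]},
]


def main():
    if not sys.stdin.isatty():
        data = json.load(sys.stdin)
        items = data.get("items", [data])
    else:
        items = SAMPLE_ITEMS
    wildcards, admins = audit(items)
    for ident, idx, field in wildcards:
        print(f"WILDCARD  {ident} rules[{idx}].{field}")
    for sa in sorted(admins):
        print(f"CLUSTER-ADMIN  {sa}")
    sys.exit(1 if wildcards or admins else 0)


if __name__ == "__main__":
    main()
```

On the sample data the script reports three wildcard fields on `example-wide-open`, one on `example-scoped` (the `*` verb on secrets, which a narrow apiGroup does not excuse), and one service account holding cluster-admin; the non-zero exit code makes it usable as a gate in CI.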
We will check cluster-admin permissions, but they're hard and error-prone to remove. This will take some time, even a couple of releases.
*** Bug 2066663 has been marked as a duplicate of this bug. ***
Moving back to POST in order to get another PR merged.
I see https://github.com/openshift/cluster-storage-operator/pull/270 has already been merged and the changes LGTM.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Container Platform 4.13.0 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2023:1326
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days