The latest skupper operator allows privilege escalation on a kubernetes cluster. If the skupper operator is running and a user in a given namespace creates a ConfigMap with the name skupper-site and includes in the data the line, `cluster-permissions: "true"`, then the operator will create a service account in that namespace that has cluster permissions enabling it to watch deployments in all namespaces on the cluster. This is the case even if the user creating that ConfigMap does not themselves have access to other namespaces. The solution we propose is to make this feature optional at the operator level, and off by default. We have a patch ready for this (it has not been shared outside relevant Red Hat engineers) but want to be sure we follow the correct process.
This issue has been addressed in the following products: Service Interconnect 1 for RHEL 9 Via RHSA-2023:6219 https://access.redhat.com/errata/RHSA-2023:6219