Please describe your use case / problem.
A review of the RBAC permissions given to the edge-stack pods seems overly permissive. Here are some examples:
https://github.com/emissary-ingress/emissary/blob/5e03b912c048c2db25763dbf77265792199ebbad/charts/emissary-ingress/templates/rbac.yaml#L87-L90
https://github.com/datawire/edge-stack/blob/main/charts/edge-stack/templates/rbac.yaml#L27-L29
Does this actually need to read every secret in every namespace?
Similarly, its allowed to delete any CRD.
rules:
- apiGroups: [ "apiextensions.k8s.io" ]
resources: [ "customresourcedefinitions" ]
verbs: ["get", "list", "watch", "delete"]
Describe the solution you'd like
At minimum, it would be nice to have an explanation of what's going on that seems to require these permissions. Better would be to be a bit more verbose about what secrets, CRDs, etc that actually need to be managed.
Describe alternatives you've considered
Disabling unsavory permissions until I've had a chance to review the code and/or see errors in the logs.
Additional context
n/a
Please describe your use case / problem.
A review of the RBAC permissions given to the edge-stack pods seems overly permissive. Here are some examples:
https://github.com/emissary-ingress/emissary/blob/5e03b912c048c2db25763dbf77265792199ebbad/charts/emissary-ingress/templates/rbac.yaml#L87-L90
https://github.com/datawire/edge-stack/blob/main/charts/edge-stack/templates/rbac.yaml#L27-L29
Does this actually need to read every secret in every namespace?
Similarly, its allowed to delete any CRD.
Describe the solution you'd like
At minimum, it would be nice to have an explanation of what's going on that seems to require these permissions. Better would be to be a bit more verbose about what secrets, CRDs, etc that actually need to be managed.
Describe alternatives you've considered
Disabling unsavory permissions until I've had a chance to review the code and/or see errors in the logs.
Additional context
n/a