Skip to content

Preflight Permission Check for Excessive Permission #1644

New issue
New issue
Closed as not planned
Closed as not planned
Preflight Permission Check for Excessive Permission#1644
Labels
lifecycle/staleDenotes an issue or PR has remained open with no activity and has become stale.
@bentito

Description

@bentito
bentito
opened on Jan 22, 2025

Similar to #988, this issue proposes a security-minded preflight permission check that warns when the referenced Service Account is granting more permission than needed for a Cluster Extension to do its work.

Currently, Cluster Extension installations can proceed even if the provided Service Account has excessive permissions. A preflight check would help ensure that Cluster Extensions operate within the principle of least privilege, enhancing the overall security of the cluster.

  • This proposal builds upon previous efforts to define and manage Service Account permissions within Cluster Extensions:

  • A preflight check that analyzes Service Account permissions and flags potential over-privileging would significantly contribute to a more secure Cluster Extension deployment process.

Metadata

Metadata

Assignees

No one assigned

    Labels

    lifecycle/staleDenotes an issue or PR has remained open with no activity and has become stale.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions