You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I just found that the Deployment bfe-ingress-controller in the charts has both list and get verbs for the secrets resource (rbac.yaml). However, after reading the source code of ingress-bfe, I didn't find any Kubernetes API usages that require list secrets permissions. If a malicious user gets the service account token, they can list all the names of the secrets, and with the name, they can get the details of all the secrets objects (since this is declared in a ClusterRole). Therefore, for security reasons, I recommend removing this unnecessary permission.
The text was updated successfully, but these errors were encountered:
Hi community!
I just found that the Deployment
bfe-ingress-controllerin the charts has bothlistandgetverbs for thesecretsresource (rbac.yaml). However, after reading the source code of ingress-bfe, I didn't find any Kubernetes API usages that requirelistsecrets permissions. If a malicious user gets the service account token, they can list all the names of the secrets, and with the name, they can get the details of all the secrets objects (since this is declared in a ClusterRole). Therefore, for security reasons, I recommend removing this unnecessary permission.The text was updated successfully, but these errors were encountered: