Debate whether we should grant the deploy ClusterRole permissions to create RoleBindings
Open, Needs Triage, Public

Description

In https://phabricator.wikimedia.org/T364389#10174265, we discussed the need to be able to create a Role/RoleBinding/ServiceAccount granting a specific Deployment the ability to create/delete/list/etc Pods.

Given the lack of permissions for the deploy user to manage Role resources, it was suggested by @JMeybohm that we should

  • create a ClusterRole in admin_ng with the associated permissions
  • create a ServiceAccount and a RoleBinding, linking the ServiceAccount to the ClusterRole, in the chart

However, the deploy role does not have permissions to manage `RoleBinding` resources either, making this impossible.

I'm creating this ticket to gather feedback as to whether we should grant the deploy user permission to create/delete RoleBinding (and maybe Role) resources as well.

Event Timeline

Allowing the deploy user to create Role and RoleBinding objects within its namespace would allow them to create service accounts with elevated privileges and elevate its own privileges in its namespace (by modifying the deploy RoleBinding). The privileges would still be namespaced, but there is a path to privilege escalation here.

Or maybe not: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#restrictions-on-role-binding-creation-or-update
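
Added example, not part of the ticket or of admin_ng: a sketch of how the escalation restriction linked above can be used to let the deploy user create RoleBindings to one specific ClusterRole only, via the `bind` verb scoped with `resourceNames`. Every object name and namespace here (`pod-manager`, `deploy-bind-pod-manager`, `my-app-pod-manager`, `my-namespace`) is a hypothetical placeholder.

```yaml
# Added example; all names below are hypothetical, not taken from admin_ng.
# 1. Cluster-admin side: the ClusterRole holding the Pod permissions.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-manager
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["create", "delete", "get", "list", "watch"]
---
# 2. Cluster-admin side: extra rules for the deploy user. It may manage
#    RoleBindings, but may only reference the one ClusterRole named above.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: deploy-bind-pod-manager
rules:
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["rolebindings"]
    verbs: ["create", "delete", "get", "list", "patch", "update"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterroles"]
    verbs: ["bind"]
    resourceNames: ["pod-manager"]
---
# 3. Chart side: objects the deploy user creates in its own namespace.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-app-pod-manager
  namespace: my-namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: my-app-pod-manager
  namespace: my-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: pod-manager
subjects:
  - kind: ServiceAccount
    name: my-app-pod-manager
    namespace: my-namespace
```

The second ClusterRole still has to be bound to the deploy user in each namespace by a cluster admin. Without the `bind` rule, the API server rejects the RoleBinding unless the deploy user already holds every permission contained in `pod-manager` at that scope.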