AM0012

CSV rbac

Problematic configuration:

**1. CSV rbac rules present in the operator bundle are too lenient.

We perform the following checks on the rbac rules listed in the csv yaml:

Presence of wildcard operator under apiGroups
Accessing confidential cluster resources like secrets and configmaps outside the operators targetnamespace/s.(Reads are optionally allowed only if the resourceName attribute is set.)
Presence of wildcard operator under resources. (Allowed if it comes under the apiGroups owned by the operator)

# sample-operator.clusterserviceversion.yaml

clusterPermissions:
  - rules:
    - apiGroups:
      - "*"
      resources:
      - "*"
      verbs:
      - "*"
    serviceAccountName: sample-operator

Here both apiGroups and resources both lists * (wildcard operator) under it.

Correct configuration:

# abcd-operator.clusterserviceversion.yaml
clusterPermissions:
  - rules:
    - apiGroups:
      - ""
      resources:
      - "secrets"
      - "configmaps"
      ResourceNames:
      - "test123"
      verbs:
      - "*"
    - apiGroups:
      - "abcd"
      resources:
      - "*"
      verbs:
      - "*"
    serviceAccountName: sample-operator

secrets and configmaps with specific resource names are only accessed.
Wildcard under resources belong to the api group owned by the operator
No wildcards present under apiGroups.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

AM0012

CSV rbac

Problematic configuration:

Correct configuration:

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Clone this wiki locally