Pipeline: ClusterRole tekton-pipelines-webhook-cluster-access should be limited to *.tekton.dev resourceNames

Created on 6 May 2020 · 7 Comments · Source: tektoncd/pipeline

Expected Behavior

In the latest 0.12.0 release.yaml file, ClusterRole tekton-pipelines-webhook-cluster-access should be limited to *.tekton.dev resourceNames.

Actual Behavior

ClusterRole tekton-pipelines-webhook-cluster-access doesn't have a resourceNames attribute and therefore contends to act upon all resource names.

Steps to Reproduce the Problem

Does not apply. This is strictly a release.yaml spec issue.

kind/feature

All 7 comments

I think this relates specifically to the customresourcedefinition part here is that right?

@vdemeester do you know if the webhook needs write access to all CRDs or we could scope to just tekton's?

/kind feature

@sbwsg That's correct, Scott. That's the correct YAML and section. Any rules with read-only verbs are not of big concern. But anything with CRUD verbs that is not limited by resourceNames raises red flags with enterprise security folks, as it did here at eBay.

@vdemeester do you know if the webhook needs write access to all CRDs or we could scope to just tekton's?

Hum, I don't think it needs access to all CRDs, just the tekton's.

Agreed. We've done some testing and are running version v0.13.0 with the following ClusterRole.
The webhook needs list/watch access for all CRDs, but only update for the Tekton-specific ones.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cnr:tekton-pipelines-webhook-cluster-access
rules:
- resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  verbs:
  - list
  - watch
  apiGroups:
  - admissionregistration.k8s.io
- resourceNames:
  - webhook.pipeline.tekton.dev
  resources:
  - mutatingwebhookconfigurations
  verbs:
  - get
  - update
  apiGroups:
  - admissionregistration.k8s.io
- resourceNames:
  - validation.webhook.pipeline.tekton.dev
  - config.webhook.pipeline.tekton.dev
  resources:
  - validatingwebhookconfigurations
  verbs:
  - get
  - update
  apiGroups:
  - admissionregistration.k8s.io
- resources:
  - customresourcedefinitions
  - customresourcedefinitions/status
  verbs:
  - get
  - list
  - watch
  apiGroups:
  - apiextensions.k8s.io
- resourceNames:
  - pipelineruns.tekton.dev
  - pipelines.tekton.dev
  - taskruns.tekton.dev
  - tasks.tekton.dev
  - clustertasks.tekton.dev
  resources:
  - customresourcedefinitions
  - customresourcedefinitions/status
  verbs:
  - update
  - patch
  apiGroups:
  - apiextensions.k8s.io
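
A ClusterRole like the one above is easiest to keep honest with an automated check rather than by eye. What follows is an added example, not code from the tektoncd/pipeline project or from anyone in this thread: a small audit that takes a ClusterRole in the JSON shape `kubectl get clusterrole <name> -o json` emits and reports every rule that grants write verbs (create/update/patch/delete/deletecollection/*) without a resourceNames restriction, or whose resourceNames fall outside an expected suffix such as `.tekton.dev`. It also flags `create` and `deletecollection`, which Kubernetes cannot restrict by name even when resourceNames is present. The two sample roles embedded in it are constructed for the demonstration; the "unscoped" one only mirrors the shape the issue complains about and is not a copy of any release.yaml.

```python
"""Audit a ClusterRole for write verbs that are not scoped by resourceNames.

Added example; not part of the tektoncd/pipeline project. Input is the JSON
form produced by `kubectl get clusterrole <name> -o json`.
"""
import json

# Verbs that mutate state; "*" grants every verb and is treated as a write.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
# Kubernetes does not enforce resourceNames for these verbs: the object name
# is not known at authorization time (create) or the request is a collection.
NAME_UNRESTRICTABLE = {"create", "deletecollection"}


def find_unscoped_write_rules(clusterrole, expected_suffix=None):
    """Return one finding per rule that can write more than it should.

    expected_suffix: when given (e.g. ".tekton.dev"), resourceNames outside
    that suffix are also reported, so a rule naming foreign CRDs does not pass.
    """
    findings = []
    for idx, rule in enumerate(clusterrole.get("rules", [])):
        writes = set(rule.get("verbs", [])) & WRITE_VERBS
        if not writes:
            continue  # read-only rule (get/list/watch): out of scope here
        names = rule.get("resourceNames") or []
        reasons = []
        if not names:
            reasons.append("write verbs without resourceNames")
        else:
            bad_verbs = sorted(writes & NAME_UNRESTRICTABLE)
            if bad_verbs:
                reasons.append("resourceNames cannot restrict " + ", ".join(bad_verbs))
            if expected_suffix:
                foreign = [n for n in names if not n.endswith(expected_suffix)]
                if foreign:
                    reasons.append("names outside %s: %s" % (expected_suffix, ", ".join(foreign)))
        if reasons:
            findings.append({
                "rule": idx,
                "apiGroups": rule.get("apiGroups", []),
                "resources": rule.get("resources", []),
                "verbs": sorted(writes),
                "reasons": reasons,
            })
    return findings


def audit_clusterrole_json(text, expected_suffix=None):
    """Convenience wrapper for raw `kubectl ... -o json` output."""
    return find_unscoped_write_rules(json.loads(text), expected_suffix)


# Constructed sample: the shape of the rule the issue objects to, i.e. CRD
# update/patch with no resourceNames. Not copied from any release.yaml.
UNSCOPED_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "tekton-pipelines-webhook-cluster-access"},
    "rules": [
        {"apiGroups": ["apiextensions.k8s.io"],
         "resources": ["customresourcedefinitions", "customresourcedefinitions/status"],
         "verbs": ["get", "list", "watch", "update", "patch"]},
    ],
}

# Constructed sample following the scoped role posted above, reduced to the
# rules that matter for the check: read-only on all CRDs, writes by name only.
SCOPED_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "cnr:tekton-pipelines-webhook-cluster-access"},
    "rules": [
        {"apiGroups": ["apiextensions.k8s.io"],
         "resources": ["customresourcedefinitions", "customresourcedefinitions/status"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["admissionregistration.k8s.io"],
         "resources": ["mutatingwebhookconfigurations"],
         "resourceNames": ["webhook.pipeline.tekton.dev"],
         "verbs": ["get", "update"]},
        {"apiGroups": ["apiextensions.k8s.io"],
         "resources": ["customresourcedefinitions", "customresourcedefinitions/status"],
         "resourceNames": ["pipelineruns.tekton.dev", "pipelines.tekton.dev",
                           "taskruns.tekton.dev", "tasks.tekton.dev",
                           "clustertasks.tekton.dev"],
         "verbs": ["update", "patch"]},
    ],
}

if __name__ == "__main__":
    for role in (UNSCOPED_ROLE, SCOPED_ROLE):
        print(role["metadata"]["name"], find_unscoped_write_rules(role, ".tekton.dev"))
```

Against a live cluster, pipe `kubectl get clusterrole tekton-pipelines-webhook-cluster-access -o json` into `audit_clusterrole_json(text, ".tekton.dev")`; an empty list means every write rule is pinned to named Tekton objects. Read-only rules are deliberately ignored, which matches the thread's point that list/watch across all CRDs is acceptable while unscoped update/patch is not.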

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.

/lifecycle stale

Send feedback to tektoncd/plumbing.

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.

/lifecycle rotten

Send feedback to tektoncd/plumbing.

/remove-lifecycle rotten
