You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I just found that the Deployment emissary-ingress in the charts has both list and get verbs for the secrets resource (rbac.yaml#L13). However, after reading the source code of emissary, I didn't find any Kubernetes API usages that require list secrets permissions. If malicious users gain control of a Kubernetes node running a emissary-ingress pod, they can list all the names of the secrets, and with the name, they can get the details of all the secrets objects (since this is declared in a ClusterRole).Therefore, for security reasons, I suggest checking this permission to determine if it is truly unnecessary. If it is, the issue should be fixed by removing the unnecessary permission or or other feasible methods.
To Reproduce
Use helm chart with default values.
The text was updated successfully, but these errors were encountered:
Hi community!
I just found that the Deployment emissary-ingress in the charts has both
list
andget
verbs for thesecrets
resource (rbac.yaml#L13). However, after reading the source code of emissary, I didn't find any Kubernetes API usages that requirelist
secrets permissions. If malicious users gain control of a Kubernetes node running aemissary-ingress
pod, they can list all the names of the secrets, and with the name, they can get the details of all the secrets objects (since this is declared in a ClusterRole).Therefore, for security reasons, I suggest checking this permission to determine if it is truly unnecessary. If it is, the issue should be fixed by removing the unnecessary permission or or other feasible methods.To Reproduce
Use helm chart with default values.
The text was updated successfully, but these errors were encountered: