You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This only affects the Helm Chart and not the upstream manifests
Summary
The workflow-role lacks granularity in its privileges, giving permissions to workflowtasksets and workflowartifactgctasks to all workflow Pods, when only certain types of Pods created by the Controller require these privileges.
The impact is minimal, as an attack could only affect status reporting for certain types of Pods and templates.
These two should ideally be split into their own roles, as they are upstream. This requires a UX change to the Charts, however.
Impact
The impact of these two is quite minimal, as they only affect status reporting and only for ArtifactGC Pods and HTTP and Plugin templates. So that would only have a mild integrity impact, and that impact already exists upstream for properly privileged roles as well, which is more a limitation of k8s RBAC (in practice, it is effectively impossible to limit to resourceNames in this case as they are generated, dynamic names, and then each generated Pod would need custom resourceNames, i.e. dynamically generated RBAC).
agilgur5 Reporter
Important
This only affects the Helm Chart and not the upstream manifests
Summary
The
workflow-rolelacks granularity in its privileges, giving permissions toworkflowtasksetsandworkflowartifactgctasksto all workflow Pods, when only certain types of Pods created by the Controller require these privileges.The impact is minimal, as an attack could only affect status reporting for certain types of Pods and templates.
This was resolved by #3048
Details
Two sets of permissions are only needed for certain types of Pods created by the Controller:
workflowtasksetsandworkflowartifactgctasksworkflowtasksetsworkflowartifactgctasksThese two should ideally be split into their own roles, as they are upstream. This requires a UX change to the Charts, however.
Impact
The impact of these two is quite minimal, as they only affect status reporting and only for ArtifactGC Pods and HTTP and Plugin templates. So that would only have a mild integrity impact, and that impact already exists upstream for properly privileged roles as well, which is more a limitation of k8s RBAC (in practice, it is effectively impossible to limit to
resourceNamesin this case as they are generated, dynamic names, and then each generated Pod would need customresourceNames, i.e. dynamically generated RBAC).