security: enforce least-privilege RBAC and prevent wildcard regressions#66
security: enforce least-privilege RBAC and prevent wildcard regressions#66cjeanner wants to merge 1 commit into
Conversation
Apply principle of least privilege to ArgoCD ClusterRole permissions and
add automated CI validation to prevent future regressions.
RBAC Improvements:
- Replace wildcard verbs on core API resources (secrets, pods, PVCs) with
explicit verb lists to prevent implicit dangerous permissions
- Change pods permissions to read-only (get, list, watch) - ArgoCD only
needs to monitor pod status, not create/delete them
- Replace wildcard resources in metal3.io, lvm.topolvm.io, and
baremetal.openstack.org with explicit resource lists
- Comment out unused multicluster.openshift.io permissions
Security Rationale:
- Wildcard verbs ('*') grant implicit permissions including 'impersonate',
'escalate', and 'bind' which can lead to privilege escalation
- Wildcard resources ('*') prevent least-privilege enforcement and grant
access to all current and future resources in an API group
- Explicit permissions reduce attack surface and follow Kubernetes RBAC
best practices
CI Regression Prevention:
- Add automated RBAC validation script that scans ClusterRole/Role
definitions for dangerous wildcard patterns
- Integrate validation as new job in yamllint workflow (runs on all PRs)
- Fail CI if critical violations detected (wildcard verbs on core API
resources or wildcard resources in any API group)
- Provide clear remediation guidance in error messages
- Document validation rules, security rationale, and how to fix violations
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
I could get a successful run with the updated RBAC. I ensured the deployment was using that updated content by getting the ClusterRole |
We're already enumerating the resources ArgoCD manages. The wildcards have been dropped/replaced for cluster-wide resources, while keeping wildcards for openstack-only resources. I propose we go with the current state, while keeping in mind there's now a fair warning about how (not really) secure are the proposed configuration, added in #68 (merged already). WDYT? |
I agree with that approach, lgtm |
|
@cjeanner rebase needed , then we're good to go |
Apply principle of least privilege to ArgoCD ClusterRole permissions and add automated CI validation to prevent future regressions.
RBAC Improvements:
Security Rationale:
CI Regression Prevention: