Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ServiceBinding controller should not use servicebinding.io/controller: "true" for non-provisioned service rbac #238

Closed
Samze opened this issue Jun 7, 2022 · 1 comment · Fixed by #239
Closed

ServiceBinding controller should not use servicebinding.io/controller: "true" for non-provisioned service rbac #238

Samze opened this issue Jun 7, 2022 · 1 comment · Fixed by #239
Assignees
@rashedkvm
Labels
bug Something isn't working
Milestone
0.7.2

Comments

@Samze
Copy link
Contributor

Samze commented Jun 7, 2022
edited
Loading

Bug description

The ServiceBinding controller currently relies on the spec ClusterRole label servicebinding.io/controller: "true" to aggregate non-provisionedservice RBAC to the controller manager. See deployed config here.

The means any system that also aggregates on servicebinding.io/controller: "true" will pick up the internal RBAC for this controller. This also includes write permissions such as create/delete/update.

Expected behavior

That servicebinding.io/controller: "true" is only used for ProvisionedService types and should only contain get/list/watch.
@Samze Samze added the bug Something isn't working label Jun 7, 2022
@atmandhol atmandhol added this to the 0.7.2 milestone Jun 8, 2022
@rashedkvm
Copy link
Member

rashedkvm commented Jun 8, 2022
edited
Loading

Creating a new cluster role with label selector servicebinding.io/controller: "true" for get, list, and watch.

@rashedkvm rashedkvm self-assigned this Jun 8, 2022
@rashedkvm rashedkvm mentioned this issue Jun 9, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rashedkvm rashedkvm

Labels
bug Something isn't working
Projects
None yet
Milestone
0.7.2
3 participants
@Samze @atmandhol @rashedkvm