[Summer OSPP 2024] Karmada Component RBAC Privilege Minimization #5182

Closed
5 tasks done
zhzhuang-zju opened this issue Jul 12, 2024 · 2 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature.

@zhzhuang-zju
Contributor

zhzhuang-zju commented Jul 12, 2024

What would you like to be added:
Karmada (Kubernetes Armada) is a Kubernetes management system that enables you to run cloud-native applications in multiple Kubernetes clusters and cloud platforms without changing the application. By using Kubernetes native APIs and providing advanced scheduling capabilities, Karmada implements truly open, multi-cloud Kubernetes.

The Karmada project uses RBAC authentication to regulate and control access to computer or network resources. If too much resource object access is assigned when configuring RBAC, it can lead to privilege abuse to the point where an attacker extends the battle and penetrates the cluster. If too little access to resource objects is assigned when configuring RBAC, it can lead to component functionality anomalies.

Therefore, we plan to sort out the minimum set of RBAC permissions required for Karmada components, amend the current recommended RBAC configuration for Karmada bins to be in line with the RBAC Least Privilege Principle, and ultimately use it to guide Karmada users in configuring RBAC permissions for Karmada components.

Project link
https://summer-ospp.ac.cn/org/prodetail/245c40153?list=org&navpage=org

Parts of
#4879

tasks

website:

Outputs
A Guidance Document: Karmada Component Minimum RBAC Privilege Set
Function Implementation: Karmada Component RBAC Privilege Minimization
Test Coverage: Writing test cases to cover the added functionality

@zhzhuang-zju zhzhuang-zju added the kind/feature Categorizes issue or PR as related to a new feature. label Jul 12, 2024
@zhzhuang-zju
Contributor Author

/assign @B1F030

@karmada-bot
Collaborator

@zhzhuang-zju: GitHub didn't allow me to assign the following users: B1F030.

Note that only karmada-io members with read permissions, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time.
For more information please see the contributor guide

In response to this:

/assign @B1F030

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
