There are a handful of apps that need operators (e.g. databases). For the rest, please, please provide an option to deploy from static manifests. If a component requests permissions to create RBAC cluster roles and bindings, how can a security reviewer reasonably assess that?
Like anything else they need to be written right. A properly designed and documented operator can be a big plus for security (i.e. allow your pipeline to just update a CR instead of a Deployment or Secret or...).
The biggest issues I see with most operator designs are: 1. Cluster scoped 2. Constant elevated privs when not needed 3. Lack of appreciation for overlapping layers of security (I've heard "we have RBAC so we don't need to worry about serialization attacks" more than once).
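One way a reviewer can answer the opening question ("how can I assess an operator that asks for RBAC-creating permissions?") and check the three issues listed above before anything is applied: a static pass over the operator's RBAC manifests. This is an added example, not code from anyone in the thread; it assumes the manifests have already been loaded as Python dicts (for instance from `kubectl get clusterrole,clusterrolebinding -o json` or a parsed YAML bundle), and the SAMPLE bundle is constructed for the demo.

```python
# Added example: static review of an operator's RBAC manifests, given as dicts
# (e.g. parsed from `kubectl get clusterrole,clusterrolebinding -o json`).
RBAC_GROUP = "rbac.authorization.k8s.io"
RBAC_RESOURCES = {"roles", "rolebindings", "clusterroles", "clusterrolebindings"}
RBAC_WRITE = {"create", "update", "patch", "delete", "bind", "escalate", "*"}


def review_rbac(objects):
    """Return one finding per risky rule or binding in an operator bundle."""
    findings = []
    for obj in objects:
        kind = obj.get("kind")
        name = obj.get("metadata", {}).get("name", "?")
        if kind == "ClusterRoleBinding":
            findings.append(f"{kind}/{name}: cluster-wide grant, not namespace-scoped")
        if kind not in ("Role", "ClusterRole"):
            continue  # Deployments, CRDs etc. carry no permission rules
        for rule in obj.get("rules", []):
            groups = set(rule.get("apiGroups", []))
            resources = set(rule.get("resources", []))
            verbs = set(rule.get("verbs", []))
            if "*" in resources or "*" in verbs:
                findings.append(f"{kind}/{name}: wildcard rule on {sorted(resources)} {sorted(verbs)}")
            touches_rbac = groups & {RBAC_GROUP, "*"} and resources & (RBAC_RESOURCES | {"*"})
            if touches_rbac and verbs & RBAC_WRITE:
                findings.append(f"{kind}/{name}: can create or change RBAC objects (self-escalation path)")
            if "impersonate" in verbs:
                findings.append(f"{kind}/{name}: may impersonate other users or service accounts")
            if "secrets" in resources and verbs & {"get", "list", "watch", "*"}:
                findings.append(f"{kind}/{name}: reads Secrets wherever the role is bound")
    return findings


SAMPLE = [  # constructed operator bundle for the demo, not any real project's manifests
    {"kind": "ClusterRole", "metadata": {"name": "demo-operator"}, "rules": [
        {"apiGroups": ["demo.example.com"], "resources": ["widgets"], "verbs": ["get", "list", "watch", "update"]},
        {"apiGroups": [RBAC_GROUP], "resources": ["rolebindings"], "verbs": ["create"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "demo-operator"},
     "roleRef": {"kind": "ClusterRole", "name": "demo-operator"},
     "subjects": [{"kind": "ServiceAccount", "name": "demo-operator", "namespace": "demo"}]},
    {"kind": "Role", "metadata": {"name": "demo-leader-election", "namespace": "demo"}, "rules": [
        {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"], "verbs": ["get", "create", "update"]}]},
]

if __name__ == "__main__":
    for finding in review_rbac(SAMPLE):
        print(finding)
```

The namespaced leader-election Role produces no finding, while the cluster-wide role that can create RoleBindings and read Secrets produces three, which is the kind of baseline a reviewer can compare against a disposable cluster's state before and after install.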
This is exactly why CoreOS and Red Hat have been trying to build a framework around operators. Once you have a bunch of them you realize how painful all of this is.
I like kind or other disposable clusters for this, since it makes the comparison easier. I know what the baseline looks like before applying.
OTOH you need to assign a ServiceAccount to your operator, and this SA has access to a certain SCC, and this SCC will tell you which permissions the operator has. To me this is pretty transparent, or am I missing something?
Your operator can create SAs, role bindings, etc. Where that happens can be simple (YAML manifests), or deep in golang code...
Great point. I've seen similar "confused deputy" attacks in admission webhooks as well, e.g. trusting annotations/labels.
I remember mentioning this during my interview for my current job. I obviously didn't go through all the details (because I don't know them haha), but it was an interesting case study. Glad to read this! (Lurkers: I don't work in security, but needed to know some basics).
`kubectl logs kube-apiserver -c webhook`