Context
Our current setup utilizes the OpenTelemetry Operator for application tracing. This operator is deployed through a Helm Chart. However, the Trivy scanner identifies that the operator has broad permissions via the Kubernetes ClusterRole.
Issue
Based on my understanding, the OpenTelemetry Operator's current permissions allow it to delete various Kubernetes resources like pods, services, and service accounts. This level of access seems unnecessary for the operator's intended functionality.
The RBAC rules are generated via Go marker comments. The most relevant ones are on the OpenTelemetryCollectorReconciler struct in the Reconcile function.
Suggestion
For more granular access, define for each required Kubernetes kind access via +kubebuilder:rbac and do not group them in a comment marker.
Hint
As these are cluster roles, this applies to all namespaces.
Version
Helm Chart v0.58.2
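As an added illustration of the audit and the suggested split (example code, not part of this issue and not the operator's own code), the program below reads a ClusterRole in the JSON shape `kubectl get clusterrole <name> -o json` prints, flags every (group, resource, verb) grant that allows delete, deletecollection or a wildcard, and then rewrites the grouped rule as one `+kubebuilder:rbac` marker per kind with the unwanted verbs removed. The ClusterRole JSON is constructed for the example and the resource/verb lists in it are assumptions, not the real generated role; the struct types are a minimal stand-in for `rbac.authorization.k8s.io/v1` so it runs without `k8s.io/api`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// PolicyRule and ClusterRole mirror only the rbac.authorization.k8s.io/v1
// fields this audit needs, so no k8s.io/api dependency is required.
type PolicyRule struct {
	APIGroups []string `json:"apiGroups"`
	Resources []string `json:"resources"`
	Verbs     []string `json:"verbs"`
}

type ClusterRole struct {
	Metadata struct {
		Name string `json:"name"`
	} `json:"metadata"`
	Rules []PolicyRule `json:"rules"`
}

// sampleClusterRole is a constructed input in the shape of
// `kubectl get clusterrole <name> -o json`. Its first rule is what one grouped
// +kubebuilder:rbac marker listing several kinds produces. It is an assumed
// example, not the operator's real ClusterRole.
const sampleClusterRole = `{
  "metadata": {"name": "example-operator-manager-role"},
  "rules": [
    {"apiGroups": [""], "resources": ["pods", "services", "serviceaccounts"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    {"apiGroups": ["apps"], "resources": ["deployments"],
     "verbs": ["get", "list", "watch", "create", "update", "patch"]}
  ]
}`

// Finding is one (apiGroup, resource, verb) grant judged too broad.
type Finding struct{ Group, Resource, Verb string }

func ParseClusterRole(doc string) (ClusterRole, error) {
	var cr ClusterRole
	err := json.Unmarshal([]byte(doc), &cr)
	return cr, err
}

// AuditDestructive expands each rule into (group, resource, verb) triples and
// returns those granting delete, deletecollection, a wildcard verb, or any
// verb on a wildcard resource. Output is sorted so it is stable across runs.
func AuditDestructive(cr ClusterRole) []Finding {
	broad := map[string]bool{"delete": true, "deletecollection": true, "*": true}
	var out []Finding
	for _, r := range cr.Rules {
		for _, g := range r.APIGroups {
			for _, res := range r.Resources {
				for _, v := range r.Verbs {
					if broad[v] || res == "*" {
						out = append(out, Finding{g, res, v})
					}
				}
			}
		}
	}
	sort.Slice(out, func(i, j int) bool {
		a, b := out[i], out[j]
		return a.Group+"/"+a.Resource+"/"+a.Verb < b.Group+"/"+b.Resource+"/"+b.Verb
	})
	return out
}

// PerKindMarkers rewrites rules as one +kubebuilder:rbac marker per resource,
// removing for each resource the verbs listed in drop. controller-gen treats
// groups=core as the "" API group, so that spelling is emitted for it.
func PerKindMarkers(rules []PolicyRule, drop map[string][]string) []string {
	var markers []string
	for _, r := range rules {
		for _, g := range r.APIGroups {
			group := g
			if group == "" {
				group = "core"
			}
			for _, res := range r.Resources {
				var verbs []string
				for _, v := range r.Verbs {
					if !contains(drop[res], v) {
						verbs = append(verbs, v)
					}
				}
				markers = append(markers, fmt.Sprintf(
					"// +kubebuilder:rbac:groups=%s,resources=%s,verbs=%s",
					group, res, strings.Join(verbs, ";")))
			}
		}
	}
	return markers
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

func main() {
	cr, err := ParseClusterRole(sampleClusterRole)
	if err != nil {
		panic(err)
	}
	for _, f := range AuditDestructive(cr) {
		fmt.Printf("%s: group %q resource %s grants %q\n", cr.Metadata.Name, f.Group, f.Resource, f.Verb)
	}
	// Verbs to strip per resource; which ones the operator truly needs is
	// something to confirm against the reconciler, not assumed here.
	noDelete := map[string][]string{"pods": {"delete"}, "services": {"delete"}, "serviceaccounts": {"delete"}}
	fmt.Println(strings.Join(PerKindMarkers(cr.Rules, noDelete), "\n"))
}
```

Because a ClusterRole applies cluster-wide, every flagged triple is a cluster-wide grant; run the audit against the real role with `kubectl get clusterrole <name> -o json` and compare the emitted per-kind markers with the verbs the reconciler actually calls before pasting them over the grouped marker.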
I accidentally submitted the issue in the wrong OpenTelemetry repository. For this reason, I am closing this issue and creating a new issue: open-telemetry/opentelemetry-operator#3156