Added permission to `manager-role` ClusterRole to update 'roles' by Ilyesbdlala · Pull Request #2078 · secureCodeBox/secureCodeBox

Ilyesbdlala · 2023-10-31T14:25:51Z

Description

closes Parser service account cannot get resource parsedefinitions #2003
in Upgraded amass to v4 #1864 (Commit) we added parsedefinitions get access to the parse_reconciler. That means in upgrading the operator. The parser role needed to be updated. However, The 'manager-role' does not permission to update roles.

Logs of Bug previous to fix:

1.6987528214331818e+09    INFO    controllers.execution.Scan    Matching ParseDefinition Found    {"scan_parse": "default/nikto-bodgeit", "ParseDefinition": "nikto-json"}
1.6987528214341886e+09    INFO    controllers.execution.Scan    Role already exists but not in the correct state
1.6987528214381618e+09    ERROR    controllers.execution.Scan    Failed to update Role    {"error": "roles.rbac.authorization.k8s.io \"parser\" is forbidden: User \"system:serviceaccount:securecodebox-system:securecodebox-operator\" cannot update resource \"roles\" in API group \"rbac.authorization.k8s.io\" in the namespace \"default\""}
github.com/secureCodeBox/secureCodeBox/operator/controllers/execution/scans.(*ScanReconciler).startParser
    /workspace/controllers/execution/scans/parse_reconciler.go:109
github.com/secureCodeBox/secureCodeBox/operator/controllers/execution/scans.(*ScanReconciler).Reconcile
    /workspace/controllers/execution/scans/scan_controller.go:102
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile
    /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:121
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
    /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:320
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
    /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:273
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
    /go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:234

@J12934 Adding permission to manager-role ClusterRole to update 'roles' fixes the issue. But does that have any unintended consequences ? Like some kind of privilege escalation. AFAIK, it's fine, since you can't give access you don't have.

netlify · 2023-10-31T14:25:58Z

✅ Deploy Preview for docs-securecodebox canceled.

Name	Link
🔨 Latest commit	`ecb237a`
🔍 Latest deploy log	https://app.netlify.com/sites/docs-securecodebox/deploys/654a0fc183ab7200080c9084

github-actions · 2023-10-31T14:30:10Z

🦙 MegaLinter status: ✅ SUCCESS

Descriptor	Linter	Files	Fixed	Errors	Elapsed time
✅ YAML	prettier	1		0	0.29s

See detailed report in MegaLinter reports
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

MegaLinter is graciously provided by

Signed-off-by: Ilyes Ben Dlala <[email protected]>

J12934

from a secruity perspective i don't think this is a issue. it already had the right to create new roles, so allowing it to update roles isn't an issue.
Especially as you already said you can only do it for permission this service account has itself.

Ilyesbdlala added the bug Bugs label Oct 31, 2023

Ilyesbdlala self-assigned this Oct 31, 2023

Ilyesbdlala requested a review from J12934 October 31, 2023 14:26

#2003 Added permission to manager-role ClusterRole to update 'roles'

ecb237a

Signed-off-by: Ilyes Ben Dlala <[email protected]>

Ilyesbdlala force-pushed the bugfix/role-permission branch from 597a2c9 to ecb237a Compare November 7, 2023 10:21

J12934 approved these changes Nov 7, 2023

View reviewed changes

Ilyesbdlala merged commit c6b9b37 into main Nov 7, 2023

Ilyesbdlala deleted the bugfix/role-permission branch November 7, 2023 11:39

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Added permission to `manager-role` ClusterRole to update 'roles'#2078

Added permission to `manager-role` ClusterRole to update 'roles'#2078
Ilyesbdlala merged 1 commit intomainfrom
bugfix/role-permission

Ilyesbdlala commented Oct 31, 2023 •

edited

Loading

Uh oh!

netlify bot commented Oct 31, 2023 •

edited

Loading

Uh oh!

github-actions bot commented Oct 31, 2023 •

edited

Loading

Uh oh!

J12934 left a comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

Ilyesbdlala commented Oct 31, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

Uh oh!

netlify bot commented Oct 31, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

✅ Deploy Preview for docs-securecodebox canceled.

Uh oh!

github-actions bot commented Oct 31, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🦙 MegaLinter status: ✅ SUCCESS

Uh oh!

J12934 left a comment

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Ilyesbdlala commented Oct 31, 2023 •

edited

Loading

netlify bot commented Oct 31, 2023 •

edited

Loading

github-actions bot commented Oct 31, 2023 •

edited

Loading