Config to turn-off Trigger's namespaced SA impersonation #679

Closed
skaegi opened this issue Jul 19, 2020 · 3 comments · Fixed by #705
Labels
kind/question Issues or PRs that are questions around the project or a particular feature

Comments

skaegi (Contributor) commented Jul 19, 2020

Is there a config parameter or some way to prevent users from using the feature that allows cross-namespace SA impersonation? This is very hard to secure and lets anyone who has privs to create an EventListener in one namespace the ability to impersonate any other user in any namespace like a cluster admin and steal their credentials. Am I misunderstanding this or is there a feature flag to turn this off?

skaegi (Contributor, Author) commented Jul 20, 2020

/kind question

@tekton-robot tekton-robot added the kind/question Issues or PRs that are questions around the project or a particular feature label Jul 20, 2020

dibyom (Member) commented Jul 22, 2020

> This is very hard to secure and lets anyone who has privs to create an EventListener in one namespace the ability to impersonate any other user in any namespace like a cluster admin and steal their credentials.

Can you elaborate on this? Is it that one user can in theory create an EL with a serviceAccountName that they might not have access to? In that case, how is it different from the Pipelines scenario where a user can create a TaskRun with an SA they don't have access to. In the Triggers scenario, all that a user can do is create a PipelineRun/TaskRun, while in Pipelines, the user can actually run arbitrary code?

skaegi (Contributor, Author) commented Jul 24, 2020

I’m totally fine with the ability for an EL to impersonate an SA “in the same namespace”. Anyone who can create a pod via TaskRun, Job, StatefulSet, etc can do that today.

My concern is about the Trigger’s ability to impersonate an SA “in another namespace”. That is a cluster-wide super power and something no other built-in k8 CRD allows. I would consider removing this ability as I believe it is a mis-feature, but at the very least let us configure the feature off as it’s a security hazard.
