fix(chart): rbac compliance checkbox for dnsendpoints/status#6442

Open
vflaux wants to merge 1 commit into kubernetes-sigs:master from vflaux:fix_6434

Conversation

Contributor

@vflaux vflaux commented May 16, 2026

What does it do?

Restrict RBAC permissions for dnsendpoints/status resource to patch and update verbs.

Motivation

fix #6434

More

  • Yes, this PR title follows Conventional Commits
  • Yes, I added unit tests
  • Yes, I updated end user documentation accordingly

@k8s-ci-robot k8s-ci-robot requested a review from mloiseleur May 16, 2026 20:01
@k8s-ci-robot k8s-ci-robot requested a review from stevehipwell May 16, 2026 20:01
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels May 16, 2026

coveralls commented May 16, 2026

Coverage Report for CI Build 26063689081

Coverage remained the same at 80.638%

Details

  • Coverage remained the same as the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.

Coverage Stats

Coverage Status
Relevant Lines: 21403
Covered Lines: 17259
Line Coverage: 80.64%
Coverage Strength: 1450.43 hits per line

💛 - Coveralls

@ivankatliarchuk
Member

Silly question, but worth making clear. What does removing * actually protect against?

Almost nothing in practice ;-). If the external-dns service account were compromised:

  • The attacker could already read dnsendpoints objects (including their status) via get/list/watch on the main resource
  • delete and create on a /status subresource are semantically meaningless in Kubernetes — the API server ignores or rejects them.
  • The only real reduction is blocking redundant get/list/watch on the status subresource path specifically - which gives no additional data beyond the main resource.

@ivankatliarchuk
Member

/retitle fix(chart): rbac compliance checkbox for dnsendpoints/status

@k8s-ci-robot k8s-ci-robot changed the title fix(chart): restrict rbac for dnsendpoints/status fix(chart): rbac compliance checkbox for dnsendpoints/status May 16, 2026
@ivankatliarchuk
Member

Probably patch is not required, but I'm not too sure; it needs testing.

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 16, 2026
@vflaux
Contributor Author

vflaux commented May 18, 2026

If a new verb were ever added, "*" would grant it. Afaik, that's why it's considered bad practice.
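
The two points above (the reviewer's question about what removing `*` protects against, and the author's answer that a wildcard would also grant any verb added in the future) can be checked with a small model of how the Kubernetes RBAC authorizer matches a PolicyRule. This is an added example, not code from the PR or from the external-dns chart; the two rule shapes are reconstructed from the PR description, `externaldns.k8s.io` is assumed to be the DNSEndpoint CRD's API group, and `hypothetical-new-verb` is a constructed verb that does not exist.

```python
# Added example (not part of the PR or the external-dns chart): a minimal
# re-implementation of how the Kubernetes RBAC authorizer matches a PolicyRule
# against a request, used to compare the wildcard verb list with the restricted
# ["patch", "update"] list for the dnsendpoints/status subresource.
# Assumptions: the rule shapes are reconstructed from the PR description, and
# "externaldns.k8s.io" is taken to be the DNSEndpoint CRD's API group.

DNS_GROUP = "externaldns.k8s.io"  # assumed API group of the DNSEndpoint CRD

# Rule shape before the change (wildcard verbs); reconstructed, not copied.
WILDCARD_RULE = {
    "apiGroups": [DNS_GROUP],
    "resources": ["dnsendpoints/status"],
    "verbs": ["*"],
}

# Rule shape after the change: only the verbs needed to write status.
RESTRICTED_RULE = {
    "apiGroups": [DNS_GROUP],
    "resources": ["dnsendpoints/status"],
    "verbs": ["patch", "update"],
}

# Verbs the API server knows today, plus a made-up future verb used to show
# what "*" would grant if a new verb were ever introduced.
KNOWN_VERBS = ["get", "list", "watch", "create", "update", "patch",
               "delete", "deletecollection"]
FUTURE_VERB = "hypothetical-new-verb"  # constructed, does not exist


def _resource_matches(rule_resources, requested):
    """Mirror the authorizer's resource matching.

    "*" matches every resource and subresource, an exact entry matches itself,
    and "*/<sub>" matches that subresource on any resource. A plain
    "dnsendpoints" entry does not cover "dnsendpoints/status" (or vice versa).
    """
    _, _, subresource = requested.partition("/")
    for entry in rule_resources:
        if entry == "*" or entry == requested:
            return True
        if subresource and entry == "*/" + subresource:
            return True
    return False


def rule_allows(rule, group, requested_resource, verb):
    """True if this single PolicyRule grants `verb` on `requested_resource`."""
    group_ok = "*" in rule["apiGroups"] or group in rule["apiGroups"]
    verb_ok = "*" in rule["verbs"] or verb in rule["verbs"]
    return group_ok and verb_ok and _resource_matches(rule["resources"], requested_resource)


def allowed_verbs(rule, group, requested_resource, candidates):
    """Sorted subset of `candidates` that the rule grants on the resource."""
    return sorted(v for v in candidates if rule_allows(rule, group, requested_resource, v))


def wildcard_findings(rules):
    """Compliance check: (rule index, field) for every '*' in a rule's fields."""
    return [(i, field) for i, rule in enumerate(rules)
            for field in ("apiGroups", "resources", "verbs")
            if "*" in rule.get(field, [])]


if __name__ == "__main__":
    target = "dnsendpoints/status"
    for name, rule in (("wildcard", WILDCARD_RULE), ("restricted", RESTRICTED_RULE)):
        print(name, "grants:",
              allowed_verbs(rule, DNS_GROUP, target, KNOWN_VERBS + [FUTURE_VERB]))
    print("wildcard findings:", wildcard_findings([WILDCARD_RULE, RESTRICTED_RULE]))
```

Running it shows the wildcard rule granting every known verb plus the constructed future verb on `dnsendpoints/status`, while the restricted rule grants exactly `patch` and `update`; `wildcard_findings` is the kind of check a chart compliance scanner applies and flags only the first rule. Note that this models authorization only: whether the API server actually has a handler for a verb such as `delete` on a `/status` subresource is a separate question, which is the reviewer's point about the practical reduction being small.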

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 18, 2026
@k8s-ci-robot
Contributor

New changes are detected. LGTM label has been removed.

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from ivankatliarchuk. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Labels

chart cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.

Development

Successfully merging this pull request may close these issues.

Helm chart: RBAC Wildcard In Rule