Description
We have received concerns regarding the breadth of permissions granted to certain Kubernetes resources within our clusters. To enhance security and ensure the principle of least privilege, we need to evaluate and adjust these permissions to be strictly necessary for the operational requirements of our applications.
Objectives:
- Audit Current Permissions: Conduct a thorough review of all Kubernetes resources to identify their current permissions and document them in this GitHub issue.
- Define Necessary Permissions: Establish the minimal permissions required for each resource to function effectively.
- Implement Namespace Scoping: Where applicable, adjust permissions to limit their scope to specific namespaces, reducing the potential impact of compromised resources.
- Update Documentation: Ensure that all changes and the rationale behind permissions levels are well-documented.
Outcomes
The permissions of Kubernetes resources will be minimized to what is essential for their operation, enhancing our cluster's security posture. Namespace-specific scoping will be applied where beneficial, providing an additional layer of containment and control.
Examples:
Template (`ClusterRole` for the console component):

```yaml
{{- if .Values.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "console.fullname" . }}
  namespace: {{ $.Release.Namespace }}
  labels:
    {{- include "wandb.commonLabels" . | nindent 4 }}
    {{- include "console.commonLabels" . | nindent 4 }}
    {{- include "console.labels" . | nindent 4 }}
    {{- if .Values.clusterRole.labels -}}
    {{- toYaml .Values.clusterRole.labels | nindent 4 }}
    {{- end }}
  annotations:
    {{- if .Values.clusterRole.annotations -}}
    {{- toYaml .Values.clusterRole.annotations | nindent 4 }}
    {{- end }}
rules:
  # We can scope these permissions down later
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
{{- end }}
```

Default values:

```yaml
clusterRole:
  rules:
    - apiGroups: ["*"]
      resources: ["*"]
      verbs: ["*"]
```

- Can we parameterize these permissions so we can scope them to a specific namespace?
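One way to answer the parameterization question, as an added example and not code from the wandb chart: a Helm template that takes the rule list from values and renders a namespaced `Role` plus `RoleBinding` for every namespace listed in `rbac.namespaces`, falling back to a `ClusterRole`/`ClusterRoleBinding` only when that list is empty. The values keys `rbac.namespaces` and `rbac.rules`, the `serviceAccount.name` value and the reuse of `console.fullname` for every object name are assumptions made for this illustration; the `console.fullname` and `wandb.commonLabels` helpers are the ones shown in the template above.

```yaml
{{- /*
Added example (not part of the wandb/helm-charts repo).
Assumed values keys: rbac.namespaces (list of strings), rbac.rules (list of
PolicyRules), serviceAccount.name (string, defaults to the fullname).
*/ -}}
{{- if .Values.enabled }}
{{- $fullname := include "console.fullname" . }}
{{- $rbac := .Values.rbac | default dict }}
{{- $rules := $rbac.rules | default list }}
{{- $sa := (.Values.serviceAccount | default dict).name | default $fullname }}
{{- if $rbac.namespaces }}
{{- /* Namespaced path: one Role + RoleBinding per listed namespace. */ -}}
{{- range $ns := $rbac.namespaces }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ $fullname }}
  namespace: {{ $ns }}
  labels:
    {{- include "wandb.commonLabels" $ | nindent 4 }}
rules:
  {{- toYaml $rules | nindent 2 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ $fullname }}
  namespace: {{ $ns }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ $fullname }}
subjects:
  - kind: ServiceAccount
    name: {{ $sa }}
    namespace: {{ $.Release.Namespace }}
{{- end }}
{{- else }}
{{- /* Cluster-wide fallback; ClusterRole is cluster-scoped, so it carries no namespace. */ -}}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ $fullname }}
  labels:
    {{- include "wandb.commonLabels" . | nindent 4 }}
rules:
  {{- toYaml $rules | nindent 2 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ $fullname }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ $fullname }}
subjects:
  - kind: ServiceAccount
    name: {{ $sa }}
    namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}
# Constructed values.yaml fragment for the scoped case (an assumption, not the
# chart's real defaults): explicit groups, resources and verbs instead of "*".
#
# rbac:
#   namespaces: ["wandb", "wandb-jobs"]
#   rules:
#     - apiGroups: [""]
#       resources: ["secrets", "configmaps"]
#       verbs: ["get", "list", "watch", "create", "update", "patch"]
#     - apiGroups: ["apps"]
#       resources: ["deployments", "statefulsets"]
#       verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
```

Two points worth keeping in mind when adopting something like this: `metadata.namespace` on a `ClusterRole` (as in the current template) is ignored by the API server because the kind is cluster-scoped, so it gives no containment on its own; and a `RoleBinding` can bind a service account from the release namespace into another namespace, so the operator's service account only needs to exist once while its reach is limited to the namespaces actually listed.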
Operator
- https://github.com/wandb/operator/tree/main
- https://github.com/wandb/operator/blob/main/controllers/weightsandbiases_controller.go#L233
- https://github.com/wandb/operator/blob/main/pkg/helm/chart.go#L118 - whatever permissions are required to apply a Helm chart to the cluster, so probably writes
- https://github.com/wandb/operator/blob/main/pkg/wandb/spec/state/secrets/secrets.go#L27 - probably just read and write to secrets
- https://github.com/wandb/operator/blob/main/pkg/utils/kubeclient/kubeclient.go most of our interactions with k8s are through these functions. You should search and see what objects are being passed in