Operator ClusterRole grants CRUD on roles/rolebindings cluster-wide #358

@raballew

Description


The operator ClusterRole at config/rbac/role.yaml:199-211 grants full CRUD on roles and rolebindings cluster-wide. A compromised operator can grant arbitrary permissions in any namespace.

Suggested Fix

  • Scope to operator's own namespace or use aggregated ClusterRoles
  • Remove cluster-wide CRUD on roles/rolebindings
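An added example (not code from the issue or the project) showing how to audit a cluster for the pattern this issue describes: it flags every ClusterRole that can write RBAC objects and reports whether a ClusterRoleBinding makes that grant cluster-wide, since a ClusterRole referenced only by RoleBindings is limited to those namespaces. The role and binding names and the sample manifests are constructed, not taken from the project.

```python
# Verbs that let a subject change RBAC objects rather than only read them.
WRITE_VERBS = {"*", "create", "update", "patch", "delete", "deletecollection", "bind", "escalate"}
RBAC_RESOURCES = {"*", "roles", "rolebindings", "clusterroles", "clusterrolebindings"}


def rule_writes_rbac(rule):
    """True if one PolicyRule grants a write verb on an RBAC resource."""
    if not set(rule.get("apiGroups") or []) & {"*", "rbac.authorization.k8s.io"}:
        return False
    if not set(rule.get("resources") or []) & RBAC_RESOURCES:
        return False
    return bool(set(rule.get("verbs") or []) & WRITE_VERBS)


def audit(items):
    """Map each ClusterRole that can write RBAC objects to its effective reach:
    "cluster-wide" (a ClusterRoleBinding references it), "namespaced-only"
    (only RoleBindings reference it) or "unbound". Namespaced Roles are not
    reported: their grants cannot leave their own namespace."""
    risky = {o["metadata"]["name"] for o in items if o.get("kind") == "ClusterRole"
             and any(rule_writes_rbac(r) for r in o.get("rules") or [])}
    reach = dict.fromkeys(risky, "unbound")
    for o in items:
        ref = o.get("roleRef") or {}
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in risky:
            continue
        if o.get("kind") == "ClusterRoleBinding":
            reach[ref["name"]] = "cluster-wide"
        elif o.get("kind") == "RoleBinding" and reach[ref["name"]] == "unbound":
            reach[ref["name"]] = "namespaced-only"
    return reach


# Constructed sample in the shape of `kubectl get ... -o json` items (names are invented):
# the weak operator ClusterRole bound cluster-wide, next to the suggested namespaced Role.
CRUD = ["create", "delete", "get", "list", "patch", "update", "watch"]
RBAC = "rbac.authorization.k8s.io"
SAMPLE = [
    {"kind": "ClusterRole", "metadata": {"name": "operator-manager-role"},
     "rules": [{"apiGroups": [RBAC], "resources": ["roles", "rolebindings"], "verbs": CRUD}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "operator-manager-rolebinding"},
     "roleRef": {"kind": "ClusterRole", "name": "operator-manager-role"}},
    {"kind": "Role", "metadata": {"name": "operator-rbac-role", "namespace": "operator-system"},
     "rules": [{"apiGroups": [RBAC], "resources": ["roles", "rolebindings"], "verbs": CRUD}]},
    {"kind": "ClusterRole", "metadata": {"name": "operator-rbac-viewer"},
     "rules": [{"apiGroups": [RBAC], "resources": ["roles", "rolebindings"], "verbs": ["get", "list"]}]},
]

if __name__ == "__main__":
    print(audit(SAMPLE))  # {'operator-manager-role': 'cluster-wide'}
```

Feed it the `items` array of `kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json`; the namespaced Role and the read-only ClusterRole in the sample are intentionally not reported.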
