CVE Report on GE open source ClusterRole and Roles #8397
Labels
Needs Investigation
stale
Type: Bug
Gloo Edge Version
1.14.x (latest stable)
Kubernetes Version
None
Describe the bug
Hi team,
One of our customers reported some CVEs in their report.
They basically complain that the ClusterRole gloo/templates/20-namespace-clusterrole-gateway.yaml has some wildcards which are compromising security:

The issue is...
The role uses wildcards, which grant the role permissions to the whole cluster

The impact of this is...
The use of wildcard rights grants is likely to provide excessive rights to the Kubernetes API.

You can resolve this by...
Set only the necessary permissions required

Another of the CVE analyses they got is from the file gloo/templates/5-resource-cleanup-job.yaml, with the following info: This file contains a potential high severity misconfiguration affecting the ClusterRole. So the customer just wants to check if we can avoid using secrets in the Roles of this file.
This is the complete analysis:
Steps to reproduce the bug
Run CVE against open source Gloo Edge
Expected Behavior
Check if any of these CVEs can be avoided
Additional Context
No response
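As an added example (not code from the Gloo Edge project or from the customer's scanner), a small stdlib-only audit that flags the two kinds of finding described in this issue, wildcard grants and access to secrets, in Role and ClusterRole manifests. The manifests, their names and the `audit_rbac` function are constructed for illustration and do not reproduce the contents of the chart templates named above.

```python
# Added example: stdlib-only audit for the two RBAC findings in this issue,
# wildcard grants and access to secrets. All manifests below are constructed
# for illustration and are not the contents of the Gloo Edge chart templates.

# Constructed sample: the kind of ClusterRole a scanner flags for wildcards.
WILDCARD_CLUSTERROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "example-gateway-wildcard"},  # placeholder name
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}

# Constructed sample: the same role with explicit, least-privilege grants.
SCOPED_CLUSTERROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "example-gateway-scoped"},  # placeholder name
    "rules": [
        {"apiGroups": [""], "resources": ["services", "endpoints"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["networking.k8s.io"], "resources": ["ingresses"],
         "verbs": ["get", "list", "watch"]},
    ],
}

# Constructed sample: a namespaced Role that can read secrets (second finding).
CLEANUP_ROLE = {
    "kind": "Role",
    "metadata": {"name": "example-cleanup"},  # placeholder name
    "rules": [{"apiGroups": [""], "resources": ["secrets", "configmaps"],
               "verbs": ["list", "delete"]}],
}


def audit_rbac(manifest):
    """Return (rule_index, finding) tuples for one Role or ClusterRole."""
    # A wildcard in resources already covers secrets; it is reported as a
    # wildcard finding rather than as a separate secrets finding.
    findings = []
    for i, rule in enumerate(manifest.get("rules", [])):
        for field in ("apiGroups", "resources", "verbs"):
            if "*" in rule.get(field, []):
                findings.append((i, f"wildcard in {field}"))
        if "secrets" in rule.get("resources", []):
            verbs = ",".join(rule.get("verbs", []))
            findings.append((i, f"secrets access ({verbs})"))
    return findings


if __name__ == "__main__":
    for m in (WILDCARD_CLUSTERROLE, SCOPED_CLUSTERROLE, CLEANUP_ROLE):
        print(m["kind"], m["metadata"]["name"], audit_rbac(m) or "clean")
```

To run this against real chart output, render the chart (for example with `helm template`), load each document with a YAML parser, and pass every Role/ClusterRole document to `audit_rbac`.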