The built-in Azure role Azure Kubernetes Service RBAC Reader is described as:
Allows read-only access to see most objects in a namespace....
Then why does it allow the following action:
Microsoft.Resources/deployments/write
which is described as
Creates or updates a deployment.
How is this not a security issue?
There are two fields you will be able to see if you open the Kubernetes cluster through the portal.
Microsoft.Resources/deployments/write
This does not belong to the Azure Kubernetes Service RBAC Reader role. If you go to the DataActions of the RBAC Reader, there is no write role there. This action belongs to the Azure Kubernetes Service RBAC Write role. See the picture below.
Note: Microsoft.Resources contains the Microsoft.ContainerService/managedCluster/apps resource as well.
Microsoft.Resources/deployments/write is mentioned in the Actions section, not the DataActions section, of the Azure Kubernetes Service RBAC Reader role.
It seems to me that this permission was added by mistake. See this GitHub issue:
The action "Microsoft.Resources/deployments/write" does not affect the k8s resources. Only data actions affect the k8s resources via Azure RBAC, i.e. the permissions mentioned in the dataActions field. So it will not affect the Azure RBAC you set for the k8s resources in the cluster. The action "Microsoft.Resources/deployments/write" is usually added for built-in roles.
Two of the answers read,
[...] I will follow up that internally on removing that action. [...]
and
[...] we are working to see what "Write" permissions we can remove without breaking things [...]
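An added example, not from either answer, of how a defender can check the distinction the answers draw: control-plane operations are evaluated only against actions/notActions, data-plane (Kubernetes object) operations only against dataActions/notDataActions, so a write entry in the Actions list grants nothing on cluster objects. The role JSON below is a constructed, trimmed sample in the shape of `az role definition list` output, not the full built-in definition.

```python
import fnmatch
import json

# Constructed sample role definition, trimmed to entries relevant to the question.
# Not the complete built-in "Azure Kubernetes Service RBAC Reader" JSON.
SAMPLE_ROLE_JSON = json.dumps({
    "roleName": "Azure Kubernetes Service RBAC Reader",
    "permissions": [{
        "actions": [
            "Microsoft.Authorization/*/read",
            "Microsoft.Resources/deployments/write",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
        ],
        "notActions": [],
        "dataActions": [
            "Microsoft.ContainerService/managedClusters/apps/deployments/read",
            "Microsoft.ContainerService/managedClusters/pods/read",
        ],
        "notDataActions": [],
    }],
})


def load_role(text=SAMPLE_ROLE_JSON):
    """Parse a role definition JSON document into a dict."""
    return json.loads(text)


def _matches(operation, patterns):
    # Azure RBAC operation strings use '*' as a wildcard and compare case-insensitively.
    op = operation.lower()
    return any(fnmatch.fnmatchcase(op, p.lower()) for p in patterns)


def is_allowed(role, operation, data_plane):
    """True if the role grants `operation`.

    Control-plane (ARM) operations are checked against actions/notActions;
    data-plane (Kubernetes object) operations against dataActions/notDataActions.
    The two lists never cross over, which is the point made in the answers.
    """
    allow_key, deny_key = (("dataActions", "notDataActions") if data_plane
                           else ("actions", "notActions"))
    for perm in role["permissions"]:
        if (_matches(operation, perm.get(allow_key, []))
                and not _matches(operation, perm.get(deny_key, []))):
            return True
    return False


def write_actions(role, data_plane):
    """Granted entries whose final segment is a mutating verb (write/delete/action/*)."""
    key = "dataActions" if data_plane else "actions"
    return sorted(a for perm in role["permissions"] for a in perm.get(key, [])
                  if a.rsplit("/", 1)[-1] in ("write", "delete", "action", "*"))
```

Run `write_actions(load_role(), data_plane=True)` against a real role export to confirm that no mutating verb appears on the data plane; the control-plane list is where Microsoft.Resources/deployments/write shows up.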