What's wrong?
This is a stronger variant of this issue, defining the problem as a bug rather than a feature request.
My assertion is that a Helm chart should not blithely give itself permission to read all secrets across a cluster. As far as I can tell, this access level exists in order to make the remote.kubernetes.secret component "just work," but that is a component that in my view shouldn't "just work" without an explicit opt-in to exposing secrets. The documentation for this component should be updated to reflect that RBAC permissions must be given to the Alloy service account to read any secrets that are to be exposed with this component. The feature enhancement requested above, if provided, should meet the opt-in need rather than enable opting out.
Unfortunately, the feature provided by grafana/k8s-monitoring-helm#224 in the k8s-monitoring chart relies on these extremely elevated default permissions, so fixing this will require breaking that chart. I will file an issue there and cross-reference it here.
Steps to reproduce
Install the chart configured with a remote.kubernetes.secret component for any secret in the cluster. Alloy will be able to read the secret without any explicit opt-in by the secret owner.
System information
No response
Software version
No response
Configuration
Logs
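As an added illustration of the opt-in model argued for in this issue (example code, not from the issue, the Alloy chart, or the k8s-monitoring chart): a small audit that flags RBAC rules granting Secret reads cluster-wide or namespace-wide, run over two constructed manifests, a broad ClusterRole of the kind the issue describes and a Role scoped to one named Secret in one namespace. The role names, namespace, secret name and the verbs the component needs are assumptions.

```python
import json

# Constructed manifests for illustration only; not the real chart RBAC.
# Shape mirrors `kubectl get clusterrole <name> -o json`.
BROAD_CLUSTER_ROLE = json.dumps({
    "kind": "ClusterRole",
    "metadata": {"name": "alloy-example"},
    "rules": [{"apiGroups": [""], "resources": ["secrets"],
               "verbs": ["get", "list", "watch"]}],
})

# Opt-in alternative: a namespaced Role limited to one named Secret,
# with only the verbs assumed necessary for the component.
SCOPED_ROLE = json.dumps({
    "kind": "Role",
    "metadata": {"name": "alloy-read-one-secret", "namespace": "monitoring"},
    "rules": [{"apiGroups": [""], "resources": ["secrets"],
               "resourceNames": ["remote-write-creds"],
               "verbs": ["get", "watch"]}],
})

READ_VERBS = {"get", "list", "watch"}


def rule_reads_secrets(rule):
    """True if this rule grants any read verb on core-group Secrets."""
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    core = "" in groups or "*" in groups
    secrets = "secrets" in resources or "*" in resources
    reads = bool(verbs & READ_VERBS) or "*" in verbs
    return core and secrets and reads


def audit_secret_access(manifest_json):
    """Return findings for rules that read Secrets more broadly than one named object."""
    obj = json.loads(manifest_json)
    kind, name = obj["kind"], obj["metadata"]["name"]
    findings = []
    for i, rule in enumerate(obj.get("rules", [])):
        if not rule_reads_secrets(rule):
            continue
        if kind == "ClusterRole":
            findings.append(f"{kind}/{name} rule {i}: reads Secrets in every namespace")
        elif not rule.get("resourceNames"):
            findings.append(f"{kind}/{name} rule {i}: reads every Secret in its namespace")
    return findings


if __name__ == "__main__":
    for manifest in (BROAD_CLUSTER_ROLE, SCOPED_ROLE):
        print(audit_secret_access(manifest) or ["ok: scoped to named Secrets"])
```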