You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
If my understanding is correct, this service pulls images from a private Artifactory and performs assessments. Why does it need cluster-wide permissions to read secrets from other namespaces? This seems like a security issue.
In our use case, we use ArgoCD for deployments and do not allow other users (in this case, the team responsible for deploying this service) to create ClusterRole and ClusterRoleBinding resources. Am I missing something, could we simply use Role instead of ClusterRole?
kubectl auth can-i get secret --namespace=kube-system --as=system:serviceaccount:crowdstrike-falcon-io-shra:falcon-shra-executor
yes
The text was updated successfully, but these errors were encountered:
The Helm chart for falcon-self-hosted-registry-assessment is using cluster-wide permissions to read secrets:: https://github.com/CrowdStrike/falcon-helm/blob/main/helm-charts/falcon-self-hosted-registry-assessment/templates/executor-cluster-role.yaml.
If my understanding is correct, this service pulls images from a private Artifactory and performs assessments. Why does it need cluster-wide permissions to read secrets from other namespaces? This seems like a security issue.
In our use case, we use ArgoCD for deployments and do not allow other users (in this case, the team responsible for deploying this service) to create
ClusterRoleandClusterRoleBindingresources. Am I missing something, could we simply useRoleinstead ofClusterRole?The text was updated successfully, but these errors were encountered: