Fine-tune RBAC rules for mongodb.com resources
Right now, the default RBAC rules for the mongodb-enterprise-operator role/clusterrole are:

```yaml
apiGroups:
  - mongodb.com
resources:
  - mongodb
  - mongodb/finalizers
  - mongodb/status
  - mongodbusers
  - mongodbusers/status
  - opsmanagers
  - opsmanagers/finalizers
  - opsmanagers/status
verbs:
  - "*"
```
This doesn't work well with privilege escalation because it won't work for service accounts that individually mention the allowed verbs.

For example, my service account has permissions for everything (create, delete, deletecollection, get, list, patch, update, watch), but it fails with `(...) is attempting to grant RBAC permissions not currently held` because they are not equal to `"*"`.
The proposed change is converting it to:

```yaml
apiGroups:
  - mongodb.com
resources:
  - mongodb
  - mongodb/finalizers
  - mongodb/status
  - mongodbusers
  - mongodbusers/status
  - opsmanagers
  - opsmanagers/finalizers
  - opsmanagers/status
verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
```
We have since fine-tuned the RBAC as much as possible.
The updated RBAC requirements can be seen at https://github.com/mongodb/mongodb-enterprise-kubernetes/blob/master/mongodb-enterprise.yaml