Comments (2)
You're correct in some regard, although it doesn't really have anything to do with kube-rbac-proxy. This is the case for any Prometheus pod that gets compromised, or even further, if credentials get compromised, then anyone can impersonate the entity the credentials were issued for. In regard to ServiceAccount tokens, there is one thing that improves the situation, which is audience-scoped tokens. With those, each token would have a scope, and they can only be used for exactly that scope, so if that token gets compromised, it can only do what it was issued for (essentially limiting blast radius).
Let me know if there is anything else I can answer :)
from kube-rbac-proxy.
Thanks @brancz, that helps :)
from kube-rbac-proxy.
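The audience scoping described in the first comment can be audited directly from a token's `aud` claim. The following is an added example, not part of the thread or of kube-rbac-proxy's code: it reads the audiences a token is bound to and models the recipient-side check that limits where a leaked token is usable. The function names (`TokenAudiences`, `Accepts`, `sampleToken`) and the audience strings are assumptions made for illustration, and signature verification is deliberately out of scope.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// TokenAudiences reads "aud" WITHOUT verifying the signature: audit use only.
func TokenAudiences(token string) ([]string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("not a compact JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	var claims struct{ Aud json.RawMessage `json:"aud"` }
	if err != nil || json.Unmarshal(payload, &claims) != nil {
		return nil, fmt.Errorf("undecodable JWT payload")
	}
	var many []string // "aud" may be an array of strings...
	var one string    // ...or a single string
	if json.Unmarshal(claims.Aud, &many) == nil {
		return many, nil
	} else if json.Unmarshal(claims.Aud, &one) == nil {
		return []string{one}, nil
	}
	return nil, fmt.Errorf("aud claim missing or malformed")
}

// Accepts models the recipient's check: its own identifier must be in "aud".
func Accepts(recipient, token string) bool {
	auds, _ := TokenAudiences(token) // nil on error, so nothing matches
	for _, a := range auds {
		if a == recipient {
			return true
		}
	}
	return false
}

// sampleToken builds a constructed, unsigned demo token (not a real credential).
func sampleToken(claims string) string {
	return "e30." + base64.RawURLEncoding.EncodeToString([]byte(claims)) + ".sig"
}

func main() {
	tok := sampleToken(`{"aud":["metrics-proxy.example"]}`)
	fmt.Println(Accepts("metrics-proxy.example", tok), Accepts("kube-apiserver.example", tok))
}
```

A token minted only for the metrics proxy's audience is refused by any recipient that checks for a different audience, which is the blast-radius limit the comment refers to.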