This repository has been archived by the owner on Apr 25, 2024. It is now read-only.

The kiosk service account should use an explicit role #77

Open
moshloop opened this issue Jul 23, 2020 · 3 comments

Comments

@moshloop

It is currently using cluster-admin, which should not be required.

@FabianKramm
Member

@moshloop thanks for reporting this issue! I'm with you on this, but I'm not sure if we can go around cluster admin in terms of permissions within the cluster, because kiosk needs to be able to:

  • Watch all types of resources in all namespaces for the account quota
  • Create rolebindings for any cluster role as specified in the account.spec.space.clusterRole

I think limiting kiosk to a non-cluster-admin cluster role could prevent kiosk from fulfilling one of the above tasks in some cases.

@moshloop
Author

Watch all types of resources in all namespaces for the account quota

This can be defined as an explicit LIST only on '*', and READ on Pod-based resources, e.g. Kiosk doesn't need to read the contents of all secrets in all namespaces.

Create rolebindings for any cluster role as specified in the account.spec.space.clusterRole

This is a security issue. I think Kiosk should be granted the cluster roles that it can assign. Granting access to everything by default, including cluster-scoped resources it doesn't need access to, unnecessarily increases the security risk profile. If people want to do this, then it should be opt-in, not by default.
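The allow-list design proposed in this comment, written out as Kubernetes RBAC (an added example for this thread, not a manifest from the kiosk project). Kubernetes' RBAC escalation check only lets a subject create a RoleBinding to a ClusterRole whose permissions it already holds, unless that subject has the `bind` verb on the ClusterRole itself; a `bind` rule restricted by `resourceNames` is therefore exactly an opt-in list of the roles the controller may hand out. The resource kinds counted for quotas, the role names in the allow-list, the ClusterRole name and the service account name/namespace are all assumptions to be adjusted to a given install. Note that a LIST returns full object bodies, so granting `list` on secrets still exposes their contents; secrets are left out of the quota rule for that reason.

```yaml
# Added example, not part of the kiosk project. Replaces the default
# cluster-admin binding with an explicit, least-privilege ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kiosk-controller-restricted        # assumed name
rules:
  # Quota accounting: list/watch (not read individual contents beyond the
  # list itself) for the namespaced kinds an AccountQuota is assumed to count.
  # Secrets are deliberately omitted: a LIST would return their data.
  - apiGroups: [""]
    resources: ["pods", "services", "persistentvolumeclaims", "configmaps", "resourcequotas"]
    verbs: ["list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "statefulsets", "daemonsets"]
    verbs: ["list", "watch"]
  # Pod-based resources the controller is assumed to read individually.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get"]
  # Space management: the controller is assumed to create and delete
  # namespaces for spaces.
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Manage the RoleBindings that give account users access to their spaces.
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["rolebindings"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Opt-in allow-list: the controller may bind ONLY these ClusterRoles.
  # Any account.spec.space.clusterRole outside this list is rejected by the
  # API server's escalation check, instead of being silently honoured.
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterroles"]
    resourceNames: ["admin", "edit", "view"]   # assumed allow-list
    verbs: ["bind"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kiosk-controller-restricted        # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kiosk-controller-restricted
subjects:
  - kind: ServiceAccount
    name: kiosk                            # assumed service account name
    namespace: kiosk                       # assumed namespace
```

After applying this, a quick check that the allow-list is enforced is `kubectl auth can-i bind clusterroles --as=system:serviceaccount:kiosk:kiosk` for a role name that is on the list (expected `yes`) and for one that is not, such as `cluster-admin` (expected `no`). Widening the allow-list is then a deliberate change to `resourceNames`, which is the opt-in behaviour the comment asks for.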

@FabianKramm
Member

@moshloop I agree on the first part, not so sure about the second. You are definitely not wrong about the broader security risk profile, however I think it is better to have a cluster-admin role assigned by default than a very restrictive role, because it is very hard to tell what roles you will want to assign to users up-front during the kiosk install process and it just makes it harder to test things initially. Rancher for example is doing it the same way. However, I'm not against encouraging users to restrict their kiosk cluster permissions and definitely willing to add more configuration options to the kiosk chart to reduce attack surface.
