Skip to content

Audit and tighten ClusterRole RBAC permissions #57

Open
Open
Audit and tighten ClusterRole RBAC permissions#57
Labels
researchResearch and design decisions neededsecuritySecurity improvements
@dorser

Description

@dorser
dorser
opened on Feb 17, 2026

Summary

The Helm chart's ClusterRole has an overly broad rule that may be unnecessary:

- apiGroups: ["*"]
  resources: ["deployments", "replicasets", "statefulsets", "daemonsets", "jobs", "cronjobs", "replicationcontrollers"]
  # Required to retrieve the owner references used by the seccomp gadget.
  verbs: ["get", "list", "watch", "create"]

Issues

  1. apiGroups: ["*"] — Should be scoped to specific API groups (apps/v1, batch/v1, etc.)
  2. create verb — The comment says it's for "owner references used by the seccomp gadget" but micromize doesn't use a seccomp gadget. This may be copy-pasted from Inspektor Gadget and be unnecessary.
  3. Principle of least privilege — A security tool should model minimal permissions.

What's Needed

  1. Audit which API permissions micromize actually uses
  2. Remove unnecessary verbs (create if not needed)
  3. Scope apiGroups to specific groups instead of wildcard
  4. Update the comment to explain why each permission is needed

Files

  • charts/micromize/templates/clusterrole.yaml

Metadata

Metadata

Assignees

No one assigned

    Labels

    researchResearch and design decisions neededsecuritySecurity improvements

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions