by cassianoleal 1700 days ago
> A user can have many permissions in his/her own namespace without compromising the other tenants.

This sounds like it would allow any user with Ingress create/update access in any namespace to compromise secrets across all namespaces.

It is unclear whether this is a problem if you're running namespaced ingress-controllers though. This comment [0] in the bug report says:

    there's definitely an attack path that gets the ingress-nginx service account token, which has list rights on secrets at a cluster level (so allowing for all secret values to be retrieved).
I can't see how list permissions would allow retrieval of the secret value though. You'd need get permissions for that.

[0] https://github.com/kubernetes/ingress-nginx/issues/7837#issu...

> You'd need get permissions for that.

I'm afraid not. HTTP GET on a collection endpoint (which is the operation represented by the list verb) returns the full object content.

https://kubernetes.io/docs/reference/access-authn-authz/auth...

Interesting, thanks for the reference. This is at best surprising, at worst sloppy security design IMO.
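Since the thread's point is that get, list and watch all return full Secret contents, the useful defender's check is which subjects hold any of those verbs on secrets cluster-wide. The following is an added example, not code from the thread or from ingress-nginx; the RBAC objects are constructed sample input with placeholder names, and it also makes the distinction raised above between a ClusterRoleBinding (every namespace) and a RoleBinding that references a ClusterRole (one namespace only).

```python
"""Audit RBAC objects for subjects able to read Secret contents in every namespace."""

# get, list and watch all return full Secret objects (data included); "*" covers them.
EXPOSING_VERBS = {"get", "list", "watch", "*"}

# Constructed sample RBAC objects (not from any real cluster); names are placeholders.
SAMPLE_OBJECTS = [
    {"kind": "ClusterRole", "metadata": {"name": "sample-ingress"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["list"]},
               {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "sample-ingress-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "sample-ingress"},
     "subjects": [{"kind": "ServiceAccount", "name": "ingress-nginx", "namespace": "ingress-nginx"}]},
    # Same rights, but bound with a RoleBinding: scoped to one namespace, so not reported.
    {"kind": "ClusterRole", "metadata": {"name": "sample-secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "team-a-reader", "namespace": "team-a"},
     "roleRef": {"kind": "ClusterRole", "name": "sample-secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "ingress", "namespace": "team-a"}]},
    {"kind": "ClusterRole", "metadata": {"name": "sample-pod-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "sample-pod-viewer-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "sample-pod-viewer"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
]

def rule_exposes_secrets(rule):
    """True if one PolicyRule grants a verb that returns Secret data."""
    core_group = {"", "*"} & set(rule.get("apiGroups", [""]))
    on_secrets = {"secrets", "*"} & set(rule.get("resources", []))
    return bool(core_group and on_secrets and EXPOSING_VERBS & set(rule.get("verbs", [])))

def find_cluster_wide_secret_readers(objects):
    """Return (subject, binding) pairs for subjects that can read Secrets in all namespaces."""
    cluster_roles = {o["metadata"]["name"]: o for o in objects if o["kind"] == "ClusterRole"}
    findings = []
    for binding in objects:
        # Only a ClusterRoleBinding applies cluster-wide; a RoleBinding that references a
        # ClusterRole limits it to the binding's own namespace, so it is skipped here.
        if binding["kind"] != "ClusterRoleBinding":
            continue
        role = cluster_roles.get(binding["roleRef"]["name"])
        if role and any(rule_exposes_secrets(r) for r in role.get("rules", [])):
            for s in binding.get("subjects", []):
                subject = f'{s["kind"]}:{s.get("namespace", "")}/{s["name"]}'
                findings.append((subject, binding["metadata"]["name"]))
    return findings

if __name__ == "__main__":
    for subject, binding in find_cluster_wide_secret_readers(SAMPLE_OBJECTS):
        print(f"{subject} can read every Secret via ClusterRoleBinding {binding}")
```

On a live cluster the same logic runs over the output of `kubectl get clusterroles,clusterrolebindings -o json` (the `items` list), with no other changes.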