by cassianoleal
1700 days ago
It is unclear whether this is a problem if you're running namespaced ingress-controllers though. This comment [0] in the bug report says: there's definitely an attack path that gets the ingress-nginx service account token, which has list rights on secrets at a cluster level (so allowing for all secret values to be retrieved).
I can't see how list permissions would allow retrieval of the secret value though. You'd need get permissions for that.

[0] https://github.com/kubernetes/ingress-nginx/issues/7837#issu...

I'm afraid not. HTTP GET on a collection endpoint (which is the operation represented by the list verb) returns the full object content.
https://kubernetes.io/docs/reference/access-authn-authz/auth...
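
Added example, not part of either comment above and not code from ingress-nginx: a small audit that treats `list` on Secrets as a read of their contents, as the reply describes. It goes one step further and also counts `watch`, which likewise returns full objects. The role names and the `SAMPLE` objects are constructed for illustration.

```python
# Added example: flags RBAC rules that expose Secret contents.
# All role names and rules in SAMPLE are constructed, not from a real cluster.
READ_VERBS = {"get", "list", "watch"}  # each one returns full Secret objects

def secret_read_verbs(rule):
    """Return the verbs in one RBAC PolicyRule that expose Secret data."""
    # Secrets live in the core API group, written as "" in RBAC rules.
    if not {"", "*"} & set(rule.get("apiGroups", [])):
        return set()
    if not {"secrets", "*"} & set(rule.get("resources", [])):
        return set()
    verbs = set(rule.get("verbs", []))
    return set(READ_VERBS) if "*" in verbs else READ_VERBS & verbs

def audit(objects):
    """Return (kind, namespace, name, verbs, resourceNames) per exposing rule."""
    findings = []
    for obj in objects:
        if obj.get("kind") not in ("Role", "ClusterRole"):
            continue
        meta = obj.get("metadata", {})
        for rule in obj.get("rules") or []:
            verbs = secret_read_verbs(rule)
            if verbs:
                findings.append((obj["kind"], meta.get("namespace", "<cluster>"),
                                 meta.get("name"), sorted(verbs),
                                 rule.get("resourceNames", [])))
    return findings

SAMPLE = [  # constructed objects
    {"kind": "ClusterRole", "metadata": {"name": "example-ingress"},
     "rules": [
         {"apiGroups": [""], "resources": ["configmaps", "endpoints", "secrets"],
          "verbs": ["list", "watch"]},
         {"apiGroups": ["networking.k8s.io"], "resources": ["ingresses"],
          "verbs": ["get", "list", "watch"]}]},
    {"kind": "Role", "metadata": {"name": "example-tls-reader", "namespace": "web"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"],
                "resourceNames": ["example-tls"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "example-pod-viewer"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]

if __name__ == "__main__":
    for kind, ns, name, verbs, names in audit(SAMPLE):
        scope = f"resourceNames={names}" if names else "all secrets in scope"
        print(f"{kind} {ns}/{name}: {','.join(verbs)} on secrets ({scope})")
```

To run it against a cluster, pass the `items` array from `kubectl get clusterroles,roles -A -o json` to `audit()`.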