Summary
The Helm chart's ClusterRole has an overly broad rule that may be unnecessary:
- apiGroups: ["*"]
resources: ["deployments", "replicasets", "statefulsets", "daemonsets", "jobs", "cronjobs", "replicationcontrollers"]
# Required to retrieve the owner references used by the seccomp gadget.
verbs: ["get", "list", "watch", "create"]
Issues
apiGroups: ["*"] — Should be scoped to specific API groups (apps/v1, batch/v1, etc.)create verb — The comment says it's for "owner references used by the seccomp gadget" but micromize doesn't use a seccomp gadget. This may be copy-pasted from Inspektor Gadget and be unnecessary.- Principle of least privilege — A security tool should model minimal permissions.
What's Needed
- Audit which API permissions micromize actually uses
- Remove unnecessary verbs (
create if not needed)
- Scope
apiGroups to specific groups instead of wildcard
- Update the comment to explain why each permission is needed
Files
charts/micromize/templates/clusterrole.yaml
Summary
The Helm chart's ClusterRole has an overly broad rule that may be unnecessary:
Issues
apiGroups: ["*"]— Should be scoped to specific API groups (apps/v1,batch/v1, etc.)createverb — The comment says it's for "owner references used by the seccomp gadget" but micromize doesn't use a seccomp gadget. This may be copy-pasted from Inspektor Gadget and be unnecessary.What's Needed
createif not needed)apiGroupsto specific groups instead of wildcardFiles
charts/micromize/templates/clusterrole.yaml