KEDA Operator Get All Access

[alexanderkevin]

Hi All,

I want to do a quick check before using KEDA on production. Notice that the Cluster role for KEDA Operator has given get access to all api groups and resources
https://github.com/kedacore/charts/blob/main/keda/templates/manager/clusterrole.yaml#L41-L46

- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get

is there any particular reason for this or do we have a list of mandatory GET access that we can fine grained

Thanks

[tomkerkhove]

@zroubalik @JorTurFer Do you know why this is the case? Likely this is not intentional

[zroubalik]

The reason is for KEDA to be able to scale any CustomResource. If you know what set of resources are you gonna scale, you can modify the role.

[JorTurFer]

So, should we document how to update the role for yaml users and support it in helm?

[zroubalik]

Yes, definitely!

[IsuruBoyagane15]

A quick check;
If I am going to scale only "deployment" resources using KEDA, replacing the rule with

- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get"]

would be the solution, right?

[JorTurFer]

I think so

[joebowbeer]

@zroubalik @JorTurFer Any update on this?

I installed the helm chart v2.13.1 with all secret restrictions enabled

  permissions:
    operator:
      restrict:
        secret: true
    metricServer:
      restrict:
        secret: true

but keda-operator still has "get" access to all secrets by way of this permissive rule in the keda-operator ClusterRole:

- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get

kubectl auth can-i get secrets --as=system:serviceaccount:keda:keda-operator
yes

I think the documentation for the restrict fields is misleading, as it implies that access to secrets will be (completely) restricted.

It would be helpful if the docs explained how to finish the job.

[JorTurFer]

- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get

This permission is required because KEDA can potentially work with any resource which implements /scale, so it needs that permission for working. The filter is done inside the code at some different levels:

• at logic level, we don't read the secret: https://github.com/kedacore/keda/blob/main/pkg/scaling/resolver/scale_resolvers.go#L402
• at client level, we register the secret lister namespace: https://github.com/kedacore/keda/blob/main/cmd/operator/main.go#L210

To avoid the * , you can update that permission adding the other permissions required for your workloads, if you just use Deployments, replacing it with

- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get"]

as suggested above (or any other workload resource)

Given that, I think that this can be a good improvement to docs, are you willing to open a PR clarifying it?

[joebowbeer]

I'm creating two issues:

1. Incomplete restrict secret access description keda-docs#1307
2. Incomplete restrict secret permissions description charts#605

[JorTurFer]

Let me move my comment there to track it too

[joebowbeer]

See recent changes kedacore/charts#625