
The tutorial deployment of Tekton Dashboard grants write access to the cluster

Low
wlynch published GHSA-mp78-wp68-vxpq Aug 12, 2024

Package

github.com/tektoncd/dashboard

Affected versions

>= v0.26.0

Patched versions

v0.50.0

Description

Impact

Users of the Tekton Dashboard Tutorial may not be aware that the Tekton Dashboard in the tutorial is deployed in read/write mode. Read/write mode grants the ability to create PipelineRuns in the cluster, and each PipelineRun executes with the same privileges as the ServiceAccount specified for its execution.

This may include, depending on the setup of the cluster where Tekton is hosted, running privileged Pods.

Patches

There is no software change required for this security advisory; read/write mode is an intentional feature of the Dashboard.

The Tekton Dashboard Tutorial will be updated to call out that read/write mode is applied for the purposes of the tutorial, and to include links to resources that can be used to tune the deployment of Tekton.

Workarounds

Tekton Dashboard install documentation is available today; users may refer to it to decide how to install the Dashboard.

In particular, users should refer to Access Control docs for how to configure authentication for their deployments.
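As an added example (not code from the advisory or the Tekton project), the following audit checks the Impact and Workarounds sections' concern from the cluster side: it reads `kubectl get clusterroles,clusterrolebindings -o json`-shaped output and reports whether the Dashboard's ServiceAccount can create PipelineRuns, which is what read/write mode means in RBAC terms. The role and ServiceAccount names in `SAMPLE` are constructed, not Tekton's real manifests.

```python
"""Audit whether a Tekton Dashboard ServiceAccount may create PipelineRuns.

Added example, not code from the advisory or the Tekton project. Input has the
shape of `kubectl get clusterroles,clusterrolebindings -o json`; the role and
ServiceAccount names in SAMPLE are constructed, not Tekton's real manifests.
Only ClusterRole/ClusterRoleBinding are inspected, not namespaced Roles."""
import json

# Constructed sample: a read-only and a read/write role, each bound to its own SA.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "ClusterRole", "metadata": {"name": "sample-dashboard-ro"},
     "rules": [{"apiGroups": ["tekton.dev"], "resources": ["pipelineruns", "taskruns"],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "sample-dashboard-rw"},
     "rules": [{"apiGroups": ["tekton.dev"], "resources": ["*"],
                "verbs": ["get", "list", "watch", "create", "delete"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "sample-ro-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "sample-dashboard-ro"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "tekton-pipelines", "name": "dash-ro"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "sample-rw-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "sample-dashboard-rw"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "tekton-pipelines", "name": "dash-rw"}]},
]})


def _rule_allows(rule, group, resource, verb):
    """True if one RBAC PolicyRule grants verb on group/resource, honoring '*' wildcards."""
    return all(want in have or "*" in have for want, have in (
        (group, rule.get("apiGroups", [])),
        (resource, rule.get("resources", [])),
        (verb, rule.get("verbs", []))))


def can_create_pipelineruns(kubectl_json, sa_namespace, sa_name):
    """True if a ClusterRole bound to the ServiceAccount allows `create` on
    tekton.dev/pipelineruns: a Dashboard running as that SA is effectively read/write."""
    items = json.loads(kubectl_json)["items"]
    roles = {i["metadata"]["name"]: i for i in items if i["kind"] == "ClusterRole"}
    for binding in (i for i in items if i["kind"] == "ClusterRoleBinding"):
        bound = any(s.get("kind") == "ServiceAccount" and s.get("namespace") == sa_namespace
                    and s.get("name") == sa_name for s in binding.get("subjects", []))
        if not bound:
            continue
        for rule in roles.get(binding["roleRef"]["name"], {}).get("rules", []):
            if _rule_allows(rule, "tekton.dev", "pipelineruns", "create"):
                return True
    return False
```

Run it against the real cluster by replacing `SAMPLE` with the output of the `kubectl` command above and the name and namespace of the ServiceAccount the Dashboard Deployment runs as; a `True` result means the Dashboard can launch PipelineRuns with whatever ServiceAccount those runs specify.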


Severity

Low

CVE ID

No known CVE
