Limit access for Karmada to certain resources in member cluster

[ritzdevp]

Please provide an in-depth description of the question you have:

When a member cluster is registered with Karmada, there is a secret in the member cluster associated with a service account, which is used as the impersonator secret in Karmada. This service account gives Karmada full access to the member cluster for all resources. Is there a way to limit the resources and verbs that Karmada can have access to in a member cluster?

What do you think about this question?:
My guess is that this can be controlled by modifying the ClusterRole in the member cluster that is associated with the service account whose secret is used by Karmada. But I am wondering if this feature is already offered in karmadactl.

Environment:

• Karmada version:
• Kubernetes version:
• Others:

[zhzhuang-zju]

My guess is that this can be controlled by modifying the ClusterRole in the member cluster that is associated with the service account whose secret is used by Karmada. But I am wondering if this feature is already offered in karmadactl.

@ritzdevp Currently, the permissions for the Karmada control plane to access the resources of member clusters cannot be configured.
Are you looking to this feature out of security considerations?

[NickYadance]

Karmada will create two SA in member cluster, karmada-impersonator and karmada-controller-manager:karmada-<cluster>, the first one is used by karmada apiserver to impersonate the admin in member cluster(correct me if wrong), and the second one is used by karmada controller manager. These two both have BIG permissions, and can bring some security issues.

I think you can modify clusterroles of both SA, to limit what karmada can do to the member cluster, but it will be hard to tell which RBAC karmada needs. Maybe we need a minimal privilege set to keep karmada core functioning as normal, and user can add privelleges based on that, to avoid super admin security issue.