Subjects in clusterRoleBinding should be strict
dene14 opened this issue
Denis Boulas commented
RBAC doesn't include the realm name and authenticator right now, just a group in the realm, which may lead to a collision if groups in different realms/authenticators are named the same way but should have different access privileges. E.g. you have a group in a GitHub Org named `devs` and you also use another authenticator that has a group with the same name but including people who are not allowed to access.
Thus, in order to avoid a collision/leak, `subjects` in clusterRoleBinding should look like this:
```yaml
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: Authenticator/Realm/GroupName
```
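
The collision described in this issue, modelled as an added example (not code from the issue or from the project): two constructed identities share the group name `devs` under different authenticators, and a binding is matched first on the bare name and then on the proposed `Authenticator/Realm/GroupName` form. The `github` and `ldap` authenticators, the realms, the users and all helper names are assumptions made for illustration.

```python
# Added illustration; every authenticator, realm, user and group below is constructed.
ALICE = {"user": "alice", "authenticator": "github", "realm": "example-org", "groups": ["devs"]}
BOB = {"user": "bob", "authenticator": "ldap", "realm": "contractors", "groups": ["devs"]}

BARE_BINDING = {"subjects": [
    {"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "devs"}]}
STRICT_BINDING = {"subjects": [
    {"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "github/example-org/devs"}]}


def bare_groups(identity):
    """Group names with realm and authenticator dropped (the behaviour the issue reports)."""
    return set(identity["groups"])


def qualified_groups(identity):
    """Group names in the proposed Authenticator/Realm/GroupName form."""
    prefix = f'{identity["authenticator"]}/{identity["realm"]}'
    return {f"{prefix}/{group}" for group in identity["groups"]}


def is_bound(binding, group_names):
    """True if any Group subject of the binding names one of the caller's groups."""
    return any(s["kind"] == "Group" and s["name"] in group_names
               for s in binding["subjects"])


def unqualified_subjects(binding):
    """Audit check: Group subjects that are not three non-empty '/'-separated parts."""
    flagged = []
    for s in binding["subjects"]:
        parts = s["name"].split("/")
        if s["kind"] == "Group" and (len(parts) != 3 or not all(parts)):
            flagged.append(s["name"])
    return flagged


if __name__ == "__main__":
    for who in (ALICE, BOB):
        print(who["user"],
              "bare:", is_bound(BARE_BINDING, bare_groups(who)),
              "strict:", is_bound(STRICT_BINDING, qualified_groups(who)))
    print("needs qualifying:", unqualified_subjects(BARE_BINDING))
```

`unqualified_subjects` can be run over exported bindings to list the Group subjects that would still match on a bare name.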