
Status Completed
Created by Guest
Created on May 4, 2021

Fine-tune RBAC rules for mongodb.com resources

Right now, the default RBAC rules for the mongodb-enterprise-operator role/clusterrole are:

    apiGroups:
      - mongodb.com
    resources:
      - mongodb
      - mongodb/finalizers
      - mongodb/status
      - mongodbusers
      - mongodbusers/status
      - opsmanagers
      - opsmanagers/finalizers
      - opsmanagers/status
    verbs:
      - "*"

Available at https://github.com/mongodb/mongodb-enterprise-kubernetes/blob/b4c0a9b167f21114dc276cb163a1b207ae2f9359/helm_chart/templates/operator-roles.yaml#L90

This doesn't work well with privilege escalation because it won't work for service accounts that individually mention the allowed verbs. For example, my service account has permissions for everything (create, delete, deletecollection, get, list, patch, update, watch), but it fails with `(...) is attempting to grant RBAC permissions not currently held` because they are not equal to "*".

The proposed change is converting it to:

    apiGroups:
      - mongodb.com
    resources:
      - mongodb
      - mongodb/finalizers
      - mongodb/status
      - mongodbusers
      - mongodbusers/status
      - opsmanagers
      - opsmanagers/finalizers
      - opsmanagers/status
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
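The failure described in the post comes from Kubernetes' RBAC escalation prevention: a subject may only create a role whose rules it already holds, and a requested verb "*" is not expanded, so it is only covered by a literal "*" in the creator's grant. The Go program below is an added example, not code from the operator or from Kubernetes; it models that check in simplified form (wildcard or exact match per field) and runs it for both the shipped rule and the proposed rule. The installer's grant (`ServiceAccount`) is a constructed value assumed from the post's description of a service account with every verb spelled out.

```go
package main
import "fmt"
// PolicyRule holds the RBAC rule fields that Kubernetes' escalation check compares.
type PolicyRule struct{ APIGroups, Resources, Verbs []string }
// Constructed values: the operator rule quoted in the post, and the installer's grant
// (ServiceAccount) with every verb spelled out and no wildcard, as the post describes.
var (
	allVerbs       = []string{"create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"}
	mongoResources = []string{"mongodb", "mongodb/finalizers", "mongodb/status", "mongodbusers",
		"mongodbusers/status", "opsmanagers", "opsmanagers/finalizers", "opsmanagers/status"}
	ServiceAccount = []PolicyRule{{[]string{"mongodb.com"}, []string{"*"}, allVerbs}}
)
// CurrentRule is the shipped rule (verbs: "*"); ProposedRule lists the same verbs explicitly.
func CurrentRule() PolicyRule  { return PolicyRule{[]string{"mongodb.com"}, mongoResources, []string{"*"}} }
func ProposedRule() PolicyRule { return PolicyRule{[]string{"mongodb.com"}, mongoResources, allVerbs} }

// matches: an owner field covers want if it holds "*" or the exact name. A requested "*"
// is not expanded, so only a literal "*" in the owner's grant covers it.
func matches(have []string, want string) bool {
	for _, h := range have {
		if h == "*" || h == want {
			return true
		}
	}
	return false
}

// Uncovered expands rule into (group, resource, verb) triples and returns the ones no
// owner rule covers; an empty result means creating the role passes escalation prevention.
func Uncovered(owner []PolicyRule, rule PolicyRule) []string {
	var missing []string
	for _, g := range rule.APIGroups {
		for _, res := range rule.Resources {
		verbs:
			for _, v := range rule.Verbs {
				for _, o := range owner {
					if matches(o.APIGroups, g) && matches(o.Resources, res) && matches(o.Verbs, v) {
						continue verbs
					}
				}
				missing = append(missing, g+"/"+res+":"+v)
			}
		}
	}
	return missing
}

func main() {
	fmt.Println("current rule, not held by installer:", Uncovered(ServiceAccount, CurrentRule()))
	fmt.Println("proposed rule, not held by installer:", Uncovered(ServiceAccount, ProposedRule()))
}
```

With the shipped rule all eight `mongodb.com` resources are reported as not held (their "*" verb is not covered by the explicit list), while the proposed rule is fully covered.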
  • ADMIN RESPONSE
    Aug 1, 2025
    We have since fine-tuned the RBAC as much as possible. The updated RBAC requirements can be seen in https://github.com/mongodb/mongodb-enterprise-kubernetes/blob/master/mongodb-enterprise.yaml