
block-impersonating-serviceaccounts #3372

Merged
google-oss-prow[bot] merged 1 commit into master from block-impersonating-serviceaccounts on Mar 1, 2026

Conversation

@juliusvonkohout

Member

block-impersonating-serviceaccounts

Signed-off-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>
Copilot AI review requested due to automatic review settings March 1, 2026 10:34

Copilot AI left a comment

Contributor


Pull request overview

This PR removes the impersonate verb on core serviceaccounts from the Kubeflow aggregated ClusterRole rules, preventing Kubeflow roles from being able to impersonate ServiceAccounts.

Changes:

  • Removed RBAC rule granting impersonate on serviceaccounts from kubeflow-kubernetes-edit ClusterRole rules.
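The review above describes the fix only at the level of "the impersonate rule was removed". The following is an added example, not code from the kubeflow/manifests repository or from this PR: a small auditor that walks the `rules` of a (Cluster)Role and reports any rule that lets its holder impersonate ServiceAccounts, i.e. verb `impersonate` on resource `serviceaccounts` in the core API group. The `BEFORE` and `AFTER` objects are constructed stand-ins for the `kubeflow-kubernetes-edit` rule the review says was dropped (the role name is from this page, the other rules in it are assumed), and the `WILDCARD` role goes beyond this PR to show why a plain text search for the word `impersonate` is not enough: `"*"` in `apiGroups`, `resources` or `verbs` grants the same thing.

```python
"""Audit Kubernetes RBAC rules for ServiceAccount impersonation grants.

Added example, not code from kubeflow/manifests. The ClusterRole objects
below are constructed; only the role name kubeflow-kubernetes-edit comes
from the PR discussion.
"""
from typing import Dict, List

# An RBAC rule is a dict shaped like the YAML: apiGroups, resources, verbs.
Rule = Dict[str, List[str]]

CORE_GROUP = ""  # the core API group is spelled as the empty string in RBAC


def _matches(values: List[str], wanted: str) -> bool:
    """RBAC treats "*" as a wildcard in apiGroups, resources and verbs."""
    return "*" in values or wanted in values


def rule_grants_sa_impersonation(rule: Rule) -> bool:
    """True if this single rule lets the holder impersonate ServiceAccounts.

    A resourceNames restriction (not modelled here) narrows which accounts can
    be impersonated but the rule is still reported, because any impersonable
    ServiceAccount hands its holder that account's full permissions.
    """
    return (
        _matches(rule.get("apiGroups", []), CORE_GROUP)
        and _matches(rule.get("resources", []), "serviceaccounts")
        and _matches(rule.get("verbs", []), "impersonate")
    )


def find_sa_impersonation(role: Dict) -> List[Rule]:
    """Return every rule of a Role/ClusterRole that grants impersonate on serviceaccounts."""
    return [r for r in role.get("rules", []) if rule_grants_sa_impersonation(r)]


# Constructed "before" object: an edit role that, among ordinary namespaced
# permissions (assumed), also carries an impersonate grant on ServiceAccounts.
BEFORE = {
    "kind": "ClusterRole",
    "metadata": {"name": "kubeflow-kubernetes-edit"},  # name taken from the PR page
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["serviceaccounts"], "verbs": ["impersonate"]},  # the rule the PR drops
    ],
}

# Constructed "after" object: the same role with the impersonate rule removed.
AFTER = {
    "kind": "ClusterRole",
    "metadata": {"name": "kubeflow-kubernetes-edit"},
    "rules": [r for r in BEFORE["rules"] if not rule_grants_sa_impersonation(r)],
}

# Constructed wildcard role: grants the same thing without the literal words.
WILDCARD = {
    "kind": "ClusterRole",
    "metadata": {"name": "example-wildcard-admin"},  # hypothetical name
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}


if __name__ == "__main__":
    for role in (BEFORE, AFTER, WILDCARD):
        hits = find_sa_impersonation(role)
        verdict = "GRANTS" if hits else "does not grant"
        print(f"{role['metadata']['name']}: {verdict} impersonate on serviceaccounts")
```

To run this against real manifests, load each YAML document with a YAML parser and pass the resulting dict to `find_sa_impersonation`. On a live cluster the equivalent check for a given subject is `kubectl auth can-i impersonate serviceaccounts --as=<user>`; a `yes` there means that subject can act as any ServiceAccount the binding's scope covers, and therefore inherits every permission those ServiceAccounts have been bound to.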

@juliusvonkohout

Member Author

/approve

@google-oss-prow


[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: juliusvonkohout

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tarekabouzeid

Member

/lgtm

@google-oss-prow google-oss-prow Bot added the lgtm label Mar 1, 2026
@google-oss-prow google-oss-prow Bot merged commit ce9d368 into master Mar 1, 2026
16 checks passed
@google-oss-prow google-oss-prow Bot deleted the block-impersonating-serviceaccounts branch March 1, 2026 11:03
@sendorrr

sendorrr commented Mar 1, 2026


Thank you for addressing and merging the fix.
Given that this change removes the ability to impersonate ServiceAccounts due to an RBAC misconfiguration, could you please confirm whether a CVE will be requested for this issue?
Additionally, please let me know how reporter credit will be handled in the advisory.
Thank you.

Raakshass added a commit to Raakshass/manifests that referenced this pull request Mar 27, 2026
block-impersonating-serviceaccounts

Signed-off-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>


4 participants