From 5e7725700704cb2651ee325bba368708f4fba87c Mon Sep 17 00:00:00 2001 From: Ben Langfeld Date: Sat, 13 Jul 2019 11:17:08 -0300 Subject: [PATCH] Document known RBAC vulnerability --- docs/security.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/security.md b/docs/security.md index f5a28889..8a124cd4 100644 --- a/docs/security.md +++ b/docs/security.md @@ -34,6 +34,8 @@ Kubernetes API permissions are limited by the following roles: - [jenkins-operator role](../deploy/role.yaml) - [Jenkins Master role](../pkg/controller/jenkins/configuration/base/resources/rbac.go) +Since **jenkins-operator** must be able to grant permission for its' deployed Jenkins masters to spawn pods (the `Jenkins Master role` above), the operator itself requires permission to create RBAC resources (the `jenkins-operator role` above). Deployed this way, any subject which may create a Pod (including a Jenkins job) may assume the `jenkins-operator` role by using its' ServiceAccount, create RBAC rules, and thus escape its granted permissions. Any namespace to which the `jenkins-operator` is deployed must be considered to implicitly grant all possible permissions to any subject which can create a Pod in that namespace. + ## Report a Security Vulnerability If you find a vulnerability or any misconfiguration in Jenkins, please report it in the [issues](https://github.com/jenkinsci/kubernetes-operator/issues).
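Review bot: The added paragraph writes "its'" twice ("its' deployed Jenkins masters", "its' ServiceAccount"); the possessive is "its", so both should be corrected before merge. Beyond the typo, the paragraph states the risk (any subject that can create a Pod in the operator's namespace can run it under the jenkins-operator ServiceAccount, create RBAC rules, and escape its granted permissions) but offers the reader no guidance on what to do about it; since the final sentence already frames the problem per namespace, consider adding one sentence recommending that jenkins-operator be deployed in a dedicated namespace in which no other subject, and in particular no Jenkins job, holds Pod create permission, and that the namespace be audited for such bindings. It would also help to state plainly that this is a known, currently unmitigated limitation (as the commit subject says) so readers do not take the paragraph as describing a configurable option.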