During a security review we noticed we have a service account called storage-version-migration-migrator-v2 that has cluster role bindings to the cluster-admin role.
By looking into the GKE version we were running (1.25) and latest versions in GKE (1.28.4-gke.1083000) we see the same binding in the latest version which led me to the following question:
Is a cluster-admin role needed for the kube-storage-version-migrator to fulfill its purpose?
A good privilege escalation using this security breach can be seen here
The cluster admin role is not specifically required for the storage version migrator to fulfill its purpose. The kube storage version migrator is responsible for migrating the storage objects in a Kubernetes cluster from one version to another during a cluster upgrade. The migrator primarily operates at the API level and requires specific permissions to access and modify storage-related resources like PVs, PVCs, etc., while the cluster admin role grants full control and access to all resources within the cluster, which is considered extreme and not recommended for regular operations.
However, a service account with sufficient privileges to read, modify, remove and create storage-related resources will be necessary. The required permissions may include "watch", "get", "list", "patch". These permissions can be granted through a role-based access control configuration within Kubernetes. But as per the GitHub link, the SVM operator only allows the cluster-admin role, and a request for a new role with only the required permissions is under process.
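The two practical steps behind this answer are (1) auditing which service accounts are bound to cluster-admin and (2) writing a scoped ClusterRole carrying only the verbs listed above. The script below is an added example, not code from the question, the answer or the kube-storage-version-migrator project. It parses a constructed `ClusterRoleBindingList` in the shape `kubectl get clusterrolebindings -o json` produces (only the migrator binding mirrors the one the question describes; the other items are made up), flags service-account subjects of cluster-admin, and builds a replacement ClusterRole. The role name, API groups and resource list passed to it are placeholders, not the set the migrator actually needs, which is what the upstream request mentioned in the answer is meant to settle.

```python
"""Audit ClusterRoleBindings for service accounts bound to cluster-admin and
build a least-privilege ClusterRole as a replacement (added example)."""
import json

# Constructed sample in the shape of `kubectl get clusterrolebindings -o json`.
# Only the first item mirrors the binding from the question; the rest are made up.
SAMPLE_BINDINGS_JSON = json.dumps({
    "kind": "ClusterRoleBindingList",
    "items": [
        {
            "metadata": {"name": "storage-version-migration-migrator-v2"},
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "ServiceAccount",
                          "name": "storage-version-migration-migrator-v2",
                          "namespace": "kube-system"}],
        },
        {
            "metadata": {"name": "example-viewer"},
            "roleRef": {"kind": "ClusterRole", "name": "view"},
            "subjects": [{"kind": "ServiceAccount", "name": "example-viewer",
                          "namespace": "default"}],
        },
        {
            "metadata": {"name": "example-masters"},
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
            # A Group subject: not a service account, so it is not reported here.
            "subjects": [{"kind": "Group", "name": "system:masters"}],
        },
    ],
})

# Verbs the answer names as the likely minimum; "*" is deliberately absent.
SCOPED_VERBS = ("get", "list", "watch", "patch")


def find_cluster_admin_service_accounts(bindings_json):
    """Return sorted 'namespace/name' for every ServiceAccount whose binding
    points at the cluster-admin ClusterRole."""
    data = json.loads(bindings_json)
    hits = []
    for item in data.get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue
        for subj in item.get("subjects") or []:  # subjects may be null
            if subj.get("kind") == "ServiceAccount":
                hits.append(f"{subj.get('namespace', '')}/{subj['name']}")
    return sorted(hits)


def scoped_cluster_role(name, api_groups, resources, verbs=SCOPED_VERBS):
    """Build a ClusterRole manifest limited to explicit resources and verbs.
    Resource and API-group lists are caller-supplied assumptions."""
    if "*" in verbs or "*" in resources:
        raise ValueError("wildcards defeat the purpose of a scoped role")
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {"name": name},
        "rules": [{"apiGroups": list(api_groups),
                   "resources": list(resources),
                   "verbs": list(verbs)}],
    }


def scoped_binding(binding_name, role_name, sa_name, sa_namespace):
    """ClusterRoleBinding that points the service account at the scoped role
    instead of cluster-admin."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": binding_name},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": "ClusterRole", "name": role_name},
        "subjects": [{"kind": "ServiceAccount", "name": sa_name,
                      "namespace": sa_namespace}],
    }


if __name__ == "__main__":
    for sa in find_cluster_admin_service_accounts(SAMPLE_BINDINGS_JSON):
        print("service account bound to cluster-admin:", sa)
    # Placeholder resource list: replace with what the migrator really needs.
    role = scoped_cluster_role("svm-migrator-scoped", [""],
                               ["<resources-the-migrator-needs>"])
    print(json.dumps(role, indent=2))
    print(json.dumps(scoped_binding("svm-migrator-scoped", role["metadata"]["name"],
                                    "storage-version-migration-migrator-v2",
                                    "kube-system"), indent=2))
```

To run it against a real cluster, replace `SAMPLE_BINDINGS_JSON` with the output of `kubectl get clusterrolebindings -o json`; the audit function only reads the `roleRef` and `subjects` fields, so the rest of the object is ignored.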