Use finegrained kubelet API authorization

[vinayakankugoyal]

Granting nodes/proxy with even the get verb can be used by attackers to gain privileges. This risk has been highlighted in the kubernetes documentation in https://kubernetes.io/docs/concepts/security/rbac-good-practices/#access-to-proxy-subresource-of-nodes and https://kubernetes.io/docs/concepts/security/api-server-bypass-risks/#kubelet-api and more recently in - https://grahamhelton.com/blog/nodes-proxy-rce.

We found the following instances of nodes/proxy being used in this repository

https://github.com/search?q=%22nodes%2Fproxy%22+repo%3Akubernetes-sigs%2Fblob-csi-driver&type=code

Please update the workloads to use fine-grained kubelet API authorization KEP and replace nodes/proxy with more fine-grained permissions. See this link for how to update your RBAC config.

[vinayakankugoyal]

cc @andyzhangx

[andyzhangx]

@vinayakankugoyal what actions need to do for this repo? do you have the link where permissions are not correctly set?

[liggitt]

removing the nodes/proxy permission from the manifest in deploy/example/metrics/prometheus-setup.yaml (or switching it to nodes/metrics if prometheus is talking directly to kubelets) is what we're looking for