API Security Blog

GHSA-7M6V-Q233-Q9J9 Minio Operator uses Kubernetes apiserver audience for AssumeRoleWithWebIdentity STS

Prevent token leakage / privilege escalation

MinIO Operator STS: A Quick Overview

MinIO Operator STS is a native IAM authentication mechanism for Kubernetes. MinIO Operator offers support for Secure Tokens (a.k.a. STS), which are a form of temporary access credentials for your MinIO Tenant. In essence, this allows you to control access to your MinIO Tenant from your applications without having to explicitly create credentials for each application.

For an application to gain access to a MinIO Tenant, a PolicyBinding resource is required, granting explicit access to the application by validating the Kubernetes Service Account authorization token. The service account token is validated as follows:

1. The application calls the AssumeRoleWithWebIdentity API that MinIO Operator provides.
2. MinIO Operator verifies the Service Account token against the Kubernetes API using the TokenReview API.
3. MinIO Operator reviews the TokenReviewResult, which confirms whether the token is valid and the user is authenticated.
4. MinIO Operator validates that the service account has a PolicyBinding in the Tenant namespace.
5. MinIO Operator gets the PolicyBinding.
6. MinIO Operator calls the AssumeRole API in the MinIO Tenant.
7. MinIO Operator obtains temporary credentials (STS).
8. MinIO Operator returns the temporary credentials to the requesting application.
9. The application consumes Object Storage using the temporary credentials.

Understanding Audiences in Kubernetes TokenReview

In step 2 the TokenReview API call attempts to authenticate a token…
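The following is an added example, not code from the advisory or from the MinIO Operator project, showing the audience handling that step 2 above needs: the TokenReview request names a dedicated audience, and the result is accepted only if the apiserver echoes that audience back in status.audiences (an authenticated result with an empty list means the token is valid only for the apiserver's own audience). The audience string, the sample responses and the function names are assumptions made for the example.

```python
from __future__ import annotations

from typing import Any, Optional

# Assumed dedicated audience for the STS endpoint; a placeholder, not a value
# taken from the advisory or from the Operator.
STS_AUDIENCE = "sts.example.internal"


def build_token_review(token: str, audience: str = STS_AUDIENCE) -> dict[str, Any]:
    """Request body for POST /apis/authentication.k8s.io/v1/tokenreviews.

    spec.audiences names the audience the token must have been minted for.
    Omitting it asks the apiserver to check the token against its own
    audience, so any ordinary pod token would pass: the weak configuration
    behind this advisory.
    """
    return {
        "apiVersion": "authentication.k8s.io/v1",
        "kind": "TokenReview",
        "spec": {"token": token, "audiences": [audience]},
    }


def token_review_ok(review: dict[str, Any], audience: str = STS_AUDIENCE) -> bool:
    """Accept only an authenticated token whose validated audiences include ours.

    status.audiences is the intersection of spec.audiences and the token's own
    audiences. Authenticated but empty means "valid for the apiserver audience
    only", which must be rejected for an STS exchange.
    """
    status = review.get("status") or {}
    if status.get("error") or not status.get("authenticated"):
        return False
    return audience in (status.get("audiences") or [])


def service_account_of(review: dict[str, Any]) -> Optional[tuple[str, str]]:
    """(namespace, name) from 'system:serviceaccount:<ns>:<name>', else None.

    This is the pair the Operator needs to look up the PolicyBinding (step 4).
    """
    user = (review.get("status") or {}).get("user") or {}
    parts = user.get("username", "").split(":")
    if len(parts) != 4 or parts[:2] != ["system", "serviceaccount"]:
        return None
    return parts[2], parts[3]


# Constructed sample responses, not captured from a real cluster.
GOOD_REVIEW = {"status": {"authenticated": True, "audiences": [STS_AUDIENCE],
                          "user": {"username": "system:serviceaccount:app-ns:uploader"}}}
# A default pod token reviewed without spec.audiences: authenticated, but only
# for the apiserver audience, so status.audiences comes back empty.
DEFAULT_TOKEN_REVIEW = {"status": {"authenticated": True, "audiences": [],
                                   "user": {"username": "system:serviceaccount:app-ns:uploader"}}}
```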
