Headline
GHSA-w54x-r83c-x79q: Pepr Has Overly Permissive RBAC ClusterRole in Admin Mode
Severity: LOW
Target: /workspace/pepr/src/lib/assets/rbac.ts
Endpoint: Kubernetes RBAC configuration
Method: Deployment
Response / Rationale
Pepr defaults to rbacMode: "admin" because the initial experience is designed to be frictionless for new users. This mode ensures that users can deploy and run the default hello-pepr.ts module without needing to understand or pre-configure RBAC rules.
It’s important to note that hello-pepr.ts is intended strictly as a demo to showcase Pepr features and workflow. It is not intended for production use, and the documentation explicitly calls out that admin RBAC should not be used in production environments.
That said, a user who skips the documentation and does not review the npx pepr build options can deploy a module with far broader privileges than it needs.
We consider this low severity because Pepr is a framework: the module author is ultimately responsible for selecting the appropriate RBAC scope for their module and environment, since each module has different RBAC needs.
Our security focus is on ensuring that the Pepr controller and runtime components operate securely within Kubernetes, while still allowing developers the flexibility to build modules with the access they require.
To address this, Pepr will warn in its logs that the default ClusterRole is equivalent to cluster-admin and is not recommended for production.
How this can be exploited
The weakness is realized whenever a module is built in the default admin RBAC mode (a plain npx pepr build) and deployed: the generated ClusterRole grants cluster-admin-equivalent access, so any code in the module, and anyone who compromises the module's Pod or obtains its ServiceAccount token, holds that access cluster-wide. Building with npx pepr build --rbac-mode=scoped instead limits the ClusterRole to what the module declares.
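As an added example of the pre-deployment check a practitioner would run (this is not code from Pepr or its maintainers), the TypeScript below audits a ClusterRole manifest, in the shape returned by kubectl get clusterrole NAME -o json or found in the build output, for cluster-admin-equivalent grants. It goes beyond the wildcard rule the advisory describes and also flags the bind/escalate/impersonate verbs and unrestricted cluster-wide reads of Secrets, which are cluster-admin in practice. The two sample roles are constructed for this example: the admin-mode sample mirrors the all-wildcards shape admin mode produces, and the scoped sample is a hypothetical module's grants (the pepr.dev/peprstores rule is an assumption, not copied from the generator).

```typescript
// Added audit example (not Pepr's own code): decide whether a ClusterRole, such as
// the one `npx pepr build` emits in its default rbacMode "admin", is effectively
// cluster-admin. Input is the standard Kubernetes RBAC ClusterRole shape.

interface PolicyRule {
  apiGroups?: string[];
  resources?: string[];
  verbs?: string[];
  resourceNames?: string[];
}

interface ClusterRole {
  kind: "ClusterRole";
  metadata: { name: string };
  rules: PolicyRule[];
}

// Verbs that let a subject widen its own privileges past what the role lists.
const ESCALATION_VERBS = new Set(["bind", "escalate", "impersonate"]);
const MUTATING_VERBS = new Set(["create", "update", "patch", "delete", "deletecollection"]);
const READ_VERBS = new Set(["get", "list", "watch", "*"]);

function isWildcard(list: string[] | undefined): boolean {
  return (list ?? []).includes("*");
}

/** Lists the reasons a ClusterRole is cluster-admin-equivalent; an empty list means none were found. */
function auditClusterRole(role: ClusterRole): string[] {
  const findings: string[] = [];
  role.rules.forEach((rule, i) => {
    const verbs = rule.verbs ?? [];
    // `*` on apiGroups and resources plus any write verb (or `*`) is full control of everything.
    if (
      isWildcard(rule.apiGroups) &&
      isWildcard(rule.resources) &&
      (isWildcard(rule.verbs) || verbs.some((verb) => MUTATING_VERBS.has(verb)))
    ) {
      findings.push(`rule[${i}]: wildcard apiGroups and resources with mutating verbs (equivalent to cluster-admin)`);
      return; // nothing narrower is worth reporting for this rule
    }
    for (const verb of verbs.filter((v) => ESCALATION_VERBS.has(v))) {
      findings.push(`rule[${i}]: verb "${verb}" permits privilege escalation`);
    }
    // Reading Secrets cluster-wide yields every ServiceAccount token and TLS key in the cluster.
    const readsAllSecrets =
      (isWildcard(rule.resources) || (rule.resources ?? []).includes("secrets")) &&
      !(rule.resourceNames?.length) &&
      verbs.some((verb) => READ_VERBS.has(verb));
    if (readsAllSecrets) {
      findings.push(`rule[${i}]: unrestricted read of Secrets across the cluster`);
    }
  });
  return findings;
}

function isClusterAdminEquivalent(role: ClusterRole): boolean {
  return auditClusterRole(role).length > 0;
}

// Constructed sample: the shape admin mode produces (everything, everywhere).
const adminModeRole: ClusterRole = {
  kind: "ClusterRole",
  metadata: { name: "pepr-example-admin" },
  rules: [{ apiGroups: ["*"], resources: ["*"], verbs: ["*"] }],
};

// Constructed sample: a scoped role for a hypothetical module that watches ConfigMaps and
// persists state in its Pepr store (the pepr.dev group and peprstores resource are assumed).
const scopedRole: ClusterRole = {
  kind: "ClusterRole",
  metadata: { name: "pepr-example-scoped" },
  rules: [
    { apiGroups: [""], resources: ["configmaps"], verbs: ["get", "list", "watch"] },
    { apiGroups: ["pepr.dev"], resources: ["peprstores"], verbs: ["create", "get", "patch", "update", "watch"] },
  ],
};

for (const role of [adminModeRole, scopedRole]) {
  const findings = auditClusterRole(role);
  console.log(`${role.metadata.name}: ${findings.length === 0 ? "ok" : findings.join("; ")}`);
}
```

Running the audit against the manifests produced by npx pepr build and by npx pepr build --rbac-mode=scoped makes the difference between the two modes concrete before anything is applied to a cluster; the admin-mode role is reported, the scoped one is not.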
References
- GHSA-w54x-r83c-x79q
- https://github.com/defenseunicorns/pepr/releases/tag/v1.0.4