CVE: RBAC Roles for etcd created by Kamaji are not disjunct

[prometherion]

Publicly sharing a CVE in which all versions of Kamaji are affected: GHSA-6r4j-4rjc-8vw5

This CVE affects all installations with the following conditions:

• Tenant Control Planes backed by etcd
• running more Tenant Control Plane in the same Datastore
• users being able to modify their Tenant Control Plane managed resources or being able to use the etcd certificates to spin up a connection to the Datastore and potentially extract the other Tenants' name

Although the perimeter of the CVE is pretty narrow we ranked the CVE as HIGH.

CLASTIX is the company maintaining and keeping Kamaji Open Source: since v1.0.0 we don't offer any more stable release artefacts. If you're running in production we strongly suggest you consider buying a commercial license which provides:

• support
• features prioritisation
• CVE remediation plan
• private office hours
• stable Helm Chart and Container images

You can learn more from CLASTIX website support page

A special kudo to @SimonKienzler for discovering this CVE and providing help in designing a remediation for it! 🎉