Effect of having `Nodes/Proxy` GET Permission in node-feature-discovery clusterrole

[dttung2905]

Describe the bug

Hi team, There has been an article posted online about how such permission can lead to potential RCE
https://grahamhelton.com/blog/nodes-proxy-rce
I found that we do have such permission here

gpu-operator/deployments/gpu-operator/charts/node-feature-discovery/templates/clusterrole.yaml

Lines 85 to 87 in a846cef

	- nodes/proxy
	verbs:
	- get

Is it safe to just delete this permission without affecting the current functionality of NFD?
If it is safe to do so, I can follow up with a PR to delete it

To Reproduce

Expected behavior

Environment (please provide the following information):

[cdesiniotis]

@dttung2905 I would recommend raising this question in https://github.com/kubernetes-sigs/node-feature-discovery as this is NFD's clusterrole object. Closing this issue as it does not have to do with gpu-operator.

[dttung2905]

Hi @cdesiniotis , thanks for the quick reply. I have asked the same question in the NFD repo. IIn my opinion, it is best to keep this issue open because the link I mention is in GPU-operator helm chart. Wdyt?

[cdesiniotis]

Sure, reopening this issue. We can close once we upgrade to a version of NFD that has a fix for kubernetes-sigs/node-feature-discovery#2424