VYPR
High severity (8.8) · GHSA Advisory · Published Nov 12, 2025 · Updated Apr 15, 2026

CVE-2025-2843


Description

A flaw was found in the Observability Operator. When a namespace-scoped MonitoringStack custom resource is deployed, the Operator creates ServiceAccounts for it and binds them to a ClusterRole through a ClusterRoleBinding, so those ServiceAccounts hold cluster-wide permissions even though the resource that triggered them is confined to one namespace. A Kubernetes account with only namespace-level roles, for example a tenant controlling a single namespace, can create a MonitoringStack in that namespace and then act as the ServiceAccount the Operator created (anyone able to create pods or request ServiceAccount tokens in a namespace can act as that namespace's ServiceAccounts), elevating its access from the namespace to the cluster. The result is privilege escalation, together with whatever else the bound ClusterRole permits.
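As an added example (not code from the advisory or from the operator project), the following Go program audits a snapshot of RBAC objects for exactly the pattern described above: namespaced rights that let a principal assume a ServiceAccount which in turn is the subject of a ClusterRoleBinding. It generalises beyond this operator to any ClusterRoleBinding whose subject lives in a tenant namespace. The RBAC types are a trimmed stand-in for the real API objects, and every name in the embedded sample (tenant-a, team-a, developer, prometheus-ms, alertmanager-ms, prometheus-discovery, platform-monitoring) is a constructed placeholder, not one of the operator's actual object names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"slices"
	"sort"
)

// Trimmed-down RBAC model for this added example (not k8s.io/api): only the
// fields the check needs. A Binding with an empty Namespace is a ClusterRoleBinding.
type (
	Subject struct {
		Kind      string `json:"kind"`
		Name      string `json:"name"`
		Namespace string `json:"namespace,omitempty"`
	}
	Rule struct {
		Verbs     []string `json:"verbs"`
		Resources []string `json:"resources"`
	}
	Binding struct {
		Name      string    `json:"name"`
		Namespace string    `json:"namespace,omitempty"`
		RoleRef   string    `json:"roleRef"`
		Subjects  []Subject `json:"subjects"`
	}
	Snapshot struct {
		Roles    map[string][]Rule `json:"roles"` // role name -> rules (Roles and ClusterRoles together)
		Bindings []Binding         `json:"bindings"`
	}
	Finding struct{ Namespace, ServiceAccount, ClusterRoleBinding, ClusterRole string } // SA the principal can assume, plus its cluster-wide binding
)

// SampleSnapshot is constructed data: tenant-a has a namespaced developer role in team-a, where a
// MonitoringStack-style deployment left two ServiceAccounts bound to a ClusterRole. All names are placeholders.
const SampleSnapshot = `{
 "roles": {
  "developer":            [{"verbs": ["get","list","create","delete"], "resources": ["pods","deployments"]}],
  "prometheus-discovery": [{"verbs": ["list","watch"], "resources": ["pods","services","endpoints"]}],
  "monitoring-admin":     [{"verbs": ["*"], "resources": ["*"]}]},
 "bindings": [
  {"name": "team-a-dev", "namespace": "team-a", "roleRef": "developer", "subjects": [{"kind": "User", "name": "tenant-a"}]},
  {"name": "ms-team-a-prometheus", "roleRef": "prometheus-discovery", "subjects": [{"kind": "ServiceAccount", "name": "prometheus-ms", "namespace": "team-a"}]},
  {"name": "ms-team-a-alertmanager", "roleRef": "prometheus-discovery", "subjects": [{"kind": "ServiceAccount", "name": "alertmanager-ms", "namespace": "team-a"}]},
  {"name": "platform-monitoring", "roleRef": "monitoring-admin", "subjects": [{"kind": "ServiceAccount", "name": "prometheus-ms", "namespace": "platform-monitoring"}]}]}`

func LoadSnapshot(data string) (Snapshot, error) {
	var s Snapshot
	return s, json.Unmarshal([]byte(data), &s)
}

// allows reports whether rules grant verb on resource; "*" matches anything.
func allows(rules []Rule, verb, resource string) bool {
	for _, r := range rules {
		if (slices.Contains(r.Verbs, verb) || slices.Contains(r.Verbs, "*")) &&
			(slices.Contains(r.Resources, resource) || slices.Contains(r.Resources, "*")) {
			return true
		}
	}
	return false
}

// assumable returns the namespaces in which the principal can take on any ServiceAccount: creating a pod
// with serviceAccountName set, or minting a token via serviceaccounts/token, is enough. Cluster-scoped
// grants of those verbs are already cluster-level access and are not modelled here.
func assumable(snap Snapshot, kind, name string) map[string]bool {
	out := map[string]bool{}
	for _, b := range snap.Bindings {
		for _, s := range b.Subjects {
			if b.Namespace != "" && s.Kind == kind && s.Name == name &&
				(allows(snap.Roles[b.RoleRef], "create", "pods") ||
					allows(snap.Roles[b.RoleRef], "create", "serviceaccounts/token")) {
				out[b.Namespace] = true
			}
		}
	}
	return out
}

// Escalations lists every ClusterRoleBinding whose subject is a ServiceAccount the principal can assume.
func Escalations(snap Snapshot, kind, name string) []Finding {
	reach := assumable(snap, kind, name)
	var out []Finding
	for _, b := range snap.Bindings {
		for _, s := range b.Subjects {
			if b.Namespace == "" && s.Kind == "ServiceAccount" && reach[s.Namespace] {
				out = append(out, Finding{s.Namespace, s.Name, b.Name, b.RoleRef})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].ClusterRoleBinding < out[j].ClusterRoleBinding })
	return out
}

func main() {
	snap, err := LoadSnapshot(SampleSnapshot)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", Escalations(snap, "User", "tenant-a"))
}
```

Against a real cluster, replace SampleSnapshot with the Roles, ClusterRoles, RoleBindings and ClusterRoleBindings from `kubectl get ... -A -o json`, mapped into these fields. A non-empty result for a tenant principal is precisely the condition the operator's `NoClusterRoleBindings` setting is meant to remove; the platform-monitoring binding in the sample shows that a ClusterRoleBinding to a ServiceAccount in a namespace tenants cannot reach is not flagged.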

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/rhobs/observability-operator (Go)
Affected versions: < 1.3.0
Patched versions: 1.3.0

Affected products

1

Patches

1
98b927fab755

fix: add CreateClusterRoleBindings field to MonitoringStack

https://github.com/rhobs/observability-operator · Jan Fajerski · Sep 25, 2025 · via ghsa
5 files changed · +89 −1
  • bundle/manifests/monitoring.rhobs_monitoringstacks.yaml+18 0 modified
    @@ -113,6 +113,24 @@ spec:
                         - privateKey
                         type: object
                     type: object
    +              createClusterRoleBindings:
    +                default: CreateClusterRoleBindings
    +                description: |-
    +                  CreateClusterRoleBindings for a Monitoring Stack Resource
    +                  If a NamespaceSelector is given, the controller can create a
    +                  ClusterRoleBinding for the Prometheus and Alertmanager
    +                  ServiceAccounts. This allows the
    +                  ServiceAccount access to all namespaces, allowing the
    +                  ServiceDiscovery to work across namespaces out of the
    +                  box. However by impersonating this ServiceAccount a user could elevate
    +                  their access in unintended ways.
    +                  To avoid this set CreateClusterRoleBindings to NoClusterRoleBindings. Note
    +                  that admins must create the needed namespaced RoleBindings manually
    +                  so that endpoint discovery works as expected.
    +                enum:
    +                - CreateClusterRoleBindings
    +                - NoClusterRoleBindings
    +                type: string
                   logLevel:
                     default: info
                     description: Loglevel set log levels of configured components
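Review bot: the `default: CreateClusterRoleBindings` at the top of this hunk means a MonitoringStack that omits the new field, which is every object that exists today, keeps getting the ClusterRoleBinding, so the schema change on its own does not close the escalation the field's own description warns about. Either flip the default to `NoClusterRoleBindings` and accept that admins add RoleBindings for cross-namespace discovery, or say plainly in the description that the default is the permissive mode and that stacks created by tenants must set `NoClusterRoleBindings`. The phrase "the controller can create a ClusterRoleBinding" also understates it: with this default it will create one whenever a NamespaceSelector is present.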
    
  • bundle/manifests/observability-operator.clusterserviceversion.yaml+1 1 modified
    @@ -42,7 +42,7 @@ metadata:
         categories: Monitoring
         certified: "false"
         containerImage: observability-operator:1.2.0
    -    createdAt: "2025-09-12T10:59:26Z"
    +    createdAt: "2025-09-29T09:26:51Z"
         description: A Go based Kubernetes operator to setup and manage highly available
           Monitoring Stack using Prometheus, Alertmanager and Thanos Querier.
         operatorframework.io/cluster-monitoring: "true"
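Review bot: only `createdAt` changes in this hunk while `containerImage: observability-operator:1.2.0` two lines above still points at 1.2.0, although 1.3.0 is the version that carries this fix. A regenerated CSV timestamp with an unchanged image reference usually means the bundle was built against the old operator image; confirm the published bundle references an image that actually includes the new field before the release is tagged.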
    
  • deploy/crds/common/monitoring.rhobs_monitoringstacks.yaml+18 0 modified
    @@ -113,6 +113,24 @@ spec:
                         - privateKey
                         type: object
                     type: object
    +              createClusterRoleBindings:
    +                default: CreateClusterRoleBindings
    +                description: |-
    +                  CreateClusterRoleBindings for a Monitoring Stack Resource
    +                  If a NamespaceSelector is given, the controller can create a
    +                  ClusterRoleBinding for the Prometheus and Alertmanager
    +                  ServiceAccounts. This allows the
    +                  ServiceAccount access to all namespaces, allowing the
    +                  ServiceDiscovery to work across namespaces out of the
    +                  box. However by impersonating this ServiceAccount a user could elevate
    +                  their access in unintended ways.
    +                  To avoid this set CreateClusterRoleBindings to NoClusterRoleBindings. Note
    +                  that admins must create the needed namespaced RoleBindings manually
    +                  so that endpoint discovery works as expected.
    +                enum:
    +                - CreateClusterRoleBindings
    +                - NoClusterRoleBindings
    +                type: string
                   logLevel:
                     default: info
                     description: Loglevel set log levels of configured components
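Review bot: the description in this hunk tells an admin that the ClusterRoleBinding gives the ServiceAccounts "access to all namespaces" but not what that access is, and the choice between the two enum values cannot be made sensibly without knowing which ClusterRole is bound and which verbs and resources it carries. List them here (this copy and the bundle copy are generated from the same Go comment, so the edit belongs in types.go), and name the Role an admin is expected to bind manually under `NoClusterRoleBindings`, so that the manual RoleBindings are least-privilege rather than a per-namespace copy of the ClusterRole.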
    
  • docs/api.md+20 0 modified
    @@ -96,6 +96,26 @@ MonitoringStackSpec is the specification for desired Monitoring Stack
                 <i>Default</i>: map[disabled:false]<br/>
             </td>
             <td>false</td>
    +      </tr><tr>
    +        <td><b>createClusterRoleBindings</b></td>
    +        <td>enum</td>
    +        <td>
    +          CreateClusterRoleBindings for a Monitoring Stack Resource
    +If a NamespaceSelector is given, the controller can create a
    +ClusterRoleBinding for the Prometheus and Alertmanager
    +ServiceAccounts. This allows the
    +ServiceAccount access to all namespaces, allowing the
    +ServiceDiscovery to work across namespaces out of the
    +box. However by impersonating this ServiceAccount a user could elevate
    +their access in unintended ways.
    +To avoid this set CreateClusterRoleBindings to NoClusterRoleBindings. Note
    +that admins must create the needed namespaced RoleBindings manually
    +so that endpoint discovery works as expected.<br/>
    +          <br/>
    +            <i>Enum</i>: CreateClusterRoleBindings, NoClusterRoleBindings<br/>
    +            <i>Default</i>: CreateClusterRoleBindings<br/>
    +        </td>
    +        <td>false</td>
           </tr><tr>
             <td><b>logLevel</b></td>
             <td>enum</td>
    
  • pkg/apis/monitoring/v1alpha1/types.go+32 0 modified
    @@ -52,6 +52,23 @@ const (
     	Error LogLevel = "error"
     )
     
    +// +kubebuilder:validation:Enum=CreateClusterRoleBindings;NoClusterRoleBindings
    +type ClusterRoleBindingPolicy string
    +
    +const (
    +	// CreateClusterRoleBindings instructs the MonitoringStack to create the
    +	// default ClusterRoleBindings if a NamespaceSelector is present. Note that
    +	// this allows user who can access the Prometheus or Alertmanager
    +	// ServiceAccounts to possibly elevate their priviledges.
    +	CreateClusterRoleBindings ClusterRoleBindingPolicy = "CreateClusterRoleBindings"
    +
    +	// NoClusterRoleBindings instructs the MonitoringStack controller to _not_
    +	// create any ClusterRoleBindings. If the MonitoringStack is configured with
    +	// a NamespaceSelector, admin users will have to create the appropriate
    +	// RoleBindings to allow access to the desired namespaces.
    +	NoClusterRoleBindings ClusterRoleBindingPolicy = "NoClusterRoleBindings"
    +)
    +
     // MonitoringStackSpec is the specification for desired Monitoring Stack
     type MonitoringStackSpec struct {
     	// +optional
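Review bot: typo and grammar in the `CreateClusterRoleBindings` comment: "priviledges" should be "privileges", and "this allows user who can access the Prometheus or Alertmanager ServiceAccounts to possibly elevate their priviledges" reads better as "this lets any user who can act as the Prometheus or Alertmanager ServiceAccounts elevate their privileges". The constant comments are also the only place that says the bindings are created only "if a NamespaceSelector is present"; the field doc below should state that condition the same way so the two do not drift.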
    @@ -71,6 +88,21 @@ type MonitoringStackSpec struct {
     	// +optional
     	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
     
    +	// CreateClusterRoleBindings for a Monitoring Stack Resource
    +	// If a NamespaceSelector is given, the controller can create a
    +	// ClusterRoleBinding for the Prometheus and Alertmanager
    +	// ServiceAccounts. This allows the
    +	// ServiceAccount access to all namespaces, allowing the
    +	// ServiceDiscovery to work across namespaces out of the
    +	// box. However by impersonating this ServiceAccount a user could elevate
    +	// their access in unintended ways.
    +	// To avoid this set CreateClusterRoleBindings to NoClusterRoleBindings. Note
    +	// that admins must create the needed namespaced RoleBindings manually
    +	// so that endpoint discovery works as expected.
    +	// +kubebuilder:default="CreateClusterRoleBindings"
    +	// +optional
    +	CreateClusterRoleBindings ClusterRoleBindingPolicy `json:"createClusterRoleBindings,omitempty"`
    +
     	// Time duration to retain data for. Default is '120h',
     	// and must match the regular expression `[0-9]+(ms|s|m|h|d|w|y)` (milliseconds seconds minutes hours days weeks years).
     	// +kubebuilder:default="120h"
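Review bot: the field is declared here with `+kubebuilder:default="CreateClusterRoleBindings"`, but none of the five files in this change is controller code, so nothing in the diff reads `CreateClusterRoleBindings`; as it stands, setting `NoClusterRoleBindings` is accepted by the API server and has no effect. The reconciler change that skips, and ideally removes, the ClusterRoleBindings when the policy is `NoClusterRoleBindings` needs to land in the same release, and a test that creates a MonitoringStack with a NamespaceSelector under each policy value and asserts on the resulting ClusterRoleBindings would keep the field from silently becoming a no-op again.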
    


References

7
