From cb5b699383afab126a3db82f1b9fc5d3a2a32aef Mon Sep 17 00:00:00 2001
From: Nic Cope
Date: Mon, 5 Oct 2020 23:52:22 -0700
Subject: [PATCH] Run with fewer privileges

This commit updates the Helm chart to avoid running as cluster-admin. Instead, the controller runs only with the privileges it needs 'out of the box'; i.e. to manage all core OAM types, as well as deployments and services. The commit also includes a few small chart hygiene fixes; i.e. ensuring that names will not collide when multiple releases exist in the same cluster, and that all resources include the standard labels.

Signed-off-by: Nic Cope
---
 .../templates/oam-controller.yaml | 57 ++++++++++++++++---
 1 file changed, 49 insertions(+), 8 deletions(-)

diff --git a/charts/oam-kubernetes-runtime/templates/oam-controller.yaml b/charts/oam-kubernetes-runtime/templates/oam-controller.yaml
index 02ac7751..72bb3b6c 100644
--- a/charts/oam-kubernetes-runtime/templates/oam-controller.yaml
+++ b/charts/oam-kubernetes-runtime/templates/oam-controller.yaml
@@ -4,19 +4,58 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: {{ include "oam-kubernetes-runtime.serviceAccountName" . }}
- labels:
- {{ include "oam-kubernetes-runtime.labels" . | nindent 4 }}
- {{- end }}
+ labels: {{ include "oam-kubernetes-runtime.labels" . | nindent 4 }}
+{{- end }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "oam-kubernetes-runtime.fullname" . }}
+ labels: {{ include "oam-kubernetes-runtime.labels" . | nindent 4 }}
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ rbac.oam.dev/aggregate-to-controller: "true"
+
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "oam-kubernetes-runtime.fullname" . }}:system:aggregate-to-controller
+ labels: {{ include "oam-kubernetes-runtime.labels" . | nindent 4 }}
+ labels:
+ rbac.oam.dev/aggregate-to-controller: "true"
+rules:
+- apiGroups:
+ - core.oam.dev
+ resources:
+ - "*"
+ verbs:
+ - "*"
+- apiGroups:
+ - apps
+ resources:
+ - deployment
+ verbs:
+ - "*"
+- apiGroups:
+ - ""
+ resources:
+ - service
+ verbs:
+ - "*"
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: manager-rolebinding
+ name: {{ include "oam-kubernetes-runtime.fullname" . }}
+ labels: {{ include "oam-kubernetes-runtime.labels" . | nindent 4 }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: "cluster-admin"
+ name: {{ include "oam-kubernetes-runtime.fullname" . }}
 subjects:
 - kind: ServiceAccount
 name: {{ include "oam-kubernetes-runtime.serviceAccountName" . }}
@@ -27,7 +66,8 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
- name: leader-election-role
+ name: {{ include "oam-kubernetes-runtime.fullname" . }}-leader-election
+ labels: {{ include "oam-kubernetes-runtime.labels" . | nindent 4 }}
 rules:
 - apiGroups:
 - ""
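Review bot: The `:system:aggregate-to-controller` ClusterRole declares `labels:` twice under `metadata`, once with the standard chart labels and once with `rbac.oam.dev/aggregate-to-controller: "true"`; duplicate mapping keys are invalid YAML and most loaders silently keep only the last one, so depending on the parser either the aggregation label is dropped (and the controller is bound to an aggregated ClusterRole that never receives any rules) or the standard labels are lost. Merge them into one mapping, e.g. `labels: {{ include "oam-kubernetes-runtime.labels" . | nindent 4 }}` followed on the next line by `    rbac.oam.dev/aggregate-to-controller: "true"` at the same indent as the included labels. The `apps` and core-group rules also name their resources in the singular (`deployment`, `service`); RBAC matches the plural resource names as served by the API (`deployments`, `services`), so as written the controller would be denied on exactly the two workload types the commit intends to grant. Since any ClusterRole carrying the aggregation label extends the controller's effective permissions, a short comment next to `aggregationRule` saying so, e.g. `# Rules are aggregated from every ClusterRole labelled rbac.oam.dev/aggregate-to-controller=true`, would help future readers see where the bound privileges come from.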
@@ -60,11 +100,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
- name: leader-election-rolebinding
+ name: {{ include "oam-kubernetes-runtime.fullname" . }}-leader-election
+ labels: {{ include "oam-kubernetes-runtime.labels" . | nindent 4 }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
- name: leader-election-role
+ name: {{ include "oam-kubernetes-runtime.fullname" . }}-leader-election
 subjects:
 - kind: ServiceAccount
 name: {{ include "oam-kubernetes-runtime.serviceAccountName" . }}