Merge pull request #465 from nestorsalceda/falco-aws-permissions-fix

Fix AWS permissions for Kubernetes Response Engine
2025-09-07 01:30:13 +00:00 · 2018-11-20 10:11:00 +01:00
parent d1329af3bd 1308d7fc35
commit 21f16f0cb0
11 changed files with 83 additions and 14 deletions
--- a/integrations/kubernetes-response-engine/deployment/aws/.gitignore
+++ b/integrations/kubernetes-response-engine/deployment/aws/.gitignore
@@ -1,4 +1,4 @@
 .terraform/*
 .terraform.*
 terraform.*
-*.yaml
+aws-auth-patch.yml
--- a/integrations/kubernetes-response-engine/deployment/aws/Makefile
+++ b/integrations/kubernetes-response-engine/deployment/aws/Makefile
@@ -1,11 +1,17 @@
-all: create configure
+deploy: rbac create configure
+
+rbac:
+	kubectl apply -f cluster-role.yaml
+	kubectl apply -f cluster-role-binding.yaml

 create:
-	terraform apply
+	terraform apply -auto-approve

 configure:
 	kubectl get -n kube-system configmap/aws-auth -o yaml | awk "/mapRoles: \|/{print;print \"$(shell terraform output patch_for_aws_auth)\";next}1" > aws-auth-patch.yml
 	kubectl -n kube-system replace -f aws-auth-patch.yml

 clean:
-	terraform destroy
+	terraform destroy -force
+	kubectl delete -f cluster-role-binding.yaml
+	kubectl delete -f cluster-role.yaml
--- a/integrations/kubernetes-response-engine/deployment/aws/cluster-role-binding.yaml
+++ b/integrations/kubernetes-response-engine/deployment/aws/cluster-role-binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: kubernetes-response-engine-cluster-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kubernetes-response-engine-cluster-role
+subjects:
+- kind: User
+  apiGroup: rbac.authorization.k8s.io
+  name: kubernetes-response-engine
--- a/integrations/kubernetes-response-engine/deployment/aws/cluster-role.yaml
+++ b/integrations/kubernetes-response-engine/deployment/aws/cluster-role.yaml
@@ -0,0 +1,25 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: kubernetes-response-engine-cluster-role
+rules:
+  - apiGroups:
+    - ""
+    resources:
+      - pods
+    verbs:
+      - delete
+      - list
+      - patch
+  - apiGroups:
+    - ""
+    resources:
+      - nodes
+    verbs:
+      - patch
+  - apiGroups:
+      - batch
+    resources:
+      - jobs
+    verbs:
+      - create
--- a/integrations/kubernetes-response-engine/deployment/aws/lambda.tf
+++ b/integrations/kubernetes-response-engine/deployment/aws/lambda.tf
@@ -1,3 +1,7 @@
+resource "aws_iam_user" "kubernetes-response-engine-user" {
+  name = "kubernetes_response_engine"
+}
+
 resource "aws_iam_role" "iam-for-lambda" {
  name = "iam_for_lambda"

@@ -9,7 +13,7 @@ resource "aws_iam_role" "iam-for-lambda" {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com",
-        "AWS": "${var.iam-user-arn}"
+        "AWS": "${aws_iam_user.kubernetes-response-engine-user.arn}"
      },
      "Effect": "Allow",
      "Sid": ""
--- a/integrations/kubernetes-response-engine/deployment/aws/outputs.tf
+++ b/integrations/kubernetes-response-engine/deployment/aws/outputs.tf
@@ -1,7 +1,7 @@
 locals {
  patch_for_aws_auth = <<CONFIGMAPAWSAUTH
    - rolearn: ${aws_iam_role.iam-for-lambda.arn}\n
-     username: kubernetes-admin\n
+     username: kubernetes-response-engine\n
     groups:\n
       - system:masters
 CONFIGMAPAWSAUTH
--- a/integrations/kubernetes-response-engine/deployment/aws/variables.tf
+++ b/integrations/kubernetes-response-engine/deployment/aws/variables.tf
@@ -1,3 +0,0 @@
-variable "iam-user-arn" {
-  type    = "string"
-}
--- a/integrations/kubernetes-response-engine/deployment/cncf/Makefile
+++ b/integrations/kubernetes-response-engine/deployment/cncf/Makefile
@@ -1,7 +1,6 @@
 deploy:
 	kubectl apply -f nats/
 	kubectl apply -f kubeless/
-	kubectl apply -f network-policy.yaml
 	kubectl apply -f .

 clean:
--- a/integrations/kubernetes-response-engine/deployment/cncf/cluster-role-binding.yaml
+++ b/integrations/kubernetes-response-engine/deployment/cncf/cluster-role-binding.yaml
@@ -1,12 +1,13 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
-  name: sysdig-kubeless
+  name: kubernetes-response-engine-cluster-role-binding
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
-  name: cluster-admin
+  name: kubernetes-response-engine-cluster-role
 subjects:
 - kind: ServiceAccount
  name: default
  namespace: default
+  apiGroup: rbac.authorization.k8s.io
--- a/integrations/kubernetes-response-engine/deployment/cncf/cluster-role.yaml
+++ b/integrations/kubernetes-response-engine/deployment/cncf/cluster-role.yaml
@@ -0,0 +1,25 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: kubernetes-response-engine-cluster-role
+rules:
+  - apiGroups:
+    - ""
+    resources:
+      - pods
+    verbs:
+      - delete
+      - list
+      - patch
+  - apiGroups:
+    - ""
+    resources:
+      - nodes
+    verbs:
+      - patch
+  - apiGroups:
+      - batch
+    resources:
+      - jobs
+    verbs:
+      - create
--- a/integrations/kubernetes-response-engine/playbooks/deploy_playbook_aws
+++ b/integrations/kubernetes-response-engine/playbooks/deploy_playbook_aws
@@ -16,7 +16,7 @@ You must pass the playbook and at least one topic to subscribe.

 Example:

-deploy_playbook -p slack -t "falco.error.*" -e SLACK_WEBHOOK_URL=http://foobar.com/... -k sysdig_eks
+deploy_playbook -p slack -e SLACK_WEBHOOK_URL=http://foobar.com/... -k sysdig_eks
 EOF
  exit 1
 }
@@ -27,7 +27,7 @@ playbook=""
 environment=("KUBECONFIG=kubeconfig" "KUBERNETES_LOAD_KUBE_CONFIG=1")
 eks_cluster="${EKS_CLUSTER}"

-while getopts "r:e:t:" arg; do
+while getopts "p:e:k:" arg; do
  case $arg in
    p)
      playbook="${OPTARG}"