Merge pull request #465 from nestorsalceda/falco-aws-permissions-fix

Fix AWS permissions for Kubernetes Response Engine
2025-09-08 18:19:30 +00:00 · 2018-11-20 10:11:00 +01:00
parent d1329af3bd 1308d7fc35
commit 21f16f0cb0
11 changed files with 83 additions and 14 deletions
--- a/integrations/kubernetes-response-engine/deployment/aws/.gitignore
+++ b/integrations/kubernetes-response-engine/deployment/aws/.gitignore
@@ -1,4 +1,4 @@
 .terraform/*
 .terraform.*
 terraform.*
-*.yaml
+aws-auth-patch.yml
--- a/integrations/kubernetes-response-engine/deployment/aws/Makefile
+++ b/integrations/kubernetes-response-engine/deployment/aws/Makefile
@@ -1,11 +1,17 @@
-all: create configure
+deploy: rbac create configure
 rbac:
 	kubectl apply -f cluster-role.yaml
 	kubectl apply -f cluster-role-binding.yaml
 create:
-	terraform apply
+	terraform apply -auto-approve
 configure:
 	kubectl get -n kube-system configmap/aws-auth -o yaml | awk "/mapRoles: \|/{print;print \"$(shell terraform output patch_for_aws_auth)\";next}1" > aws-auth-patch.yml
 	kubectl -n kube-system replace -f aws-auth-patch.yml
 clean:
-	terraform destroy
+	terraform destroy -force
 	kubectl delete -f cluster-role-binding.yaml
 	kubectl delete -f cluster-role.yaml
--- a/integrations/kubernetes-response-engine/deployment/aws/cluster-role-binding.yaml
+++ b/integrations/kubernetes-response-engine/deployment/aws/cluster-role-binding.yaml
@@ -0,0 +1,12 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: kubernetes-response-engine-cluster-role-binding
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-response-engine-cluster-role
 subjects:
 - kind: User
  apiGroup: rbac.authorization.k8s.io
  name: kubernetes-response-engine
--- a/integrations/kubernetes-response-engine/deployment/aws/cluster-role.yaml
+++ b/integrations/kubernetes-response-engine/deployment/aws/cluster-role.yaml
@@ -0,0 +1,25 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: kubernetes-response-engine-cluster-role
 rules:
  - apiGroups:
    - ""
    resources:
      - pods
    verbs:
      - delete
      - list
      - patch
  - apiGroups:
    - ""
    resources:
      - nodes
    verbs:
      - patch
  - apiGroups:
      - batch
    resources:
      - jobs
    verbs:
      - create
--- a/integrations/kubernetes-response-engine/deployment/aws/lambda.tf
+++ b/integrations/kubernetes-response-engine/deployment/aws/lambda.tf
@@ -1,3 +1,7 @@
 resource "aws_iam_user" "kubernetes-response-engine-user" {
  name = "kubernetes_response_engine"
 }
 resource "aws_iam_role" "iam-for-lambda" {
  name = "iam_for_lambda"
@@ -9,7 +13,7 @@ resource "aws_iam_role" "iam-for-lambda" {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "lambda.amazonaws.com",
-        "AWS": "${var.iam-user-arn}"
+        "AWS": "${aws_iam_user.kubernetes-response-engine-user.arn}"
      },
      "Effect": "Allow",
      "Sid": ""
--- a/integrations/kubernetes-response-engine/deployment/aws/outputs.tf
+++ b/integrations/kubernetes-response-engine/deployment/aws/outputs.tf
@@ -1,7 +1,7 @@
 locals {
  patch_for_aws_auth = <<CONFIGMAPAWSAUTH
    - rolearn: ${aws_iam_role.iam-for-lambda.arn}\n
-     username: kubernetes-admin\n
+     username: kubernetes-response-engine\n
     groups:\n
       - system:masters
 CONFIGMAPAWSAUTH
--- a/integrations/kubernetes-response-engine/deployment/aws/variables.tf
+++ b/integrations/kubernetes-response-engine/deployment/aws/variables.tf
@@ -1,3 +0,0 @@
 variable "iam-user-arn" {
  type    = "string"
 }
--- a/integrations/kubernetes-response-engine/deployment/cncf/Makefile
+++ b/integrations/kubernetes-response-engine/deployment/cncf/Makefile
@@ -1,7 +1,6 @@
 deploy:
 	kubectl apply -f nats/
 	kubectl apply -f kubeless/
 	kubectl apply -f network-policy.yaml
 	kubectl apply -f .
 clean:
--- a/integrations/kubernetes-response-engine/deployment/cncf/cluster-role-binding.yaml
+++ b/integrations/kubernetes-response-engine/deployment/cncf/cluster-role-binding.yaml
@@ -1,12 +1,13 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
-  name: sysdig-kubeless
+  name: kubernetes-response-engine-cluster-role-binding
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
-  name: cluster-admin
+  name: kubernetes-response-engine-cluster-role
 subjects:
 - kind: ServiceAccount
  name: default
  namespace: default
  apiGroup: rbac.authorization.k8s.io
--- a/integrations/kubernetes-response-engine/deployment/cncf/cluster-role.yaml
+++ b/integrations/kubernetes-response-engine/deployment/cncf/cluster-role.yaml
@@ -0,0 +1,25 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: kubernetes-response-engine-cluster-role
 rules:
  - apiGroups:
    - ""
    resources:
      - pods
    verbs:
      - delete
      - list
      - patch
  - apiGroups:
    - ""
    resources:
      - nodes
    verbs:
      - patch
  - apiGroups:
      - batch
    resources:
      - jobs
    verbs:
      - create
--- a/integrations/kubernetes-response-engine/playbooks/deploy_playbook_aws
+++ b/integrations/kubernetes-response-engine/playbooks/deploy_playbook_aws
@@ -16,7 +16,7 @@ You must pass the playbook and at least one topic to subscribe.
 Example:
-deploy_playbook -p slack -t "falco.error.*" -e SLACK_WEBHOOK_URL=http://foobar.com/... -k sysdig_eks
+deploy_playbook -p slack -e SLACK_WEBHOOK_URL=http://foobar.com/... -k sysdig_eks
 EOF
  exit 1
 }
@@ -27,7 +27,7 @@ playbook=""
 environment=("KUBECONFIG=kubeconfig" "KUBERNETES_LOAD_KUBE_CONFIG=1")
 eks_cluster="${EKS_CLUSTER}"
-while getopts "r:e:t:" arg; do
+while getopts "p:e:k:" arg; do
  case $arg in
    p)
      playbook="${OPTARG}"