github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-29 08:07:24 +00:00
Code Issues Projects Releases Wiki Activity

Honor the principle of least privilege for AWS deployment

Browse Source 
Configure needed permisssions instead of using one too permissive.
This commit is contained in:
Néstor Salceda 2018-11-09 17:44:04 +01:00
parent e321d7c8de
commit 4696519deb
5 changed files with 48 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
integrations/kubernetes-response-engine/deployment/aws/.gitignore vendored
View File

@ -1,4 +1,4 @@
.terraform/*
.terraform.*
terraform.*
*.yaml
aws-auth-patch.yml

12
integrations/kubernetes-response-engine/deployment/aws/Makefile
View File

@ -1,11 +1,17 @@
all: create configure
all: rbac create configure
rbac:
kubectl apply -f ../cluster-role.yaml
kubectl apply -f cluster-role-binding.yaml
create:
terraform apply
terraform apply -auto-approve
configure:
kubectl get -n kube-system configmap/aws-auth -o yaml | awk "/mapRoles: \|/{print;print \"$(shell terraform output patch_for_aws_auth)\";next}1" > aws-auth-patch.yml
kubectl -n kube-system replace -f aws-auth-patch.yml
clean:
terraform destroy
terraform destroy -force
kubectl delete -f cluster-role-binding.yaml
kubectl delete -f ../cluster-role.yaml

12
integrations/kubernetes-response-engine/deployment/aws/cluster-role-binding.yaml Normal file
View File

@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: kubernetes-response-engine-cluster-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kubernetes-response-engine-cluster-role
subjects:
- kind: User
apiGroup: rbac.authorization.k8s.io
name: kubernetes-response-engine

2
integrations/kubernetes-response-engine/deployment/aws/outputs.tf
View File

@ -1,7 +1,7 @@
locals {
patch_for_aws_auth = <<CONFIGMAPAWSAUTH
- rolearn: ${aws_iam_role.iam-for-lambda.arn}\n
username: kubernetes-admin\n
username: kubernetes-response-engine\n
groups:\n
- system:masters
CONFIGMAPAWSAUTH

25
integrations/kubernetes-response-engine/deployment/cluster-role.yaml Normal file
View File

@ -0,0 +1,25 @@
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kubernetes-response-engine-cluster-role
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- delete
- list
- patch
- apiGroups:
- ""
resources:
- nodes
verbs:
- patch
- apiGroups:
- batch
resources:
- jobs
verbs:
- create