From 4696519debc59b5d1409df8da4002f10f08640ed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?N=C3=A9stor=20Salceda?=
Date: Fri, 9 Nov 2018 17:44:04 +0100
Subject: [PATCH] Honor the principle of least privilege for AWS deployment

Configure needed permisssions instead of using one too permissive.
---
 .../deployment/aws/.gitignore | 2 +-
 .../deployment/aws/Makefile | 12 ++++++---
 .../deployment/aws/cluster-role-binding.yaml | 12 +++++++++
 .../deployment/aws/outputs.tf | 2 +-
 .../deployment/cluster-role.yaml | 25 +++++++++++++++++++
 5 files changed, 48 insertions(+), 5 deletions(-)
 create mode 100644 integrations/kubernetes-response-engine/deployment/aws/cluster-role-binding.yaml
 create mode 100644 integrations/kubernetes-response-engine/deployment/cluster-role.yaml

diff --git a/integrations/kubernetes-response-engine/deployment/aws/.gitignore b/integrations/kubernetes-response-engine/deployment/aws/.gitignore
index e95d270e..5b70b6d3 100644
--- a/integrations/kubernetes-response-engine/deployment/aws/.gitignore
+++ b/integrations/kubernetes-response-engine/deployment/aws/.gitignore
@@ -1,4 +1,4 @@
 .terraform/*
 .terraform.*
 terraform.*
-*.yaml
+aws-auth-patch.yml
diff --git a/integrations/kubernetes-response-engine/deployment/aws/Makefile b/integrations/kubernetes-response-engine/deployment/aws/Makefile
index ff640c9c..1f512c97 100644
--- a/integrations/kubernetes-response-engine/deployment/aws/Makefile
+++ b/integrations/kubernetes-response-engine/deployment/aws/Makefile
@@ -1,11 +1,17 @@
-all: create configure
+all: rbac create configure
+
+rbac:
+	kubectl apply -f ../cluster-role.yaml
+	kubectl apply -f cluster-role-binding.yaml
 
 create:
-	terraform apply
+	terraform apply -auto-approve
 
 configure:
 	kubectl get -n kube-system configmap/aws-auth -o yaml | awk "/mapRoles: \|/{print;print \"$(shell terraform output patch_for_aws_auth)\";next}1" > aws-auth-patch.yml
 	kubectl -n kube-system replace -f aws-auth-patch.yml
 
 clean:
-	terraform destroy
+	terraform destroy -force
+	kubectl delete -f cluster-role-binding.yaml
+	kubectl delete -f ../cluster-role.yaml
diff --git a/integrations/kubernetes-response-engine/deployment/aws/cluster-role-binding.yaml b/integrations/kubernetes-response-engine/deployment/aws/cluster-role-binding.yaml
new file mode 100644
index 00000000..5b264a23
--- /dev/null
+++ b/integrations/kubernetes-response-engine/deployment/aws/cluster-role-binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: kubernetes-response-engine-cluster-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kubernetes-response-engine-cluster-role
+subjects:
+- kind: User
+  apiGroup: rbac.authorization.k8s.io
+  name: kubernetes-response-engine
diff --git a/integrations/kubernetes-response-engine/deployment/aws/outputs.tf b/integrations/kubernetes-response-engine/deployment/aws/outputs.tf
index c793c2d2..0cbc8b98 100644
--- a/integrations/kubernetes-response-engine/deployment/aws/outputs.tf
+++ b/integrations/kubernetes-response-engine/deployment/aws/outputs.tf
@@ -1,7 +1,7 @@
 locals {
 patch_for_aws_auth = <
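Review bot: `terraform destroy -force` under clean (and `terraform apply -auto-approve` under create) removes the interactive plan confirmation, so a mistyped `make clean` now tears the deployment down with no review step; if non-interactive runs are intended, that should be stated above the target, e.g. `# clean is non-interactive: terraform destroy runs without a confirmation prompt`. clean also deletes `../cluster-role.yaml`, which lives one level above the aws directory and so looks shared with sibling deployments; if another deployment binds the same ClusterRole, removing it here breaks that one, which is presumably only safe when this is the sole consumer and deserves a comment. Because make stops on the first failing recipe line, a failed `terraform destroy` also leaves the ClusterRoleBinding and ClusterRole in place, so the two kubectl delete lines may want to run first or be prefixed with `-` so cleanup continues.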
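Review bot: The new binding declares `apiVersion: rbac.authorization.k8s.io/v1beta1`, but the stable `rbac.authorization.k8s.io/v1` API has been available since Kubernetes 1.8, so the file should use `apiVersion: rbac.authorization.k8s.io/v1` rather than a beta version slated for removal. A ClusterRoleBinding grants the `kubernetes-response-engine` user whatever `kubernetes-response-engine-cluster-role` allows in every namespace; that role is defined in `../cluster-role.yaml`, which is not in this hunk, so its verbs and resources cannot be checked here. If the engine only needs to act in particular namespaces, a namespaced RoleBinding referencing the same ClusterRole would be the tighter fit for the least-privilege goal in the commit message, and a comment above `kind:` recording why cluster scope is required would help the next reviewer.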