Honor the principle of least privilege for AWS deployment

Configure needed permisssions instead of using one too permissive.
2025-06-29 16:17:32 +00:00 · 2018-11-09 17:44:04 +01:00 · 2018-11-09 17:44:04 +01:00 · 4696519deb
commit 4696519deb
parent e321d7c8de
5 changed files with 48 additions and 5 deletions
--- a/integrations/kubernetes-response-engine/deployment/aws/.gitignore
+++ b/integrations/kubernetes-response-engine/deployment/aws/.gitignore
@ -1,4 +1,4 @@
 .terraform/*
 .terraform.*
 terraform.*
-*.yaml
+aws-auth-patch.yml
--- a/integrations/kubernetes-response-engine/deployment/aws/Makefile
+++ b/integrations/kubernetes-response-engine/deployment/aws/Makefile
@ -1,11 +1,17 @@
-all: create configure
+all: rbac create configure
 rbac:
 	kubectl apply -f ../cluster-role.yaml
 	kubectl apply -f cluster-role-binding.yaml
 create:
-	terraform apply
+	terraform apply -auto-approve
 configure:
 	kubectl get -n kube-system configmap/aws-auth -o yaml | awk "/mapRoles: \|/{print;print \"$(shell terraform output patch_for_aws_auth)\";next}1" > aws-auth-patch.yml
 	kubectl -n kube-system replace -f aws-auth-patch.yml
 clean:
-	terraform destroy
+	terraform destroy -force
 	kubectl delete -f cluster-role-binding.yaml
 	kubectl delete -f ../cluster-role.yaml
--- a/integrations/kubernetes-response-engine/deployment/aws/cluster-role-binding.yaml
+++ b/integrations/kubernetes-response-engine/deployment/aws/cluster-role-binding.yaml
@ -0,0 +1,12 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: kubernetes-response-engine-cluster-role-binding
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-response-engine-cluster-role
 subjects:
 - kind: User
  apiGroup: rbac.authorization.k8s.io
  name: kubernetes-response-engine
--- a/integrations/kubernetes-response-engine/deployment/aws/outputs.tf
+++ b/integrations/kubernetes-response-engine/deployment/aws/outputs.tf
@ -1,7 +1,7 @@
 locals {
  patch_for_aws_auth = <<CONFIGMAPAWSAUTH
    - rolearn: ${aws_iam_role.iam-for-lambda.arn}\n
-     username: kubernetes-admin\n
+     username: kubernetes-response-engine\n
     groups:\n
       - system:masters
 CONFIGMAPAWSAUTH
--- a/integrations/kubernetes-response-engine/deployment/cluster-role.yaml
+++ b/integrations/kubernetes-response-engine/deployment/cluster-role.yaml
@ -0,0 +1,25 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: kubernetes-response-engine-cluster-role
 rules:
  - apiGroups:
    - ""
    resources:
      - pods
    verbs:
      - delete
      - list
      - patch
  - apiGroups:
    - ""
    resources:
      - nodes
    verbs:
      - patch
  - apiGroups:
      - batch
    resources:
      - jobs
    verbs:
      - create