
Least privilege for Kubernetes outposts (on OpenShift) #305

Open
jennydaman opened this issue Dec 6, 2024 · 1 comment

Comments

@jennydaman

I got the Kubernetes outposts integration working on OpenShift. Setting serviceAccount.create=true doesn't work:

```
*** is attempting to grant RBAC permissions not currently held:
  {APIGroups:["apiextensions.k8s.io"], Resources:["customresourcedefinitions"], Verbs:["list"]}
  {APIGroups:["traefik.containo.us"], Resources:["middlewares"], Verbs:["get" "create" "delete" "list" "patch"]}
  {APIGroups:["traefik.io"], Resources:["middlewares"], Verbs:["get" "create" "delete" "list" "patch"]}
```

Those permissions don't seem necessary, so I manually created the ServiceAccount+Role+RoleBinding. See FNNDSC/NERC@ab7eb25#diff-d436a15e1ce6b1359f8b2ac7b0dd7b61f1a96b28a6d0de3a70c75a3fbc73f817

Things seem to be working. Would it be possible to review the rules here?

```yaml
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
      - services
      - configmaps
    verbs:
    {{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
  - apiGroups:
      - extensions
      - apps
    resources:
      - deployments
    verbs:
    {{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
    {{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
  - apiGroups:
      - traefik.containo.us
      - traefik.io
    resources:
      - middlewares
    verbs:
    {{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
  - apiGroups:
      - monitoring.coreos.com
    resources:
      - servicemonitors
    verbs:
    {{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - list
```

It would be great if unnecessary rules can be removed, and optional roles made optional via values.

@BeryJu
Member

BeryJu commented Dec 6, 2024

Those permissions are not used by the outpost container itself (that container actually does not talk to K8s at all); however, they are used by the Kubernetes integration in authentik (listing CRDs to check if traefik or prometheus operator are installed, and the respective permissions to manage those objects related to authentik).

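The error in the opening comment comes from the API server's RBAC escalation check: a Role can only be created if every (apiGroup, resource, verb) it grants is already held by the creator. The following is an added example, not authentik's code or anything from the linked chart, that replays that check offline so the trimmed Role can be compared with what the chart template emits. It assumes that `authentik-remote-cluster.api-verbs-rw` expands to the five verbs shown in the error output, and it treats the traefik rules and the CRD `list` as separately toggleable so the effect of dropping each one is visible.

```python
"""Added example: RBAC rule-coverage check for the authentik outpost Role.

Not authentik's own code. HELD_RULES is the manually created Role from the
issue with the traefik and CRD rules removed; chart_rules() rebuilds what the
chart template emits. missing() reports the (apiGroup, resource, verb) triples
the held Role does not cover, which is what the API server refuses to grant.
"""
from itertools import product

# Assumed expansion of the chart's api-verbs-rw include (taken from the error text).
RW_VERBS = ["get", "create", "delete", "list", "patch"]


def rule(groups, resources, verbs=RW_VERBS):
    """Build one PolicyRule dict in the shape used by Role manifests."""
    return {"apiGroups": list(groups), "resources": list(resources), "verbs": list(verbs)}


# Constructed input: the manually created Role, minus traefik and CRD rules.
HELD_RULES = [
    rule([""], ["secrets", "services", "configmaps"]),
    rule(["extensions", "apps"], ["deployments"]),
    rule(["extensions", "networking.k8s.io"], ["ingresses"]),
    rule(["monitoring.coreos.com"], ["servicemonitors"]),
]

# Rules that only matter for optional integrations; names are this example's own.
OPTIONAL_RULES = {
    "traefik": [rule(["traefik.containo.us", "traefik.io"], ["middlewares"])],
    "crd_probe": [rule(["apiextensions.k8s.io"], ["customresourcedefinitions"], ["list"])],
}


def chart_rules(enabled=("traefik", "crd_probe")):
    """Rules the chart would emit with the named optional integrations enabled."""
    rules = list(HELD_RULES)
    for name in enabled:
        rules += OPTIONAL_RULES[name]
    return rules


def expand(rules):
    """Flatten PolicyRules into a set of (apiGroup, resource, verb) triples."""
    return {t for r in rules for t in product(r["apiGroups"], r["resources"], r["verbs"])}


def covers(held, want):
    """True if some held triple matches `want`, honouring '*' wildcards."""
    g, res, v = want
    return any(hg in ("*", g) and hr in ("*", res) and hv in ("*", v) for hg, hr, hv in held)


def missing(held_rules, requested_rules):
    """Sorted triples in `requested_rules` that `held_rules` do not cover."""
    held = expand(held_rules)
    return sorted(t for t in expand(requested_rules) if not covers(held, t))


def format_missing(triples):
    """Collapse triples into the {APIGroups, Resources, Verbs} lines the API server prints."""
    by_key = {}
    for g, res, v in triples:
        by_key.setdefault((g, res), []).append(v)
    return [
        '{APIGroups:["%s"], Resources:["%s"], Verbs:[%s]}'
        % (g, res, " ".join('"%s"' % v for v in verbs))
        for (g, res), verbs in sorted(by_key.items())
    ]


if __name__ == "__main__":
    print("chart grants not held by the trimmed Role:")
    for line in format_missing(missing(HELD_RULES, chart_rules())):
        print("  " + line)
    print("with traefik and the CRD probe disabled:", missing(HELD_RULES, chart_rules(())))
```

To confirm the result against a live cluster rather than the reconstructed rules, the permissions a ServiceAccount actually holds can be listed with `kubectl auth can-i --list --as=system:serviceaccount:<namespace>:<serviceaccount>` and compared with the output above.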