From 973045ce8c6dd99a526a8631e6e25e3b0d6cbf93 Mon Sep 17 00:00:00 2001
From: Adnan Abdulhussein <adnan@prydoni.us>
Date: Wed, 2 May 2018 08:37:15 +0100
Subject: [PATCH] add preset RBAC roles and authorization documentation (#293)

* add preset RBAC roles and authorization documentation

- Adds a set of ClusterRoles and Roles to make it easier to bind to user accounts
- Adds a new docuemntation page for configuring Auth in Kubeapps

* small fixes in dashboard

* rename doc to access-control, link to doc from dashboard

* link to access-control doc from README

* updates the getting-started guide with auth setup

* fix screenshot title
---
 README.md                                     |   6 +-
 .../DeploymentForm/DeploymentForm.tsx         |   6 +
 .../ErrorAlert/PermissionsErrorAlert.tsx      |  10 +-
 .../src/components/LoginForm/LoginForm.tsx    |   8 +-
 .../src/components/ProvisionButton/index.tsx  |   6 +-
 docs/access-control.md                        | 177 +++++++++++++++
 docs/getting-started.md                       |  20 +-
 manifests/kubeapps.jsonnet                    |  10 +
 manifests/user-roles.jsonnet                  | 202 ++++++++++++++++++
 9 files changed, 438 insertions(+), 7 deletions(-)
 create mode 100644 docs/access-control.md
 create mode 100644 manifests/user-roles.jsonnet

diff --git a/README.md b/README.md
index 900f2a4aa37..3e85a40d017 100644
--- a/README.md
+++ b/README.md
@@ -26,9 +26,9 @@ kubeapps dashboard
 
 These commands will deploy Kubeapps in your cluster and launch a browser with the Kubeapps dashboard.
 
-![Dashboard main page](img/dashboard-login.png)
+![Dashboard login page](img/dashboard-login.png)
 
-Access to the dashboard requires authorization which is handled by Kubernetes API server. The dashboard only acts as a proxy and passes all auth information to it. In case of forbidden access corresponding warnings will be displayed in Dashboard.
+Access to the dashboard requires a Kubernetes API token to authenticate with the Kubernetes API server. Read the [Access Control](docs/access-control.md) documentation for more information on configuring users for Kubeapps.
 
 The following commands create a ServiceAccount and ClusterRoleBinding named `kubeapps-operator` which will enable the dashboard to authenticate and manage resources on the Kubernetes cluster:
 
@@ -43,6 +43,8 @@ Use the following command to reveal the authorization token that should be used
 kubectl get secret $(kubectl get serviceaccount kubeapps-operator -o jsonpath='{.secrets[].name}') -o jsonpath='{.data.token}' | base64 --decode
 ```
 
+**NOTE**: It's not recommended to create cluster-admin users for Kubeapps. Please refer to the [Access Control](docs/access-control.md) documentation to configure more fine-grained access.
+
 ![Dashboard main page](img/dashboard-home.png)
 
 To remove Kubeapps from your cluster, simply run:
diff --git a/dashboard/src/components/DeploymentForm/DeploymentForm.tsx b/dashboard/src/components/DeploymentForm/DeploymentForm.tsx
index 7778785cec9..9b790c02a79 100644
--- a/dashboard/src/components/DeploymentForm/DeploymentForm.tsx
+++ b/dashboard/src/components/DeploymentForm/DeploymentForm.tsx
@@ -22,6 +22,12 @@ const RequiredRBACRoles: IRBACRole[] = [
     resource: "helmreleases",
     verbs: ["create", "patch"],
   },
+  {
+    apiGroup: "kubeapps.com",
+    namespace: "kubeapps",
+    resource: "apprepositories",
+    verbs: ["get"],
+  },
 ];
 
 interface IDeploymentFormProps {
diff --git a/dashboard/src/components/ErrorAlert/PermissionsErrorAlert.tsx b/dashboard/src/components/ErrorAlert/PermissionsErrorAlert.tsx
index e8002848aea..0cdf4bb4621 100644
--- a/dashboard/src/components/ErrorAlert/PermissionsErrorAlert.tsx
+++ b/dashboard/src/components/ErrorAlert/PermissionsErrorAlert.tsx
@@ -25,7 +25,15 @@ class PermissionsErrorPage extends React.Component<IPermissionsErrorPage> {
           <ul className="error__permisions-list">
             {roles.map((r, i) => <PermissionsListItem key={i} namespace={namespace} role={r} />)}
           </ul>
-          <p>See the documentation for more info on access control in Kubeapps.</p>
+          <p>
+            See the documentation for more info on{" "}
+            <a
+              href="https://github.com/kubeapps/kubeapps/blob/master/docs/access-control.md"
+              target="_blank"
+            >
+              access control in Kubeapps
+            </a>.
+          </p>
         </div>
       </div>
     );
diff --git a/dashboard/src/components/LoginForm/LoginForm.tsx b/dashboard/src/components/LoginForm/LoginForm.tsx
index 6bc9935e52f..0360052e109 100644
--- a/dashboard/src/components/LoginForm/LoginForm.tsx
+++ b/dashboard/src/components/LoginForm/LoginForm.tsx
@@ -45,7 +45,13 @@ class LoginForm extends React.Component<ILoginFormProps, ILoginFormState> {
               </h2>
               <p>
                 Your cluster operator should provide you with a Kubernetes API token.{" "}
-                <a href="#">Click here</a> for more info on how to create and use Bearer Tokens.
+                <a
+                  href="https://github.com/kubeapps/kubeapps/blob/master/docs/access-control.md"
+                  target="_blank"
+                >
+                  Click here
+                </a>{" "}
+                for more info on how to create and use Bearer Tokens.
               </p>
               <div className="bg-skew__content">
                 <form onSubmit={this.handleSubmit}>
diff --git a/dashboard/src/components/ProvisionButton/index.tsx b/dashboard/src/components/ProvisionButton/index.tsx
index 8839d2f968d..bb63a0617b4 100644
--- a/dashboard/src/components/ProvisionButton/index.tsx
+++ b/dashboard/src/components/ProvisionButton/index.tsx
@@ -189,7 +189,11 @@ class ProvisionButton extends React.Component<IProvisionButtonProps, IProvisionB
         parametersObject,
       );
       if (provisioned) {
-        push(`/services/instances/ns/${namespace}/${releaseName}`);
+        push(
+          `/services/brokers/${
+            selectedClass.spec.clusterServiceBrokerName
+          }/instances/ns/${namespace}/${releaseName}`,
+        );
       } else {
         this.setState({ isProvisioning: false });
       }
diff --git a/docs/access-control.md b/docs/access-control.md
new file mode 100644
index 00000000000..c1fc36a3c45
--- /dev/null
+++ b/docs/access-control.md
@@ -0,0 +1,177 @@
+# Access Control in Kubeapps
+
+Kubeapps requires users to login with a Kubernetes API token in order to make
+requests to the Kubernetes API server as the user. This ensures that a certain
+user of Kubeapps is only permitted to view and manage applications that they
+have access to (for example, within a specific namespace). If a user does not
+have access to a particular resource, Kubeapps will display an error describing
+the required roles to access the resource.
+
+If your cluster supports [Token
+Authentication](https://kubernetes.io/docs/admin/authentication/) you may login
+with the same tokens. Alternatively, you can create Service Accounts for
+Kubeapps users. The examples below use a Service Account, as it is the most
+common scenario.
+
+## Service Accounts
+
+To create a Service Account for a user "example" in the "default" namespace, run
+the following:
+
+```
+kubectl create -n default serviceaccount example
+```
+
+To get the API token for this Service Account, run the following:
+
+```
+kubectl get -n default secret $(kubectl get -n default serviceaccount example -o jsonpath='{.secrets[].name}') -o jsonpath='{.data.token}' | base64 --decode
+```
+
+## Assigning Kubeapps User Roles
+
+Kubeapps will install a set of preset Roles and ClusterRoles in your cluster
+that you can bind to user or Service Accounts. Each Role and ClusterRole
+pertains to a certain operation within Kubeapps. This documentation describes
+the roles that should be applied to a user in order to perform operations within
+Kubeapps.
+
+### Applications
+
+#### Read access to Applications within a namespace
+
+In order to list and view Applications in a namespace, apply the
+`kubeapps-applications-read` ClusterRole in the desired namespace and the
+`kubeapps-tiller-state-read` Role in the `kubeapps` namespace:
+
+```
+kubectl create -n default rolebinding example-kubeapps-applications-read --clusterrole=kubeapps-applications-read --serviceaccount default:example
+kubectl create -n kubeapps rolebinding example-kubeapps-tiller-state-read --role=kubeapps-tiller-state-read --serviceaccount default:example
+```
+
+#### Write access to Applications within a namespace
+
+In order to create, update and delete Applications in a namespace, apply the
+`kubeapps-applications-write` ClusterRole in the desired namespace and the
+`kubeapps-repositories-read` Role in the `kubeapps` namespace:
+
+```
+kubectl create -n default rolebinding example-kubeapps-applications-write --clusterrole=kubeapps-applications-write --serviceaccount default:example
+kubectl create -n kubeapps rolebinding example-kubeapps-repositories-read --role=kubeapps-repositories-read --serviceaccount default:example
+```
+
+### Functions
+
+#### Read access to Functions within a namespace
+
+In order to list and view Functions in a namespace, apply the
+`kubeapps-functions-read` ClusterRole in the desired namespace and the
+`kubeapps-kubeless-config-read` Role in the `kubeless` namespace:
+
+```
+kubectl create -n default rolebinding example-kubeapps-functions-read --clusterrole=kubeapps-functions-read --serviceaccount default:example
+kubectl create -n kubeless rolebinding example-kubeapps-kubeless-config-read --role=kubeapps-kubeless-config-read --serviceaccount default:example
+```
+
+#### Write access to Functions within a namespace
+
+In order to create, update and delete Functions in a namespace, apply the
+`kubeapps-functions-write` ClusterRole in the desired namespace.
+
+```
+kubectl create -n default rolebinding example-kubeapps-functions-write --clusterrole=kubeapps-functions-write --serviceaccount default:example
+```
+
+### Service Catalog, Service Instances and Bindings
+
+#### Read access to Service Instances and Bindings within a namespaces
+
+Service Brokers, Classes and Plans in the Service Catalog are cluster-scoped
+resources, but Service Instances and Bindings can be restricted to a namespace.
+Kubeapps defines two roles (`kubeapps-service-catalog-browse` and
+`kubeapps-service-catalog-read`) to separate the roles required to view Service
+Instances and Bindings so that they can be applied to desired namespaces.
+
+In order to list and view Service Instances in a namespace, apply the
+`kubeapps-service-catalog-browse` ClusterRole in all namespaces and the
+`kubeapps-service-catalog-read` in the desired namespace.
+
+```
+kubectl create clusterrolebinding example-kubeapps-service-catalog-browse --clusterrole=kubeapps-service-catalog-browse --serviceaccount default:example
+kubectl create -n default rolebinding example-kubeapps-service-catalog-read --clusterrole=kubeapps-service-catalog-read --serviceaccount default:example
+```
+
+#### Write access to Service Instances and Bindings within a namespace
+
+In order to create and delete Service Instances and Bindings in a namespace,
+apply the `kubeapps-service-catalog-write` ClusterRole in the desired namespace.
+
+```
+kubectl create -n default rolebinding example-kubeapps-service-catalog-write --clusterrole=kubeapps-service-catalog-write --serviceaccount default:example
+```
+
+#### Admin access to configure Service Brokers
+
+In order to resync Service Brokers from the Service Brokers Configuration page,
+apply the `kubeapps-service-catalog-admin` ClusterRole in all namespaces.
+
+```
+kubectl create clusterrolebinding example-kubeapps-service-catalog-admin --clusterrole=kubeapps-service-catalog-admin --serviceaccount default:example
+```
+
+### App Repositories
+
+#### Read access to App Repositories
+
+In order to list the configured App Repositories in Kubeapps, apply the
+`kubeapps-repositories-read` Role in the kubeapps namespace.
+
+```
+kubectl create -n kubeapps rolebinding example-kubeapps-repositories-read --role=kubeapps-repositories-read --serviceaccount default:example
+```
+
+#### Write access to App Repositories
+
+In order to create and refresh App Repositories in Kubeapps, apply the
+`kubeapps-repositories-write` Role in the kubeapps namespace.
+
+```
+kubectl create -n kubeapps rolebinding example-kubeapps-repositories-write --role=kubeapps-repositories-write --serviceaccount default:example
+```
+
+### Assigning roles across multiple namespaces
+
+To give permissions in multiple namespaces, simply create the same RoleBindings
+in each namespace you want to configure access for. For example, to give the
+"example" user permissions to manage Applications in the "example" namespace:
+
+```
+kubectl create -n example rolebinding example-kubeapps-applications-write --clusterrole=kubeapps-applications-read --serviceaccount default:example
+kubectl create -n example rolebinding example-kubeapps-applications-write --clusterrole=kubeapps-applications-write --serviceaccount default:example
+```
+
+Note that there's no need to recreate the RoleBinding in the kubeapps namespace
+that is also needed, since that has already been created.
+
+If you want to give access for every namespace, simply create a
+ClusterRoleBinding instead of a RoleBinding. For example, to give the "example" user permissions to manage Applications in _any_ namespace:
+
+```
+kubectl create clusterrolebinding example-kubeapps-applications-write --clusterrole=kubeapps-applications-read --serviceaccount default:example
+kubectl create clusterrolebinding example-kubeapps-applications-write --clusterrole=kubeapps-applications-write --serviceaccount default:example
+```
+
+## RBAC rules required by Kubeapps
+
+An up-to-date list of RBAC rules Kubeapps requires can be found [here](/manifests/user-roles.jsonnet).
+
+## Using a cluster-admin user (not recommended)
+
+A simpler way to configure access for Kubeapps would be to give the user
+cluster-admin access (effectively disabling RBAC). This is not recommended, but
+useful for quick demonstrations or evaluations.
+
+```
+kubectl create serviceaccount kubeapps-operator
+kubectl create clusterrolebinding kubeapps-operator --clusterrole=cluster-admin --serviceaccount=default:kubeapps-operator
+```
diff --git a/docs/getting-started.md b/docs/getting-started.md
index fa4f2518b25..5adac1bb2e8 100644
--- a/docs/getting-started.md
+++ b/docs/getting-started.md
@@ -43,7 +43,19 @@ To remove Kubeapps from your cluster, run this command:
 kubeapps down
 ```
 
-## Step 2: Start the Kubeapps Dashboard
+## Step 2: Create a Kubernetes API token
+
+Access to the dashboard requires a Kubernetes API token to authenticate with the Kubernetes API server.
+
+```
+kubectl create serviceaccount kubeapps-operator
+kubectl create clusterrolebinding kubeapps-operator --clusterrole=cluster-admin --serviceaccount=default:kubeapps-operator
+kubectl get secret $(kubectl get serviceaccount kubeapps-operator -o jsonpath='{.secrets[].name}') -o jsonpath='{.data.token}' | base64 --decode
+```
+
+NOTE: It's not recommended to create `cluster-admin` users for Kubeapps. Please refer to the [Access Control](docs/access-control.md) documentation to configure fine-grained access control for users.
+
+## Step 3: Start the Kubeapps Dashboard
 
 Once Kubeapps is installed, securely access the Kubeapps Dashboard from your system by running:
 
@@ -53,9 +65,13 @@ kubeapps dashboard
 
 This will start an HTTP proxy for secure access to the Kubeapps Dashboard and launch your default browser to access it. Here's what you should see:
 
+![Dashboard login page](../img/dashboard-login.png)
+
+Paste the token generated in the previous step to authenticate and access the Kubeapps dashboard for Kubernetes.
+
 ![Dashboard main page](../img/dashboard-home.png)
 
-## Step 3: Deploy WordPress
+## Step 4: Deploy WordPress
 
 Once you have the Kubeapps Dashboard up and running, you can start deploying applications into your cluster.
 
diff --git a/manifests/kubeapps.jsonnet b/manifests/kubeapps.jsonnet
index 1c5a7867aae..20070bb4c6d 100644
--- a/manifests/kubeapps.jsonnet
+++ b/manifests/kubeapps.jsonnet
@@ -58,4 +58,14 @@ local labelifyEach(src) = {
     namespace:: $.namespace,
   },
   mongodb: labelifyEach($.mongodb_),
+
+  userRoles_:: (import "user-roles.jsonnet") {
+    namespace:: $.namespace,
+  },
+  userRoles: $.userRoles_ {
+    applications: labelifyEach($.userRoles_.applications),
+    functions: labelifyEach($.userRoles_.functions),
+    serviceCatalog: labelifyEach($.userRoles_.serviceCatalog),
+    repositories: labelifyEach($.userRoles_.repositories),
+  },
 }
diff --git a/manifests/user-roles.jsonnet b/manifests/user-roles.jsonnet
new file mode 100644
index 00000000000..3fa1448f1cf
--- /dev/null
+++ b/manifests/user-roles.jsonnet
@@ -0,0 +1,202 @@
+local kube = import "kube.libsonnet";
+local kubecfg = import "kubecfg.libsonnet";
+
+{
+  namespace:: {metadata+: {namespace: "kubeapps"}},
+
+  applications: {
+    // kubeapps-applications-read
+    // Gives read-only access to Applications within a Namespace in Kubeapps.
+    // Usage:
+    //   Apply kubeapps-applications-read clusterrole to user/serviceaccount in the desired namespace
+    //   AND apply kubeapps-tiller-state-read role to user/serviceaccount in the kubeapps namespace.
+    read: kube.ClusterRole("kubeapps-applications-read") {
+      rules: [
+        {
+          apiGroups: ["helm.bitnami.com"],
+          resources: ["helmreleases"],
+          verbs: ["list", "get"],
+        },
+        {
+          apiGroups: ["", "apps"],
+          resources: ["services", "deployments"],
+          verbs: ["list", "watch"],
+        },
+      ],
+    },
+    readTillerState: kube.Role("kubeapps-tiller-state-read") + $.namespace {
+      rules: [
+        {
+          apiGroups: [""],
+          resources: ["configmaps"],
+          verbs: ["list", "get"],
+        },
+      ],
+    },
+    // kubeapps-applications-write
+    // Gives write access to Applications within a Namespace in Kubeapps.
+    // Usage:
+    //   Apply kubeapps-applications-write clusterrole to user/serviceaccount in the desired namespace.
+    //   AND apply kubeapps-repositories-read role to user/serviceaccount in the kubeapps namespace.
+    write: kube.ClusterRole("kubeapps-applications-write") {
+      rules: [
+        {
+          apiGroups: ["helm.bitnami.com"],
+          resources: ["helmreleases"],
+          verbs: ["create", "patch", "delete"],
+        },
+      ],
+    },
+  },
+
+  functions: {
+    // kubeapps-functions-read
+    // Gives read-only access to Functions within a Namespace in Kubeapps.
+    // Usage:
+    //   Apply kubeapps-functions-read clusterrole to user/serviceaccount in the desired namespace
+    //   AND apply kubeapps-kubeless-config-read to user/serviceaccount in the kubeless namespace.
+    read: kube.ClusterRole("kubeapps-functions-read") {
+      rules: [
+        {
+          apiGroups: ["kubeless.io"],
+          resources: ["functions"],
+          verbs: ["list", "get"],
+        },
+        {
+          apiGroups: ["", "apps"],
+          resources: ["pods", "deployments"],
+          verbs: ["list", "watch"],
+        },
+        {
+          apiGroups: [""],
+          resources: ["pods/log"],
+          verbs: ["get"],
+        },
+        // Allows Kubeapps to send GET/POST requests to function endpoints.
+        {
+          apiGroups: [""],
+          resources: ["services/proxy"],
+          verbs: ["get", "create"],
+        },
+      ],
+    },
+    readKubelessConfig: kube.Role("kubeapps-kubeless-config-read") {
+      metadata+: {
+        namespace: "kubeless",
+      },
+      rules: [
+        {
+          apiGroups: [""],
+          resources: ["configmaps"],
+          resourceNames: ["kubeless-config"],
+          verbs: ["get"],
+        },
+      ],
+    },
+    // kubeapps-functions-write
+    // Gives write access to Functions within a Namespace in Kubeapps.
+    // Usage:
+    //   Apply kubeapps-functions-write clusterrole to user/serviceaccount in the desired namespace.
+    write: kube.ClusterRole("kubeapps-functions-write") {
+      rules: [
+        {
+          apiGroups: ["kubeless.io"],
+          resources: ["functions"],
+          verbs: ["create", "update", "delete"],
+        },
+      ],
+    },
+  },
+
+  serviceCatalog: {
+    // kubeapps-service-catalog-read
+    // Gives read-only access to Service Instances and Bindings within a Namespace in Kubeapps.
+    // Usage:
+    //   Apply kubeapps-service-catalog-read clusterrole to user/serviceaccount in the desired namespace
+    //   AND apply kubeapps-service-catalog-browse to user/serviceaccount in all namespaces.
+    browse: kube.ClusterRole("kubeapps-service-catalog-browse") {
+      rules: [
+        {
+          apiGroups: ["servicecatalog.k8s.io"],
+          resources: ["clusterservicebrokers", "clusterserviceclasses", "clusterserviceplans"],
+          verbs: ["list"],
+        },
+      ],
+    },
+    read: kube.ClusterRole("kubeapps-service-catalog-read") {
+      rules: [
+        {
+          apiGroups: ["servicecatalog.k8s.io"],
+          resources: ["serviceinstances", "servicebindings"],
+          verbs: ["list", "get"],
+        },
+        // Allows viewing Service Binding credentials.
+        {
+          apiGroups: [""],
+          resources: ["secrets"],
+          verbs: ["get"],
+        },
+      ],
+    },
+    // kubeapps-service-catalog-write
+    // Gives write access to Service Instances and Bindings within a Namespace in Kubeapps.
+    // Usage:
+    //   Apply kubeapps-service-catalog-write clusterrole to user/serviceaccount in the desired namespace.
+    write: kube.ClusterRole("kubeapps-service-catalog-write") {
+      rules: [
+        {
+          apiGroups: ["servicecatalog.k8s.io"],
+          resources: ["serviceinstances", "servicebindings"],
+          verbs: ["create", "delete"],
+        },
+      ],
+    },
+    // kubeapps-service-catalog-admin
+    // Gives admin access for the Service Broker configuration page in Kubeapps.
+    // Usage:
+    //   Apply kubeapps-service-catalog-admin clusterrole to user/serviceaccount in all namespaces.
+    admin: kube.ClusterRole("kubeapps-service-catalog-admin") {
+      rules: [
+        {
+          apiGroups: ["servicecatalog.k8s.io"],
+          resources: ["clusterservicebrokers"],
+          verbs: ["patch"],
+        },
+      ],
+    },
+  },
+
+  repositories: {
+    // kubeapps-repositories-read
+    // Gives read-only access to App Repositories in Kubeapps.
+    // Usage:
+    //   Apply kubeapps-repositories-read role to user/serviceaccount in the kubeapps namespace.
+    read: kube.Role("kubeapps-repositories-read") + $.namespace {
+      rules: [
+        {
+          apiGroups: ["kubeapps.com"],
+          resources: ["apprepositories"],
+          verbs: ["list", "get"],
+        }
+      ],
+    },
+    // kubeapps-repositories-write
+    // Gives write access to App Repositories in Kubeapps.
+    // Usage:
+    //   Apply kubeapps-repositories-write role to user/serviceaccount in the kubeapps namespace.
+    write: kube.Role("kubeapps-repositories-write") + $.namespace {
+      rules: [
+        {
+          apiGroups: ["kubeapps.com"],
+          resources: ["apprepositories"],
+          verbs: ["get", "create", "update", "delete"],
+        },
+        {
+          apiGroups: [""],
+          resources: ["secrets"],
+          verbs: ["create"],
+        },
+      ],
+    },
+  },
+}