ClusterReader Fine Grained Access Control
ClusterReader RBAC Role should provide minimal permissions.
Also let end-users decide, via Values, whether to grant the
list verb on Kubernetes secrets.
avo-sepp committed Mar 21, 2024
1 parent 18fdd31 commit 3dee657
Showing 2 changed files with 36 additions and 3 deletions.
Expand Up @@ -36,9 +36,41 @@ metadata:
labels:
{{- include "wiz-kubernetes-connector.labels" . | nindent 4 }}
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["endpoints", "namespaces", "persistentvolumeclaims", "persistentvolumes", "pods", "serviceaccounts", "services", "nodes"]
verbs: ["list"]
- apiGroups: ["apps"]
resources: ["controllerrevisions", "daemonsets", "deployments","replicasets", "statefulsets"]
verbs: ["list"]
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["clusterrolebindings","clusterroles","rolebindings", "roles"]
verbs: ["list"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["list"]
- apiGroups: ["batch"]
resources: ["cronjobs", "jobs"]
verbs: ["list"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingressclasses", "ingresses", "networkpolicies"]
verbs: ["list"]
- apiGroups: ["policy"]
resources: ["podsecuritypolicies"]
verbs: ["list"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["list"]
- apiGroups: ["networking.istio.io"]
resources: ["gateways","virtualservices"]
verbs: ["list"]
{{- if .Values.clusterReader.enableListSecret }}
- apiGroups: [""]
resources: ["secrets"]
verbs: ["list"]
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
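Review bot: The secrets rule wrapped in `{{- if .Values.clusterReader.enableListSecret }}` is only nominally optional, because the companion values.yaml hunk sets `enableListSecret: true`, so a default install still grants cluster-wide `list` on secrets — and a list response returns each Secret's full `data`, which is the broadest read access that resource allows. For a change whose stated goal is minimal permissions, the default should be opt-in: change the values.yaml line to `enableListSecret: false` and document it above the key with `# Grant the connector cluster-wide list on Secrets (the response includes secret contents); off by default`. The `policy/podsecuritypolicies` entry refers to a resource removed in Kubernetes 1.25; RBAC tolerates rules for unknown resources so it is harmless, but a comment noting it only applies to pre-1.25 clusters would prevent a future reader from assuming it grants anything. The ClusterRole's `kind` and `metadata` begin above this hunk.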
1 change: 1 addition & 0 deletions wiz-kubernetes-connector/values.yaml
Expand Up @@ -15,6 +15,7 @@ image:

clusterReader:
installRbac: true
enableListSecret: true
serviceAccount:
create: true
# Annotations to add to the service account