[helm] add rbac.proxier config (#1451)

**Description of the change** Add options to the Helm chart to configure the `proxier` Role, and its RoleBinding. **Benefits** This allows the user to override the default RoleBinding that grants `system:authenticated` the `proxier` role. `system:authenticated` is not a very safe option in a lot of clusters, so it's important to expose this option. **Possible drawbacks** This was written to preserve existing behavior by default, so as to not break compatibility. This isn't ideal as the existing behavior is insecure on GKE (and possibly other contexts as well), but since it doesn't directly expose anything damaging (but rather is a defense-in-depth measure), it's probably OK to just highlight the importance of changing this in the documentation. **Applicable issues** - partially addresses #1448 Signed-off-by: Alice Sawatzky <alice.sawatzky@farmersedge.ca>
bitnami-labs · Feb 14, 2024 · 883c672 · 883c672
1 parent fa6f7e7
commit 883c672
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 6 deletions.
diff --git a/helm/sealed-secrets/README.md b/helm/sealed-secrets/README.md
@@ -79,6 +79,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `extraDeploy`       | Array of extra objects to deploy with the release       | `[]`  |
 | `commonAnnotations` | Annotations to add to all deployed resources            | `{}`  |
 | `commonLabels`      | Labels to add to all deployed resources                 | `{}`  |
+| `rbac.serviceProxier`      | Configure who is able to access the SealedSecrets service. This may have security implications so the options should be reviewed carefully. | See [Other Parameters](#other-parameters) |
 
 ### Sealed Secrets Parameters
 
@@ -188,6 +189,11 @@ The command removes all the Kubernetes components associated with the chart and
 | `rbac.namespacedRolesName`   | Specifies the name for the namesapced Role resource                                                      | `secrets-unsealer` |
 | `rbac.labels`                | Extra labels to be added to RBAC resources                                                               | `{}`               |
 | `rbac.pspEnabled`            | PodSecurityPolicy                                                                                        | `false`            |
+| `rbac.serviceProxier.create` | Specifies whether to create the "service proxier" role, to allow access to the SealedSecret API          | `true`             |
+| `rbac.serviceProxier.bind`   | Specifies whether to create a RoleBinding for the "service proxier" role                                 | `true`             |
+| `rbac.serviceProxier.subjects` | Specifies the Subjects to grant the "service proxier" role to, in the created RoleBinding. Using this chart's default value that grants access to the `system:authenticated` group is [discouraged in GKE][gkebp] | `"[{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "system:authenticated"}]"` |
+
+[gkebp]: https://cloud.google.com/kubernetes-engine/docs/best-practices/rbac#default-roles-groups
 
 ### Metrics parameters
 

diff --git a/helm/sealed-secrets/templates/role-binding.yaml b/helm/sealed-secrets/templates/role-binding.yaml
@@ -21,6 +21,8 @@ subjects:
     name: {{ include "sealed-secrets.serviceAccountName" . }}
     namespace: {{ include "sealed-secrets.namespace" . }}
 ---
+{{ end }}
+{{ if and (and .Values.rbac.create .Values.rbac.serviceProxier.create) .Values.rbac.serviceProxier.bind }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -38,11 +40,9 @@ roleRef:
   kind: Role
   name: {{ printf "%s-service-proxier" (include "sealed-secrets.fullname" .) }}
 subjects:
-- apiGroup: rbac.authorization.k8s.io
-  kind: Group
-  name: system:authenticated
-{{ end }}
+  {{- include "sealed-secrets.render" (dict "value" .Values.rbac.serviceProxier.subjects "context" $) | nindent 2 }}
 ---
+{{ end }}
 {{ if and (and .Values.rbac.create .Values.rbac.namespacedRoles) (not $.Values.rbac.clusterRole) }}
   {{- range $additionalNamespace := $.Values.additionalNamespaces }}
 apiVersion: rbac.authorization.k8s.io/v1
@@ -65,4 +65,4 @@ subjects:
     namespace: {{ include "sealed-secrets.namespace" $ }}
 ---
   {{ end }}
-{{ end }}
+{{ end }}
diff --git a/helm/sealed-secrets/templates/role.yaml b/helm/sealed-secrets/templates/role.yaml
@@ -28,6 +28,8 @@ rules:
       - create
       - list
 ---
+{{- end }}
+{{- if and .Values.rbac.create .Values.rbac.serviceProxier.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -60,8 +62,8 @@ rules:
     verbs:
       - create
       - get
-{{ end }}
 ---
+{{- end }}
 {{ if and (and .Values.rbac.create .Values.rbac.namespacedRoles) (not $.Values.rbac.clusterRole) }}
   {{- range $additionalNamespace := $.Values.additionalNamespaces }}
 apiVersion: rbac.authorization.k8s.io/v1

diff --git a/helm/sealed-secrets/values.yaml b/helm/sealed-secrets/values.yaml
@@ -405,6 +405,22 @@ rbac:
   ## @param rbac.pspEnabled PodSecurityPolicy
   ##
   pspEnabled: false
+  ## "Proxier" RBAC Role configuration
+  ##
+  serviceProxier:
+    ## @param create Specifies whether to create the "proxier" role, to allow external users to access the SealedSecret API
+    ##
+    create: true
+    ## @param bind Specifies whether to create a RoleBinding for the "proxier" role
+    ##
+    bind: true
+    ## @param subjects Specifies the RBAC subjects to grant the "proxier" role to, in the created RoleBinding
+    ## It is best to change this to something narrower, as the default binding gives `system:authenticated` access, which is very broad
+    ##
+    subjects: |
+      - apiGroup: rbac.authorization.k8s.io
+        kind: Group
+        name: system:authenticated
 
 ## @section Metrics parameters