Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[helm] add rbac.proxier config #1451

Merged
merged 5 commits into from
Feb 14, 2024
Merged

[helm] add rbac.proxier config #1451

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
128b7ca
[helm] add rbac.proxier config
alice-sawatzky Jan 29, 2024
8e0df6a
[helm/readme] add notes about security implications of rbac.proxier
alice-sawatzky Jan 29, 2024
bbb2c38
[helm/role-binding] fix spacing
alice-sawatzky Jan 29, 2024
7aa9552
[helm/rbac] rename "proxier" key to "serviceProxier"
alice-sawatzky Feb 6, 2024
c99b647
[helm/rbac.serviceProxier.subjects] switch type to templated string
alice-sawatzky Feb 6, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
6 changes: 6 additions & 0 deletions helm/sealed-secrets/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,7 @@ The command removes all the Kubernetes components associated with the chart and
| `extraDeploy` | Array of extra objects to deploy with the release | `[]` |
| `commonAnnotations` | Annotations to add to all deployed resources | `{}` |
| `commonLabels` | Labels to add to all deployed resources | `{}` |
| `rbac.serviceProxier` | Configure who is able to access the SealedSecrets service. This may have security implications so the options should be reviewed carefully. | See [Other Parameters](#other-parameters) |

### Sealed Secrets Parameters

Expand Down Expand Up @@ -188,6 +189,11 @@ The command removes all the Kubernetes components associated with the chart and
| `rbac.namespacedRolesName` | Specifies the name for the namesapced Role resource | `secrets-unsealer` |
| `rbac.labels` | Extra labels to be added to RBAC resources | `{}` |
| `rbac.pspEnabled` | PodSecurityPolicy | `false` |
| `rbac.serviceProxier.create` | Specifies whether to create the "service proxier" role, to allow access to the SealedSecret API | `true` |
| `rbac.serviceProxier.bind` | Specifies whether to create a RoleBinding for the "service proxier" role | `true` |
| `rbac.serviceProxier.subjects` | Specifies the Subjects to grant the "service proxier" role to, in the created RoleBinding. Using this chart's default value that grants access to the `system:authenticated` group is [discouraged in GKE][gkebp] | `"[{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "system:authenticated"}]"` |

[gkebp]: https://cloud.google.com/kubernetes-engine/docs/best-practices/rbac#default-roles-groups

### Metrics parameters

Expand Down
10 changes: 5 additions & 5 deletions helm/sealed-secrets/templates/role-binding.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,8 @@ subjects:
name: {{ include "sealed-secrets.serviceAccountName" . }}
namespace: {{ include "sealed-secrets.namespace" . }}
---
{{ end }}
{{ if and (and .Values.rbac.create .Values.rbac.serviceProxier.create) .Values.rbac.serviceProxier.bind }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
Expand All @@ -38,11 +40,9 @@ roleRef:
kind: Role
name: {{ printf "%s-service-proxier" (include "sealed-secrets.fullname" .) }}
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:authenticated
{{ end }}
{{- include "sealed-secrets.render" (dict "value" .Values.rbac.serviceProxier.subjects "context" $) | nindent 2 }}
---
{{ end }}
{{ if and (and .Values.rbac.create .Values.rbac.namespacedRoles) (not $.Values.rbac.clusterRole) }}
{{- range $additionalNamespace := $.Values.additionalNamespaces }}
apiVersion: rbac.authorization.k8s.io/v1
Expand All @@ -65,4 +65,4 @@ subjects:
namespace: {{ include "sealed-secrets.namespace" $ }}
---
{{ end }}
{{ end }}
{{ end }}
4 changes: 3 additions & 1 deletion helm/sealed-secrets/templates/role.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,8 @@ rules:
- create
- list
---
{{- end }}
{{- if and .Values.rbac.create .Values.rbac.serviceProxier.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
Expand Down Expand Up @@ -60,8 +62,8 @@ rules:
verbs:
- create
- get
{{ end }}
---
{{- end }}
{{ if and (and .Values.rbac.create .Values.rbac.namespacedRoles) (not $.Values.rbac.clusterRole) }}
{{- range $additionalNamespace := $.Values.additionalNamespaces }}
apiVersion: rbac.authorization.k8s.io/v1
Expand Down
16 changes: 16 additions & 0 deletions helm/sealed-secrets/values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -404,6 +404,22 @@ rbac:
## @param rbac.pspEnabled PodSecurityPolicy
##
pspEnabled: false
## "Proxier" RBAC Role configuration
##
serviceProxier:
## @param create Specifies whether to create the "proxier" role, to allow external users to access the SealedSecret API
##
create: true
## @param bind Specifies whether to create a RoleBinding for the "proxier" role
##
bind: true
alemorcuq marked this conversation as resolved.
Show resolved Hide resolved
## @param subjects Specifies the RBAC subjects to grant the "proxier" role to, in the created RoleBinding
## It is best to change this to something narrower, as the default binding gives `system:authenticated` access, which is very broad
##
subjects: |
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:authenticated

## @section Metrics parameters

Expand Down