

Merge pull request #465 from nestorsalceda/falco-aws-permissions-fix
Fix AWS permissions for Kubernetes Response Engine
bencer committed Nov 20, 2018
2 parents d1329af + 1308d7f commit 21f16f0
Showing 11 changed files with 83 additions and 14 deletions.
@@ -1,4 +1,4 @@
.terraform/*
.terraform.*
terraform.*
*.yaml
aws-auth-patch.yml
12 changes: 9 additions & 3 deletions integrations/kubernetes-response-engine/deployment/aws/Makefile
@@ -1,11 +1,17 @@
all: create configure
deploy: rbac create configure

rbac:
kubectl apply -f cluster-role.yaml
kubectl apply -f cluster-role-binding.yaml

create:
terraform apply
terraform apply -auto-approve

configure:
kubectl get -n kube-system configmap/aws-auth -o yaml | awk "/mapRoles: \|/{print;print \"$(shell terraform output patch_for_aws_auth)\";next}1" > aws-auth-patch.yml
kubectl -n kube-system replace -f aws-auth-patch.yml

clean:
terraform destroy
terraform destroy -force
kubectl delete -f cluster-role-binding.yaml
kubectl delete -f cluster-role.yaml
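Review bot: `clean` destroys the Terraform resources and deletes the RBAC objects but never reverts what `configure` did, so the mapRoles entry injected into the `kube-system/aws-auth` configmap stays behind pointing at an IAM role that no longer exists; because an IAM role ARN is derived from its name, a recreated role is trusted by the cluster again without `configure` ever being re-run. Add a `clean` step that removes the entry (for example by having `configure` keep a copy of the configmap before the `kubectl replace` and restoring it here), or put a comment above `clean` saying the aws-auth entry must be removed by hand. Separately, `terraform apply -auto-approve` in `create` skips plan review for a change that creates an IAM user and an IAM role; consider keeping the interactive approval outside CI.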
@@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: kubernetes-response-engine-cluster-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kubernetes-response-engine-cluster-role
subjects:
- kind: User
apiGroup: rbac.authorization.k8s.io
name: kubernetes-response-engine
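Review bot: `apiVersion: rbac.authorization.k8s.io/v1beta1` on the first line disagrees with the ClusterRole added in the same commit, which uses `rbac.authorization.k8s.io/v1`; the binding should use `apiVersion: rbac.authorization.k8s.io/v1` as well, since RBAC v1 has been GA since Kubernetes 1.8 and the beta version is slated for removal. The kubeless copy of this binding has the same mismatch. A short comment above `subjects` saying that `kubernetes-response-engine` is the username the aws-auth mapRoles entry assigns to the Lambda's IAM role would tell a reader where this User identity comes from, since nothing inside the cluster creates it.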
@@ -0,0 +1,25 @@
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kubernetes-response-engine-cluster-role
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- delete
- list
- patch
- apiGroups:
- ""
resources:
- nodes
verbs:
- patch
- apiGroups:
- batch
resources:
- jobs
verbs:
- create
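Review bot: The three rules carry no indication of which playbook needs each verb, so nobody can later tell whether `delete` on pods, `patch` on nodes or `create` on jobs can be dropped; a one-line comment above each rule naming the consuming playbook (presumably pod deletion and label-based isolation, node tainting, and a capture job) would make the grant reviewable. `patch` on `nodes` is necessarily cluster-wide, which is worth stating as a deliberate choice rather than leaving implicit. The kubeless deployment adds a byte-identical ClusterRole with the same cluster-scoped name, so the two files will drift unless one is generated from the other or each carries a comment pointing at its twin.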
@@ -1,3 +1,7 @@
resource "aws_iam_user" "kubernetes-response-engine-user" {
name = "kubernetes_response_engine"
}

resource "aws_iam_role" "iam-for-lambda" {
name = "iam_for_lambda"

Expand All @@ -9,7 +13,7 @@ resource "aws_iam_role" "iam-for-lambda" {
"Action": "sts:AssumeRole",
"Principal": {
"Service": "lambda.amazonaws.com",
"AWS": "${var.iam-user-arn}"
"AWS": "${aws_iam_user.kubernetes-response-engine-user.arn}"
},
"Effect": "Allow",
"Sid": ""
Expand Down
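Review bot: The trust policy now names a long-lived IAM user as a second principal allowed to assume `iam_for_lambda`, alongside the Lambda service, and nothing in the hunk says why the user needs that path; a comment above `resource "aws_iam_user"` stating its purpose (presumably the credentials an out-of-cluster caller such as the playbook deployer uses to obtain an EKS token through this role) would make the added trust relationship reviewable. The user is created with no policy attached in this hunk, which is fine if assuming the role is its only job, but that should be said in the same comment so a later "fix" does not widen it. The `aws_iam_role` block continues past the hunk.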
@@ -1,7 +1,7 @@
locals {
patch_for_aws_auth = <<CONFIGMAPAWSAUTH
- rolearn: ${aws_iam_role.iam-for-lambda.arn}\n
username: kubernetes-admin\n
username: kubernetes-response-engine\n
groups:\n
- system:masters
CONFIGMAPAWSAUTH
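Review bot: The mapRoles entry still lists `- system:masters` under `groups:`, and Kubernetes binds that group to `cluster-admin`, so the scoped ClusterRole this commit binds to user `kubernetes-response-engine` changes nothing in practice: the Lambda keeps full cluster access through the group. Drop the `groups:\n` and `- system:masters` lines (the username alone is what the new ClusterRoleBinding matches), or map to a dedicated group and bind that group instead. If the group is kept on purpose, say so in a comment above the heredoc, because otherwise the ClusterRole reads as the effective permission set. The `locals` block closes outside the hunk.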

This file was deleted.

@@ -1,7 +1,6 @@
deploy:
kubectl apply -f nats/
kubectl apply -f kubeless/
kubectl apply -f network-policy.yaml
kubectl apply -f .

clean:
@@ -1,12 +1,13 @@
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: sysdig-kubeless
name: kubernetes-response-engine-cluster-role-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
name: kubernetes-response-engine-cluster-role
subjects:
- kind: ServiceAccount
name: default
namespace: default
apiGroup: rbac.authorization.k8s.io
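Review bot: `apiGroup: rbac.authorization.k8s.io` on the last line sits under a `kind: ServiceAccount` subject, and RBAC validation in the API server accepts only an empty apiGroup for ServiceAccount subjects, so `kubectl apply` should reject this binding; delete that line, as it belongs to User and Group subjects only (the aws copy of this file uses it correctly under `kind: User`). The subject is still the `default` ServiceAccount of the `default` namespace, so every pod running there with the default account inherits pod delete/patch and node patch cluster-wide; a dedicated ServiceAccount for the functions, named here and set on the function spec, would confine the grant. `apiVersion` should also match the `v1` used by the ClusterRole it binds to.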
@@ -0,0 +1,25 @@
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kubernetes-response-engine-cluster-role
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- delete
- list
- patch
- apiGroups:
- ""
resources:
- nodes
verbs:
- patch
- apiGroups:
- batch
resources:
- jobs
verbs:
- create
Expand Up @@ -16,7 +16,7 @@ You must pass the playbook and at least one topic to subscribe.
Example:
deploy_playbook -p slack -t "falco.error.*" -e SLACK_WEBHOOK_URL=http://foobar.com/... -k sysdig_eks
deploy_playbook -p slack -e SLACK_WEBHOOK_URL=http://foobar.com/... -k sysdig_eks
EOF
exit 1
}
Expand All @@ -27,7 +27,7 @@ playbook=""
environment=("KUBECONFIG=kubeconfig" "KUBERNETES_LOAD_KUBE_CONFIG=1")
eks_cluster="${EKS_CLUSTER}"

while getopts "r:e:t:" arg; do
while getopts "p:e:k:" arg; do
case $arg in
p)
playbook="${OPTARG}"
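Review bot: The usage text quoted in the first hunk header (outside the hunk) still says "at least one topic to subscribe", while the new `while getopts "p:e:k:" arg; do` no longer accepts `-t`, so the message now contradicts the options the script parses; update that sentence to describe `-p`, `-e` and `-k` (or restore `t:` if topics are still meant to be passed). The new example line drops `-t`, which is consistent with the getopts change. The `case` arms for `e)` and `k)` lie past the hunk, so I cannot confirm they exist; worth checking, since the old letters were `r:` and `t:` and only the `p)` arm is visible.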

