From e321d7c8debed84639997e70289209fe15283112 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?N=C3=A9stor=20Salceda?= Date: Fri, 9 Nov 2018 17:28:16 +0100 Subject: [PATCH 1/6] Fix script documentation and parameters --- .../kubernetes-response-engine/playbooks/deploy_playbook_aws | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/integrations/kubernetes-response-engine/playbooks/deploy_playbook_aws b/integrations/kubernetes-response-engine/playbooks/deploy_playbook_aws index 3382d1db31c..7003fd90d28 100755 --- a/integrations/kubernetes-response-engine/playbooks/deploy_playbook_aws +++ b/integrations/kubernetes-response-engine/playbooks/deploy_playbook_aws @@ -16,7 +16,7 @@ You must pass the playbook and at least one topic to subscribe. Example: -deploy_playbook -p slack -t "falco.error.*" -e SLACK_WEBHOOK_URL=http://foobar.com/... -k sysdig_eks +deploy_playbook -p slack -e SLACK_WEBHOOK_URL=http://foobar.com/... -k sysdig_eks EOF exit 1 } @@ -27,7 +27,7 @@ playbook="" environment=("KUBECONFIG=kubeconfig" "KUBERNETES_LOAD_KUBE_CONFIG=1") eks_cluster="${EKS_CLUSTER}" -while getopts "r:e:t:" arg; do +while getopts "p:e:k:" arg; do case $arg in p) playbook="${OPTARG}" From 4696519debc59b5d1409df8da4002f10f08640ed Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?N=C3=A9stor=20Salceda?= Date: Fri, 9 Nov 2018 17:44:04 +0100 Subject: [PATCH 2/6] Honor the principle of least privilege for AWS deployment Configure needed permisssions instead of using one too permissive. --- .../deployment/aws/.gitignore | 2 +- .../deployment/aws/Makefile | 12 ++++++--- .../deployment/aws/cluster-role-binding.yaml | 12 +++++++++ .../deployment/aws/outputs.tf | 2 +- .../deployment/cluster-role.yaml | 25 +++++++++++++++++++ 5 files changed, 48 insertions(+), 5 deletions(-) create mode 100644 integrations/kubernetes-response-engine/deployment/aws/cluster-role-binding.yaml create mode 100644 integrations/kubernetes-response-engine/deployment/cluster-role.yaml 
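Review bot: The usage text still says "You must pass the playbook and at least one topic to subscribe" (the line carried as this hunk's header context) while the example in this hunk and the getopts string in the second hunk (`p:e:k:`) no longer accept a `-t` topic option, so the help output now contradicts the parser; this applies to both hunks of this patch. Update that sentence to something like `You must pass the playbook (-p) and the EKS cluster name (-k, defaults to $EKS_CLUSTER).`, and if a `t)` arm is still present in the `case` that continues past the second hunk, drop it as dead code. The example also passes the Slack webhook URL as a `-e` argument, which lands in shell history and process listings; a sentence in the usage text saying so (`# -e values are visible in ps/history; prefer a restricted shell or a wrapper for secrets`) would help users keep the secret off the command line.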
diff --git a/integrations/kubernetes-response-engine/deployment/aws/.gitignore b/integrations/kubernetes-response-engine/deployment/aws/.gitignore index e95d270e26b..5b70b6d365d 100644 --- a/integrations/kubernetes-response-engine/deployment/aws/.gitignore +++ b/integrations/kubernetes-response-engine/deployment/aws/.gitignore @@ -1,4 +1,4 @@ .terraform/* .terraform.* terraform.* -*.yaml +aws-auth-patch.yml diff --git a/integrations/kubernetes-response-engine/deployment/aws/Makefile b/integrations/kubernetes-response-engine/deployment/aws/Makefile index ff640c9ccc8..1f512c97c81 100644 --- a/integrations/kubernetes-response-engine/deployment/aws/Makefile +++ b/integrations/kubernetes-response-engine/deployment/aws/Makefile @@ -1,11 +1,17 @@ -all: create configure +all: rbac create configure + +rbac: + kubectl apply -f ../cluster-role.yaml + kubectl apply -f cluster-role-binding.yaml create: - terraform apply + terraform apply -auto-approve configure: kubectl get -n kube-system configmap/aws-auth -o yaml | awk "/mapRoles: \|/{print;print \"$(shell terraform output patch_for_aws_auth)\";next}1" > aws-auth-patch.yml kubectl -n kube-system replace -f aws-auth-patch.yml clean: - terraform destroy + terraform destroy -force + kubectl delete -f cluster-role-binding.yaml + kubectl delete -f ../cluster-role.yaml diff --git a/integrations/kubernetes-response-engine/deployment/aws/cluster-role-binding.yaml b/integrations/kubernetes-response-engine/deployment/aws/cluster-role-binding.yaml new file mode 100644 index 00000000000..5b264a23ec2 --- /dev/null +++ b/integrations/kubernetes-response-engine/deployment/aws/cluster-role-binding.yaml 
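Review bot: `terraform apply -auto-approve` in `create` and `terraform destroy -force` in `clean` remove the interactive plan confirmation for a configuration that manages IAM resources (the `lambda.tf` changes later in this series add an IAM user and a role trust policy), so a wrong variable or a stale state file now creates or tears down IAM objects with no review step. If unattended runs are the goal, a `plan` target (`terraform plan -out=tfplan` followed by `terraform apply tfplan`) keeps a reviewable artifact; otherwise the flags should be opt-in, e.g. `terraform apply $(TF_ARGS)`. The `configure` target is unchanged here but sits on the same `deploy` path: it `kubectl replace`s `configmap/aws-auth`, the object that decides who can authenticate to the EKS cluster, and `$(shell terraform output patch_for_aws_auth)` would likely expand to an empty string if the output is missing, so a comment above `configure` stating that it must only run after a successful `create` (and that a bad patch can lock operators out of the cluster) is worth adding.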
@@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: kubernetes-response-engine-cluster-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kubernetes-response-engine-cluster-role +subjects: +- kind: User + apiGroup: rbac.authorization.k8s.io + name: kubernetes-response-engine diff --git a/integrations/kubernetes-response-engine/deployment/aws/outputs.tf b/integrations/kubernetes-response-engine/deployment/aws/outputs.tf index c793c2d2e7b..0cbc8b98b40 100644 --- a/integrations/kubernetes-response-engine/deployment/aws/outputs.tf +++ b/integrations/kubernetes-response-engine/deployment/aws/outputs.tf @@ -1,7 +1,7 @@ locals { patch_for_aws_auth = < Date: Fri, 9 Nov 2018 17:45:30 +0100 Subject: [PATCH 3/6] Honor the principle of least privilege for CNCF deployment Instead of giving a lot of permissions set only the needed ones --- .../kubernetes-response-engine/deployment/cncf/Makefile | 3 ++- .../deployment/cncf/{rbac.yaml => cluster-role-binding.yaml} | 5 +++-- 2 files changed, 5 insertions(+), 3 deletions(-) rename integrations/kubernetes-response-engine/deployment/cncf/{rbac.yaml => cluster-role-binding.yaml} (60%) diff --git a/integrations/kubernetes-response-engine/deployment/cncf/Makefile b/integrations/kubernetes-response-engine/deployment/cncf/Makefile index 33d9e8b658d..87c7a3e0594 100644 --- a/integrations/kubernetes-response-engine/deployment/cncf/Makefile +++ b/integrations/kubernetes-response-engine/deployment/cncf/Makefile @@ -1,10 +1,11 @@ deploy: kubectl apply -f nats/ kubectl apply -f kubeless/ - kubectl apply -f network-policy.yaml + kubectl apply -f ../cluster-role.yaml kubectl apply -f . clean: kubectl delete -f kubeless/ kubectl delete -f nats/ kubectl delete -f . + kubectl delete -f ../cluster-role.yaml 
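Review bot: The binding is declared with `apiVersion: rbac.authorization.k8s.io/v1beta1` while the ClusterRole it references uses `rbac.authorization.k8s.io/v1` (visible in the `cncf/cluster-role.yaml` added at the end of this series, which the commit message says duplicates the shared file); the v1beta1 RBAC API is deprecated and was removed in Kubernetes 1.22, so the line should read `apiVersion: rbac.authorization.k8s.io/v1` to keep the manifests consistent and avoid an apply failure on newer clusters. The `User` subject `kubernetes-response-engine` only grants anything if it equals the username in the aws-auth entry that the Makefile's `configure` target inserts under `mapRoles:` from `outputs.tf`; that hunk is garbled in this rendering and cannot be checked here, so a comment on the subject making the coupling explicit (`# must equal the username of the mapRoles entry emitted by outputs.tf`) would prevent a silent mismatch that leaves the playbooks unauthorized.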
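Review bot: The explicit `kubectl apply -f network-policy.yaml` line is replaced by the `../cluster-role.yaml` apply rather than kept next to it, so the network policy is now applied only if the following `kubectl apply -f .` picks it up; the path is relative to this directory, so that is presumably the case, but the commit message does not say so and the hunk alone cannot show it was intended. Either restore the line or add a comment `# network-policy.yaml and cluster-role-binding.yaml are applied by "kubectl apply -f ."` so that both the policy coverage and the ordering (ClusterRole before its binding) read as deliberate.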
diff --git a/integrations/kubernetes-response-engine/deployment/cncf/rbac.yaml b/integrations/kubernetes-response-engine/deployment/cncf/cluster-role-binding.yaml similarity index 60% rename from integrations/kubernetes-response-engine/deployment/cncf/rbac.yaml rename to integrations/kubernetes-response-engine/deployment/cncf/cluster-role-binding.yaml index a97702c783f..fd5df52a5b2 100644 --- a/integrations/kubernetes-response-engine/deployment/cncf/rbac.yaml +++ b/integrations/kubernetes-response-engine/deployment/cncf/cluster-role-binding.yaml @@ -1,12 +1,13 @@ apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: - name: sysdig-kubeless + name: kubernetes-response-engine-cluster-role-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: cluster-admin + name: kubernetes-response-engine-cluster-role subjects: - kind: ServiceAccount name: default namespace: default + apiGroup: rbac.authorization.k8s.io From e15ee1d28d9cc9dd73b31f1954d0722f19dbd39a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?N=C3=A9stor=20Salceda?= Date: Fri, 9 Nov 2018 17:48:51 +0100 Subject: [PATCH 4/6] Use deploy as target instead of name Maintain consistency between deployments --- integrations/kubernetes-response-engine/deployment/aws/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/integrations/kubernetes-response-engine/deployment/aws/Makefile b/integrations/kubernetes-response-engine/deployment/aws/Makefile index 1f512c97c81..2a317ac28e5 100644 --- a/integrations/kubernetes-response-engine/deployment/aws/Makefile +++ b/integrations/kubernetes-response-engine/deployment/aws/Makefile @@ -1,4 +1,4 @@ -all: rbac create configure +deploy: rbac create configure rbac: kubectl apply -f ../cluster-role.yaml From c24fa324d2a16e40d8c1c43855e4cf8ec4e2cac8 Mon Sep 17 00:00:00 2001 
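Review bot: The `apiGroup: rbac.authorization.k8s.io` line added under the `ServiceAccount` subject is invalid: RBAC subject validation accepts that apiGroup only for `User` and `Group` subjects and requires it to be empty for `ServiceAccount`, so the API server rejects this binding and the playbooks end up with no permissions at all rather than reduced ones; drop that line (the subject needs only `kind`, `name` and `namespace`). Because the object is also renamed from `sysdig-kubeless` to `kubernetes-response-engine-cluster-role-binding`, `kubectl apply -f .` on an existing deployment creates the new binding but leaves the old `cluster-admin` binding in place, so the least-privilege goal is only met once `sysdig-kubeless` is removed explicitly (a one-off `kubectl delete clusterrolebinding sysdig-kubeless` noted in the commit message or Makefile). Binding the `default` ServiceAccount of the `default` namespace also hands these verbs to every pod that runs with that account; a dedicated ServiceAccount for the kubeless functions would narrow that further.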
From: =?UTF-8?q?N=C3=A9stor=20Salceda?= Date: Fri, 9 Nov 2018 19:23:54 +0100 Subject: [PATCH 5/6] Use a newly created system account instead of my personal one This restricts attack surface, and work better in term of automation. --- .../kubernetes-response-engine/deployment/aws/lambda.tf | 6 +++++- .../kubernetes-response-engine/deployment/aws/variables.tf | 3 --- 2 files changed, 5 insertions(+), 4 deletions(-) delete mode 100644 integrations/kubernetes-response-engine/deployment/aws/variables.tf diff --git a/integrations/kubernetes-response-engine/deployment/aws/lambda.tf b/integrations/kubernetes-response-engine/deployment/aws/lambda.tf index 375a2ef3eba..cc2f724cc3a 100644 --- a/integrations/kubernetes-response-engine/deployment/aws/lambda.tf +++ b/integrations/kubernetes-response-engine/deployment/aws/lambda.tf @@ -1,3 +1,7 @@ +resource "aws_iam_user" "kubernetes-response-engine-user" { + name = "kubernetes_response_engine" +} + resource "aws_iam_role" "iam-for-lambda" { name = "iam_for_lambda" @@ -9,7 +13,7 @@ resource "aws_iam_role" "iam-for-lambda" { "Action": "sts:AssumeRole", "Principal": { "Service": "lambda.amazonaws.com", - "AWS": "${var.iam-user-arn}" + "AWS": "${aws_iam_user.kubernetes-response-engine-user.arn}" }, "Effect": "Allow", "Sid": "" diff --git a/integrations/kubernetes-response-engine/deployment/aws/variables.tf b/integrations/kubernetes-response-engine/deployment/aws/variables.tf deleted file mode 100644 index b9fb4052477..00000000000 --- a/integrations/kubernetes-response-engine/deployment/aws/variables.tf +++ /dev/null @@ -1,3 +0,0 @@ -variable "iam-user-arn" { - type = "string" -} From 1308d7fc35a36ae0062c57cef16340162b012c5a Mon Sep 17 00:00:00 2001 
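Review bot: The trust policy of `iam_for_lambda` now lists both `lambda.amazonaws.com` and the new `kubernetes_response_engine` user as principals allowed to `sts:AssumeRole`, so anyone holding that user's credentials can act as the function's execution role rather than only as the user; if the user exists only to be mapped in the EKS `aws-auth` configmap it may not need this at all, and either way the intent deserves a comment on the `"AWS"` principal (`# the system user assumes this role to obtain the identity mapped in aws-auth — remove if unused`). Nothing in the hunk attaches a policy or access key to the user, which is the right default, but a comment stating that credentials are issued and rotated out of band would document that. IAM resolves the principal ARN to the user's unique ID when the policy is saved, so destroying and recreating the user leaves the trust policy pointing at a stale principal until it is re-applied; and since `force_destroy` is not set on `aws_iam_user`, the `terraform destroy -force` in the Makefile will fail if keys or a login profile were created manually.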
From: =?UTF-8?q?N=C3=A9stor=20Salceda?= Date: Mon, 12 Nov 2018 17:34:21 +0100 Subject: [PATCH 6/6] Put RBAC configuration together Although it duplicates some code, we prefer duplicate some code and place this files together. --- .../deployment/aws/Makefile | 4 +-- .../deployment/{ => aws}/cluster-role.yaml | 0 .../deployment/cncf/Makefile | 2 -- .../deployment/cncf/cluster-role.yaml | 25 +++++++++++++++++++ 4 files changed, 27 insertions(+), 4 deletions(-) rename integrations/kubernetes-response-engine/deployment/{ => aws}/cluster-role.yaml (100%) create mode 100644 integrations/kubernetes-response-engine/deployment/cncf/cluster-role.yaml diff --git a/integrations/kubernetes-response-engine/deployment/aws/Makefile b/integrations/kubernetes-response-engine/deployment/aws/Makefile index 2a317ac28e5..fc7c14a6f7e 100644 --- a/integrations/kubernetes-response-engine/deployment/aws/Makefile +++ b/integrations/kubernetes-response-engine/deployment/aws/Makefile @@ -1,7 +1,7 @@ deploy: rbac create configure rbac: - kubectl apply -f ../cluster-role.yaml + kubectl apply -f cluster-role.yaml kubectl apply -f cluster-role-binding.yaml create: @@ -14,4 +14,4 @@ configure: clean: terraform destroy -force kubectl delete -f cluster-role-binding.yaml - kubectl delete -f ../cluster-role.yaml + kubectl delete -f cluster-role.yaml diff --git a/integrations/kubernetes-response-engine/deployment/cluster-role.yaml b/integrations/kubernetes-response-engine/deployment/aws/cluster-role.yaml similarity index 100% rename from integrations/kubernetes-response-engine/deployment/cluster-role.yaml rename to integrations/kubernetes-response-engine/deployment/aws/cluster-role.yaml diff --git a/integrations/kubernetes-response-engine/deployment/cncf/Makefile b/integrations/kubernetes-response-engine/deployment/cncf/Makefile index 87c7a3e0594..4d72e65168a 100644 --- a/integrations/kubernetes-response-engine/deployment/cncf/Makefile 
+++ b/integrations/kubernetes-response-engine/deployment/cncf/Makefile @@ -1,11 +1,9 @@ deploy: kubectl apply -f nats/ kubectl apply -f kubeless/ - kubectl apply -f ../cluster-role.yaml kubectl apply -f . clean: kubectl delete -f kubeless/ kubectl delete -f nats/ kubectl delete -f . - kubectl delete -f ../cluster-role.yaml diff --git a/integrations/kubernetes-response-engine/deployment/cncf/cluster-role.yaml b/integrations/kubernetes-response-engine/deployment/cncf/cluster-role.yaml new file mode 100644 index 00000000000..4c76c26b995 --- /dev/null +++ b/integrations/kubernetes-response-engine/deployment/cncf/cluster-role.yaml @@ -0,0 +1,25 @@ +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: kubernetes-response-engine-cluster-role +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - delete + - list + - patch + - apiGroups: + - "" + resources: + - nodes + verbs: + - patch + - apiGroups: + - batch + resources: + - jobs + verbs: + - create
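Review bot: The rules are cluster-wide (this ClusterRole is bound through the ClusterRoleBinding in the same directory), so `pods` `delete`/`patch` and `nodes` `patch` apply to every namespace including `kube-system`, and `jobs` `create` amounts to permission to run arbitrary workloads; that is a large step down from `cluster-admin`, but each rule should carry a comment naming the playbook that needs it (`# used by: <playbook name>` on each `resources` entry) so future verbs are not added without a consumer. If the response playbooks only act in known namespaces, `pods` and `jobs` could be granted through a namespaced `Role` and only `nodes patch` left in the ClusterRole. The commit description says this file duplicates `aws/cluster-role.yaml`; a header comment `# keep in sync with ../aws/cluster-role.yaml` would limit drift between the two copies.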