Access control for berglas-secrets-webhook available? #38

Closed
sonots opened this issue Jul 12, 2019 · 9 comments
sonots commented Jul 12, 2019

I followed https://github.com/GoogleCloudPlatform/berglas/tree/master/examples/kubernetes to set up berglas for my k8s cluster, and it seems to be working fine.

Now, I am thinking about access control for berglas-secrets-webhook. In my understanding, the cloud function is public. Do you have any plans to support access control, or do you think there is no risk even if it is public, or do you already have any access controls?

sonots (Author) commented Jul 12, 2019

I've resolved it by myself. It is still a beta feature, but I could remove public access by referring to this:
https://cloud.google.com/functions/docs/securing/managing-access

 gcloud beta functions remove-iam-policy-binding FUNCTION_NAME \
    --member="allUsers" \
    --role="roles/cloudfunctions.invoker"

@sonots sonots closed this as completed Jul 12, 2019
sonots (Author) commented Jul 15, 2019

I could remove public access, but I could not figure out which permission I should allow for the GKE master node.

I am not attaching (although I should attach) a service account to the GKE cluster, so the Google Compute Engine default service account should be attached to the GKE cluster, but

 gcloud beta functions add-iam-policy-binding FUNCTION_NAME \
    --member="google_compute_engine_default_service_account" \
    --role="roles/cloudfunctions.invoker"

did not work.

@sonots sonots reopened this Jul 15, 2019
sethvargo (Member) commented
roles/cloudfunctions.invoker is the correct IAM permission, so I'm a little bit confused. Are you sure your GKE cluster is running with the default service account? The service account should be in the format:

12345678908-compute@developer.gserviceaccount.com

 # IAM members carry a type prefix; a bare e-mail address is not accepted
 gcloud beta functions add-iam-policy-binding FUNCTION_NAME \
    --member="serviceAccount:12345678908-compute@developer.gserviceaccount.com" \
    --role="roles/cloudfunctions.invoker"

Where 12345678908 is the project number.

sonots (Author) commented Jul 15, 2019

Yes, it is what I tried.

sethvargo (Member) commented
Hi @sonots

And you're sure your cluster is using the default compute service account and not a custom one? If so, I'm not entirely sure. I just tested this on a new cluster with the default service account and invoker permissions and it's working.

sonots (Author) commented Jul 15, 2019

I am pretty sure I am using the default one.
Hmm, let me try again.

sonots (Author) commented Jul 16, 2019

It looked like berglas worked well for deployments but not for daemonsets; actually, berglas does not work for either deployments or daemonsets when I change the IAM policy bindings.


+ gcloud beta functions remove-iam-policy-binding berglas-secrets-webhook --project xxxxxxxxxx --region asia-northeast1 --member=allUsers --role=roles/cloudfunctions.invoker
etag: BwWNxL23a8c=
version: 1
+ gcloud beta functions add-iam-policy-binding berglas-secrets-webhook --project xxxxxxxxxx --region asia-northeast1 --member=serviceAccount:xxxxxxxxxxx-compute@developer.gserviceaccount.com --role=roles/cloudfunctions.invoker
bindings:
- members:
  - serviceAccount:xxxxxxxxxxxxxxx-compute@developer.gserviceaccount.com
  role: roles/cloudfunctions.invoker
etag: BwWNxL3Pw9E=
version: 1
$ kubectl get pod
datadog-agent-x95jz          1/1     Running   2          119s    172.20.1.4    gke-image-search-dev-cluste-api-pool4-ef1eb5aa-rv9s   <none>           <none>
datadog-agent-x95jz          0/1     CrashLoopBackOff   5          4m33s   172.20.1.4    gke-image-search-dev-cluste-api-pool4-ef1eb5aa-rv9s   <none>           <none>

kubectl describe pod shows that the copy-berglas-bin init container is not added.

$ kubectl describe pod datadog-agent-x95jz
[omit]
Controlled By:  DaemonSet/datadog-agent
Containers:
  datadog-agent:
    Container ID:  docker://fdbf2023cb10194b98fcea9fd856ba14604baa0de9ec481340145d020b76c580
    Image:         datadog/agent:latest
[omit]

It worked well before modifying permissions #37

$ kubectl describe pod datadog-agent-s9k6s
[omit]
Controlled By:  DaemonSet/datadog-agent
Init Containers:
  copy-berglas-bin:
    Container ID:  docker://a203b6a3e041df40e333de68ad8f3c578c00d2beadfd59ecc6229c48860648c6
    Image:         gcr.io/berglas/berglas:latest
    Image ID:      docker-pullable://gcr.io/berglas/berglas@sha256:07372fe0209b5f041eb1374c4f3e7db53fb294fbcf21cc032b9bc25ca50c5f8b
    Port:          <none>
    Host Port:     <none>
    Command:
      sh
      -c
      cp /bin/berglas /berglas/bin/
    State:          Terminated
      Reason:       Completed
      Exit Code:    0
      Started:      Mon, 15 Jul 2019 20:39:58 +0900
      Finished:     Mon, 15 Jul 2019 20:39:58 +0900
    Ready:          True
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /berglas/bin/ from berglas-bin (rw)
Containers:
  datadog-agent:
    Container ID:  docker://8aac780996413e862647f314d9d45bf19f070a9b04d0b06538ea0f5c748c32c3
    Image:         datadog/agent:latest
[omit]

sonots (Author) commented Jul 17, 2019

If you know how to debug MutatingWebhookConfiguration, please let me know.
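
The two checks a practitioner would run at this point, as an added example that is not part of this thread or of the berglas project: first, audit the function's IAM policy (the JSON that `gcloud functions get-iam-policy FUNCTION --format=json` prints) for a public invoker binding and confirm that the GKE node service account, written as `serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com`, actually holds roles/cloudfunctions.invoker; second, inspect the MutatingWebhookConfiguration for the settings under which a rejected webhook call is invisible. With `failurePolicy: Ignore` the API server admits the pod unmodified when the function answers 401/403, which is exactly the "init container not added" symptom shown above, and the API server calls a `url:` webhook directly, sending no Google identity token unless it has been configured with credentials for that endpoint. The policy JSON, the webhook object, the project number and the function URL below are all constructed placeholders.

```python
"""Offline checks for an IAM-restricted Cloud Functions admission webhook.

Added example, not berglas project code. Sample inputs are constructed.
"""
import json

INVOKER_ROLE = "roles/cloudfunctions.invoker"
PUBLIC_MEMBERS = ("allUsers", "allAuthenticatedUsers")

# Constructed sample of `gcloud functions get-iam-policy --format=json` output
# after `allUsers` was removed and the default compute SA granted invoker.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"],
     "role": "roles/cloudfunctions.invoker"}
  ],
  "etag": "BwWNxL3Pw9E=",
  "version": 1
}
"""

# Constructed sample MutatingWebhookConfiguration pointing at a function URL.
SAMPLE_WEBHOOK = {
    "apiVersion": "admissionregistration.k8s.io/v1beta1",
    "kind": "MutatingWebhookConfiguration",
    "metadata": {"name": "berglas-secrets-webhook"},
    "webhooks": [{
        "name": "berglas-secrets-webhook.example.invalid",
        "clientConfig": {"url": "https://asia-northeast1-example.cloudfunctions.net/berglas-secrets-webhook"},
        "failurePolicy": "Ignore",
        "rules": [{"operations": ["CREATE"], "apiGroups": [""],
                   "apiVersions": ["v1"], "resources": ["pods"]}],
    }],
}


def load_policy(text):
    """Parse gcloud's JSON policy output."""
    return json.loads(text)


def default_compute_sa_member(project_number):
    """IAM member string for the Compute Engine default service account.
    gcloud needs the `serviceAccount:` type prefix; a placeholder such as
    google_compute_engine_default_service_account never binds anything."""
    return "serviceAccount:%s-compute@developer.gserviceaccount.com" % project_number


def invoker_members(policy):
    """Every member bound to roles/cloudfunctions.invoker."""
    members = []
    for binding in policy.get("bindings", []):
        if binding.get("role") == INVOKER_ROLE:
            members.extend(binding.get("members", []))
    return members


def audit_policy(policy, project_number):
    """Findings for the function's policy; empty means it is private and the
    node service account (hypothetical project number) can call it."""
    findings = []
    members = invoker_members(policy)
    for m in members:
        if m in PUBLIC_MEMBERS:
            findings.append("public: %s holds %s" % (m, INVOKER_ROLE))
    expected = default_compute_sa_member(project_number)
    if expected not in members:
        findings.append("missing: %s is not bound to %s" % (expected, INVOKER_ROLE))
    for m in members:
        if m not in PUBLIC_MEMBERS and ":" not in m:
            findings.append("malformed member (no type prefix): %s" % m)
    return findings


def webhook_findings(config):
    """Flag webhook settings under which a 401/403 from the function is
    silently turned into an unmodified pod."""
    findings = []
    for wh in config.get("webhooks", []):
        name = wh.get("name", "<unnamed>")
        policy = wh.get("failurePolicy", "unset (v1beta1 default: Ignore)")
        if policy != "Fail":
            findings.append("%s: failurePolicy %s; rejected calls admit the pod unmutated. "
                            "Set failurePolicy: Fail while debugging so the error surfaces."
                            % (name, policy))
        url = wh.get("clientConfig", {}).get("url")
        if url:
            findings.append("%s: calls external URL %s; the API server sends no Google "
                            "identity token unless configured with credentials for it, "
                            "so an IAM-restricted function rejects the call." % (name, url))
    return findings


if __name__ == "__main__":
    for line in audit_policy(load_policy(SAMPLE_POLICY_JSON), "123456789012"):
        print(line)
    for line in webhook_findings(SAMPLE_WEBHOOK):
        print(line)
```

Run it against real output by piping `gcloud functions get-iam-policy berglas-secrets-webhook --region REGION --format=json` into `load_policy` and `kubectl get mutatingwebhookconfiguration berglas-secrets-webhook -o json` into `webhook_findings`; switching the webhook to `failurePolicy: Fail` temporarily makes a rejected call show up as a pod creation error instead of a silently missing init container.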

stale bot commented Jul 31, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Jul 31, 2019
@stale stale bot closed this as completed Aug 14, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Nov 12, 2019