chore(docs): add guide for service accounts #2761
Conversation
michelleN
commented
Aug 3, 2017
michelleN
commented
- closes Helm 2.2.3 not working properly with kubeadm 1.6.1 default RBAC rules #2224
k8s-ci-robot
added
the
cncf-cla: yes
michelleN
force-pushed
the
service-account-docs
branch
from
c76b6e8
to
b73dcc5
Compare
michelleN
force-pushed
the
service-account-docs
branch
2 times, most recently
from
0c8f151
to
e91657b
Compare
|
Thanks @jascott1! |
docs/service_accounts.md
Outdated
| @@ -0,0 +1,112 @@ | |||
| # Tiller and Service Accounts | |||
|
|
|||
| In Kubernetes, granting a role to an application-specific service account is a best practice to ensure that your application is operating in the scope that you have specified. Read more about service account permissions in Kubernetes [in the official docs](https://kubernetes.io/docs/admin/authorization/rbac/#service-account-permissions). Bitnami also has a fantastic guide for [configuring RBAC in your cluster](https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/) that takes you through RBAC basics. | |||
There was a problem hiding this comment.
Nit: Change "Read more about service account permissions in Kubernetes [in the official docs]" to "Read more about service account permissions [in the official Kubernetes docs]". Reads a little cleaner.
michelleN
force-pushed
the
service-account-docs
branch
from
e91657b
to
44303cb
Compare
michelleN
force-pushed
the
service-account-docs
branch
from
44303cb
to
f1bd1e6
Compare
| name: tiller-binding | ||
| namespace: tiller-world | ||
| subjects: | ||
| - kind: ServiceAccount |
There was a problem hiding this comment.
One problem with this approach: Those with the ability to create pods in namespace "tiller-world" can use the "tiller" service account, attaining all the privileges meant for Tiller. That may be too generous when the normal permissions afforded to users are a subset of those you'd like to grant to Tiller.
There was a problem hiding this comment.
Another concern came to mind, after writing earlier: This arrangement is vulnerable to privilege escalation attack from people with limited access to this "tiller-world" namespace.
Say that someone has the following privileges in this namespace, and only these privileges:
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: discover-tiller
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- list
- apiGroups:
- ""
resources:
- pods/portforward
verbs:
- create
# Possibly even more restrictive:
# resourceNames:
# - <name of Tiller pod>With those privileges, this person can run helm --tiller-namespace=tiller-world delete ..., or helm --tiller-namespace=tiller-world install ..., running any pods and reading any Secrets he likes within this namespace to which he wasn't supposed have any such privileges.
| name: tiller-manager | ||
| rules: | ||
| - apiGroups: ["", "extensions", "apps"] | ||
| resources: ["deployments", "replicasets", "pods", "configmaps", "secrets", "namespaces"] |
There was a problem hiding this comment.
It is strange to address the "namespaces" resource in a Role, as opposed to in a ClusterRole.
