From 792a278867f9966154f8a115db9f917d7b6d3f2d Mon Sep 17 00:00:00 2001
From: Shubham Chaudhary
Date: Thu, 25 Apr 2024 16:02:02 +0530
Subject: [PATCH] chore(rbac): Restructure RBACs to resolve secrets/cm poisoning (separate roles restriction)
Signed-off-by: Shubham Chaudhary
---
 .../manifests/cluster/1b_argo_rbac.yaml | 51 ++++++-------------
 .../cluster/2b_litmus_admin_rbac.yaml | 31 +++++++----
 .../manifests/cluster/3a_agents_rbac.yaml | 46 +++++++++++------
 .../manifests/namespace/1a_argo_rbac.yaml | 42 +++++----------
 .../namespace/2a_litmus_admin_rbac.yaml | 29 +++++++----
 .../manifests/namespace/3a_agents_rbac.yaml | 49 +++++++++++-------
 6 files changed, 130 insertions(+), 118 deletions(-)
diff --git a/chaoscenter/graphql/server/manifests/cluster/1b_argo_rbac.yaml b/chaoscenter/graphql/server/manifests/cluster/1b_argo_rbac.yaml
index 41cfdc5912b..3846bf8fd99 100644
--- a/chaoscenter/graphql/server/manifests/cluster/1b_argo_rbac.yaml
+++ b/chaoscenter/graphql/server/manifests/cluster/1b_argo_rbac.yaml
@@ -6,48 +6,27 @@ metadata: namespace: #{INFRA_NAMESPACE} --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: ClusterRoleBinding metadata: - name: chaos-cluster-role -rules: - # for managing the pods created by workflow controller to implement individual steps in the workflow - - apiGroups: [''] - resources: ['pods', 'services'] - verbs: ['create', 'get', 'watch', 'patch', 'delete', 'list'] - - apiGroups: [''] - resources: ['namespaces'] - verbs: ['get', 'watch', 'patch', 'list'] - - # for tracking & getting logs of the pods created by workflow controller to implement individual steps in the workflow - - apiGroups: [''] - resources: ['pods/log', 'pods/exec'] - verbs: ['get', 'watch', 'create', 'delete', 'patch'] - - apiGroups: [''] - resources: ['secrets', 'configmaps'] - verbs: ['get', 'watch', 'create', 'patch'] - - # for creation & deletion of application in predefined workflows - - apiGroups: ['apps'] - resources: ['deployments'] - verbs: ['delete'] - - apiGroups: ['apps'] - resources: ['deployments', 'statefulsets'] - verbs: ['get', 'watch', 'patch' , 'create'] - - # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow - - apiGroups: ["litmuschaos.io"] - resources: - ["chaosengines", "chaosexperiments", "chaosresults", "chaosschedules"] - verbs: ["create", "list", "get", "patch", "delete", "watch"] + name: argo-chaos-infra-cluster-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: infra-cluster-role +subjects: + - kind: ServiceAccount + name: argo-chaos + namespace: #{INFRA_NAMESPACE} --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: RoleBinding metadata: - name: chaos-cluster-role-binding + name: argo-chaos-ops-role-binding + namespace: #{INFRA_NAMESPACE} roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: chaos-cluster-role + kind: Role + name: infra-ops-role subjects: - kind: ServiceAccount name: argo-chaos 
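Review bot: The new ClusterRoleBinding `argo-chaos-infra-cluster-role-binding` binds `argo-chaos` to `infra-cluster-role`, which widens the workflow controller's grant instead of narrowing it: the removed `chaos-cluster-role` was limited to pods, services, namespaces, pods/log, pods/exec, deployments, statefulsets and the litmuschaos.io resources, while `infra-cluster-role` (presumably the role defined in cluster/3a_agents_rbac.yaml, whose header is not in this patch) also carries batch jobs, persistentvolumeclaims and apps.openshift.io resources per the 3a hunks below. If the goal is least privilege for the argo service account, keep a dedicated role holding the removed rule set minus the secrets/configmaps entry (which now comes from `infra-ops-role`) and bind that instead of sharing the agents' role. The same widening occurs in namespace/1a_argo_rbac.yaml, where `argo-chaos` is bound to `infra-role`. The ServiceAccount that opens this file starts outside the hunk.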
diff --git a/chaoscenter/graphql/server/manifests/cluster/2b_litmus_admin_rbac.yaml b/chaoscenter/graphql/server/manifests/cluster/2b_litmus_admin_rbac.yaml
index fc60ab50d66..854b3ecfa3e 100644
--- a/chaoscenter/graphql/server/manifests/cluster/2b_litmus_admin_rbac.yaml
+++ b/chaoscenter/graphql/server/manifests/cluster/2b_litmus_admin_rbac.yaml
@@ -11,9 +11,9 @@ metadata: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: litmus-admin + name: litmus-admin-cluster-role labels: - name: litmus-admin + name: litmus-admin-cluster-role rules: # *************************************************************************************** # Permissions needed for preparing and monitor the chaos resources by chaos-runner
@@ -30,11 +30,6 @@ rules: resources: ["events"] verbs: ["create","get","list","patch","update"] - # for fetching configmaps and secrets to inject into chaos-runner pod (if specified) - - apiGroups: [""] - resources: ["secrets", "configmaps"] - verbs: ["get", "list"] - # for tracking & getting logs of the pods created by chaos-runner to implement individual steps in the runner - apiGroups: [""] resources: ["pods/log"]
@@ -110,13 +105,29 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: litmus-admin + name: litmus-admin-cluster-role-binding labels: - name: litmus-admin + name: litmus-admin-cluster-role-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: litmus-admin + name: litmus-admin-cluster-role +subjects: + - kind: ServiceAccount + name: litmus-admin + namespace: #{INFRA_NAMESPACE} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: litmus-admin-ops-role-binding + namespace: #{INFRA_NAMESPACE} + labels: + name: litmus-admin-ops-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: infra-ops-role subjects: - kind: ServiceAccount name: litmus-admin
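Review bot: The new `litmus-admin-ops-role-binding` in the `@@ -110,13 +105,29 @@` hunk gives `litmus-admin` the whole `infra-ops-role`, which per the 3a_agents_rbac.yaml hunk in this patch allows create/delete/update/patch on secrets and create/update/patch on configmaps, whereas the rule removed in the `@@ -30,11 +30,6 @@` hunk granted only `get`/`list` on both. That is a privilege increase for the chaos-runner account, not merely a move from cluster to namespace scope, and it undercuts the "separate roles" intent in the subject line: a read-only Role with `verbs: ["get", "list"]` on those two resources (ideally narrowed with `resourceNames` to the objects the runner actually mounts) would preserve the previous grant. Note also that `infra-ops-role` has no `list` on secrets, so any listing the runner relied on under the old rule will now be denied. The same binding is added in namespace/2a_litmus_admin_rbac.yaml.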
diff --git a/chaoscenter/graphql/server/manifests/cluster/3a_agents_rbac.yaml b/chaoscenter/graphql/server/manifests/cluster/3a_agents_rbac.yaml
index 3c10b2840da..3557c63779b 100644
--- a/chaoscenter/graphql/server/manifests/cluster/3a_agents_rbac.yaml
+++ b/chaoscenter/graphql/server/manifests/cluster/3a_agents_rbac.yaml
@@ -8,11 +8,6 @@ rules: # Permissions needed for orchestration and monitoring chaos by chaos-operator and chaos-exporter # *********************************************************************************************** - # for mounting the secrets to the chaos-runner pod - - apiGroups: [ "" ] - resources: [ "secrets" ] - verbs: [ "get", "list" ] - # for deriving the owner references of the operator pod - apiGroups: [ "apps" ] resources: [ "deployments", "replicasets"]
@@ -28,9 +23,9 @@ rules: resources: [ "pods" ] verbs: ["get", "create", "update", "patch", "delete", "list", "watch", "deletecollection" ] - # for creating of events, monitoring and leader election + # for creating of events and monitoring - apiGroups: [ "" ] - resources: [ "configmaps", "events", "services" ] + resources: [ "events", "services" ] verbs: ["get", "create", "update", "patch", "list", "watch" ] # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
@@ -57,10 +52,6 @@ rules: # Permissions needed to manage and communicate between control plane and execution plane by subscriber # ******************************************************************************************************* - - apiGroups: [ "" ] - resources: [ "configmaps", "secrets" ] - verbs: [ "get", "create", "delete", "update", "patch" ] - - apiGroups: [ "batch" ] resources: [ "jobs" ] verbs: [ "get", "create", "patch", "update" ]
@@ -74,7 +65,7 @@ rules: verbs: [ "get", "list", "watch" ] - apiGroups: [ "litmuschaos.io" ] - resources: [ "chaosengines", "chaosschedules", "chaosresults" ] + resources: [ "chaosengines", "chaosschedules", "chaosresults", "chaosschedules" ] verbs: [ "get", "list", "create", "delete", "update", "watch", "patch" ] - apiGroups: [ "apps.openshift.io" ]
@@ -111,9 +102,6 @@ rules: - apiGroups: [ "" ] resources: [ "pods", "pods/exec" ] verbs: [ "create", "get", "list", "watch", "update", "patch", "delete" ] - - apiGroups: [ "" ] - resources: [ "configmaps" ] - verbs: [ "get", "watch", "list" ] - apiGroups: [ "" ] resources: [ "persistentvolumeclaims" ] verbs: [ "create", "delete" ]
@@ -163,3 +151,31 @@ subjects: - kind: ServiceAccount name: #{INFRA_SERVICE_ACCOUNT} namespace: #{INFRA_NAMESPACE} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: infra-ops-role + namespace: #{INFRA_NAMESPACE} +rules: + - apiGroups: [ "" ] + resources: [ "secrets" ] + verbs: [ "get", "create", "delete", "update", "patch" ] + + - apiGroups: [ "" ] + resources: [ "configmaps"] + verbs: ["get", "create", "update", "patch", "list", "watch" ] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: infra-ops-role-binding + namespace: #{INFRA_NAMESPACE} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: infra-ops-role +subjects: + - kind: ServiceAccount + name: #{INFRA_SERVICE_ACCOUNT} + namespace: #{INFRA_NAMESPACE}
diff --git a/chaoscenter/graphql/server/manifests/namespace/1a_argo_rbac.yaml b/chaoscenter/graphql/server/manifests/namespace/1a_argo_rbac.yaml
index f91f931b577..e577568ffa2 100644
--- a/chaoscenter/graphql/server/manifests/namespace/1a_argo_rbac.yaml
+++ b/chaoscenter/graphql/server/manifests/namespace/1a_argo_rbac.yaml
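Review bot: The rewritten resources list in the `@@ -74,7 +65,7 @@` hunk appends `"chaosschedules"`, which is already the second entry of the same list, so the edit grants nothing and reads like a typo for some other resource. Either drop the duplicate, `resources: [ "chaosengines", "chaosschedules", "chaosresults" ]`, or name the resource that was actually meant so the added permission is reviewable. The identical duplicate appears in the `@@ -68,7 +59,7 @@` hunk of namespace/3a_agents_rbac.yaml. The enclosing rules list starts and ends outside the hunk.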
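Review bot: The new `infra-ops-role` in the `@@ -163,3 +151,31 @@` hunk is the one place this file adds rules without the `# for ...` comment every other rule carries, and the reason for carving secrets/configmaps out of the cluster role is exactly what a reader of this manifest needs; a comment above `rules:` such as `# secrets and configmaps are confined to a namespaced Role so a compromised execution-plane pod cannot read or overwrite them outside #{INFRA_NAMESPACE}` would document it. Separately, this patch binds the same role to `#{INFRA_SERVICE_ACCOUNT}` here, to `argo-chaos` in 1b_argo_rbac.yaml and to `litmus-admin` in 2b_litmus_admin_rbac.yaml, so any one of those three service accounts can still rewrite the secrets and configmaps the other two consume inside the infra namespace; if the commit is meant to address that poisoning path as well, per-component roles or `resourceNames` limits on the objects each component owns are needed. The verb sets also differ between the two rules (secrets get `delete` but no `list`/`watch`, configmaps the reverse), which looks unintentional and is worth a comment if it is deliberate. The same Role and RoleBinding are added in the `@@ -157,3 +142,31 @@` hunk of namespace/3a_agents_rbac.yaml.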
@@ -6,46 +6,28 @@ metadata: namespace: #{INFRA_NAMESPACE} --- apiVersion: rbac.authorization.k8s.io/v1 -kind: Role +kind: RoleBinding metadata: - name: chaos-role + name: argo-chaos-infra-role-binding namespace: #{INFRA_NAMESPACE} -rules: - # for managing the pods created by workflow controller to implement individual steps in the workflow - - apiGroups: [""] - resources: ["pods", "services"] - verbs: ["create", "get", "watch", "patch", "delete", "list"] - - # for tracking & getting logs of the pods created by workflow controller to implement individual steps in the workflow - - apiGroups: [''] - resources: ['pods/log', 'pods/exec'] - verbs: ['get', 'watch', 'create', 'delete', 'patch'] - - apiGroups: [''] - resources: ['secrets', 'configmaps'] - verbs: ['get', 'watch', 'create', 'patch'] - - # for creation & deletion of application in predefined workflows - - apiGroups: ['apps'] - resources: ['deployments'] - verbs: ['delete'] - - apiGroups: ['apps'] - resources: ['deployments', 'statefulsets'] - verbs: ['get', 'watch', 'patch' , 'create'] - - # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow - - apiGroups: ["litmuschaos.io"] - resources: ["chaosengines", "chaosexperiments", "chaosresults", "chaosschedules"] - verbs: ["create", "list", "get", "patch", "delete", "watch"] +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: infra-role +subjects: + - kind: ServiceAccount + name: argo-chaos + namespace: #{INFRA_NAMESPACE} --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: chaos-role-binding + name: argo-chaos-ops-role-binding namespace: #{INFRA_NAMESPACE} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: chaos-role + name: infra-ops-role subjects: - kind: ServiceAccount name: argo-chaos 
diff --git a/chaoscenter/graphql/server/manifests/namespace/2a_litmus_admin_rbac.yaml b/chaoscenter/graphql/server/manifests/namespace/2a_litmus_admin_rbac.yaml
index 2d12ead082c..0bba6feda8c 100644
--- a/chaoscenter/graphql/server/manifests/namespace/2a_litmus_admin_rbac.yaml
+++ b/chaoscenter/graphql/server/manifests/namespace/2a_litmus_admin_rbac.yaml
@@ -10,10 +10,10 @@ metadata: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: litmus-admin + name: litmus-admin-role namespace: #{INFRA_NAMESPACE} labels: - name: litmus-admin + name: litmus-admin-role rules: # *************************************************************************************** # Permissions needed for preparing and monitor the chaos resources by chaos-runner
@@ -30,11 +30,6 @@ rules: resources: ["events"] verbs: ["create", "get", "list", "patch", "update"] - # for fetching configmaps and secrets to inject into chaos-runner pod (if specified) - - apiGroups: [""] - resources: ["secrets", "configmaps"] - verbs: ["get", "list"] - # for tracking & getting logs of the pods created by chaos-runner to implement individual steps in the runner - apiGroups: [""] resources: ["pods/log"]
@@ -105,14 +100,30 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: litmus-admin + name: litmus-admin-role-binding namespace: #{INFRA_NAMESPACE} labels: + name: litmus-admin-role-binding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: litmus-admin-role +subjects: + - kind: ServiceAccount name: litmus-admin + namespace: #{INFRA_NAMESPACE} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: litmus-admin-ops-role-binding + namespace: #{INFRA_NAMESPACE} + labels: + name: litmus-admin-ops-role-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: litmus-admin + name: infra-ops-role subjects: - kind: ServiceAccount name: litmus-admin
diff --git a/chaoscenter/graphql/server/manifests/namespace/3a_agents_rbac.yaml b/chaoscenter/graphql/server/manifests/namespace/3a_agents_rbac.yaml
index 49260a9c79e..f5f77cbed04 100644
--- a/chaoscenter/graphql/server/manifests/namespace/3a_agents_rbac.yaml
+++ b/chaoscenter/graphql/server/manifests/namespace/3a_agents_rbac.yaml
@@ -11,11 +11,6 @@ rules: # Permissions needed for orchestration and monitoring chaos by chaos-operator and chaos-exporter # *********************************************************************************************** - # for mounting the secrets to the chaos-runner pod - - apiGroups: [ "" ] - resources: ["secrets" ] - verbs: [ "get", "list" ] - # for deriving the owner references of the operator pod - apiGroups: [ "apps" ] resources: [ "deployments", "replicasets"]
@@ -31,9 +26,9 @@ rules: resources: [ "pods"] verbs: ["get", "create", "update", "patch", "delete", "list", "watch", "deletecollection" ] - # for creating of events, monitoring and leader election + # for creating of events and monitoring - apiGroups: [ "" ] - resources: [ "configmaps", "events", "services" ] + resources: [ "events", "services" ] verbs: ["get", "create", "update", "patch", "list", "watch" ] # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
@@ -55,10 +50,6 @@ rules: # Permissions needed to manage and communicate between control plane and execution plane by subscriber # ******************************************************************************************************* - - apiGroups: [ "" ] - resources: [ "configmaps", "secrets" ] - verbs: [ "get", "create", "delete", "update", "patch" ] - - apiGroups: [ "" ] resources: [ "pods/log" ] verbs: [ "get", "list", "watch" ]
@@ -68,7 +59,7 @@ rules: verbs: [ "get", "list", "watch" ] - apiGroups: [ "litmuschaos.io" ] - resources: [ "chaosengines", "chaosschedules", "chaosresults" ] + resources: [ "chaosengines", "chaosschedules", "chaosresults", "chaosschedules" ] verbs: [ "get", "list", "create", "delete", "update", "watch", "patch" ] - apiGroups: [ "apps.openshift.io" ]
@@ -101,9 +92,6 @@ rules: - apiGroups: [ "" ] resources: [ "pods", "pods/exec" ] verbs: [ "create", "get", "list", "watch", "update", "patch", "delete" ] - - apiGroups: [ "" ] - resources: [ "configmaps" ] - verbs: [ "get", "watch", "list" ] - apiGroups: [ "" ] resources: [ "persistentvolumeclaims" ] verbs: [ "create", "delete" ]
@@ -119,9 +107,6 @@ rules: - apiGroups: [ "" ] resources: [ "serviceaccounts" ] verbs: [ "get", "list" ] - - apiGroups: [ "" ] - resources: [ "secrets" ] - verbs: [ "get" ] - apiGroups: [ "argoproj.io" ] resources: [ "cronworkflows", "cronworkflows/finalizers" ] verbs: [ "get", "list", "watch", "update", "patch", "delete" ]
@@ -157,3 +142,31 @@ roleRef: kind: Role name: infra-role apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: infra-ops-role + namespace: #{INFRA_NAMESPACE} +rules: + - apiGroups: [ "" ] + resources: [ "secrets" ] + verbs: [ "get", "create", "delete", "update", "patch" ] + + - apiGroups: [ "" ] + resources: [ "configmaps"] + verbs: ["get", "create", "update", "patch", "list", "watch" ] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: infra-ops-role-binding + namespace: #{INFRA_NAMESPACE} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: infra-ops-role +subjects: + - kind: ServiceAccount + name: #{INFRA_SERVICE_ACCOUNT} + namespace: #{INFRA_NAMESPACE}