From 7a42d149a4252887ba742eb662e3b7c65434ea5c Mon Sep 17 00:00:00 2001
From: shreddedbacon
Date: Tue, 3 Dec 2024 20:17:38 +1100
Subject: [PATCH] chore: more rbac proxy

---
 config/manager/manager.yaml | 3 ++-
 config/rbac/kustomization.yaml | 21 +++++++++++++------
 config/rbac/leader_election_role.yaml | 9 ++++++--
 config/rbac/leader_election_role_binding.yaml | 4 ++--
 ...proxy_role.yaml => metrics_auth_role.yaml} | 14 ++++++++++++-
 ...ng.yaml => metrics_auth_role_binding.yaml} | 8 +++----
 config/rbac/metrics_reader_role.yaml | 9 ++++++++
 config/rbac/role_binding.yaml | 2 +-
 config/rbac/service_account.yaml | 8 +++++++
 9 files changed, 61 insertions(+), 17 deletions(-)
 rename config/rbac/{auth_proxy_role.yaml => metrics_auth_role.yaml} (55%)
 rename config/rbac/{auth_proxy_role_binding.yaml => metrics_auth_role_binding.yaml} (62%)
 create mode 100644 config/rbac/metrics_reader_role.yaml
 create mode 100644 config/rbac/service_account.yaml

diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index 7cb12c2b..d31e119c 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -32,5 +32,6 @@ spec:
 resources:
 requests:
 cpu: 100m
- memory: 20Mi
+ memory: 400Mi
+ serviceAccountName: controller-manager
 terminationGracePeriodSeconds: 10
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
index 817f1fe6..3577dde2 100644
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/kustomization.yaml
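Review bot: The memory request in the `requests:` block jumps from 20Mi to 400Mi with nothing in the commit message (`chore: more rbac proxy`) or the file explaining it; if the point of this series is to drop the kube-rbac-proxy sidecar in favour of in-process metrics auth, the manager should need no more memory than before, so this reads like a scaffold value carried over rather than a measured one. The container's `limits:` stanza, if it has one, sits above the hunk and is not visible here, so also confirm the new request does not exceed the limit, which the API server rejects outright. Either revert to a measured value or add `# 400Mi: measured peak RSS under <workload>, see <issue>` above the line. The `serviceAccountName: controller-manager` addition is correct and is what the reworked binding subjects in this patch depend on.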
@@ -1,11 +1,20 @@
 resources:
+# All RBAC will be applied under this service account in
+# the deployment namespace. You may comment out this resource
+# if your manager will use a service account that exists at
+# runtime. Be sure to update RoleBinding and ClusterRoleBinding
+# subjects if changing service account names.
+- service_account.yaml
 - role.yaml
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
-# Comment the following 3 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
+# The following RBAC configurations are used to protect
+# the metrics endpoint with authn/authz. These configurations
+# ensure that only authorized users and service accounts
+# can access the metrics endpoint. Comment the following
+# permissions if you want to disable this protection.
+# More info: https://book.kubebuilder.io/reference/metrics.html
+- metrics_auth_role.yaml
+- metrics_auth_role_binding.yaml
+- metrics_reader_role.yaml
\ No newline at end of file
diff --git a/config/rbac/leader_election_role.yaml b/config/rbac/leader_election_role.yaml
index eaa79158..1e4984e7 100644
--- a/config/rbac/leader_election_role.yaml
+++ b/config/rbac/leader_election_role.yaml
@@ -17,16 +17,21 @@ rules:
 - patch
 - delete
 - apiGroups:
- - ""
+ - coordination.k8s.io
 resources:
- - configmaps/status
+ - leases
 verbs:
 - get
+ - list
+ - watch
+ - create
 - update
 - patch
+ - delete
 - apiGroups:
 - ""
 resources:
 - events
 verbs:
 - create
+ - patch
\ No newline at end of file
diff --git a/config/rbac/leader_election_role_binding.yaml b/config/rbac/leader_election_role_binding.yaml
index eed16906..4a7819cf 100644
--- a/config/rbac/leader_election_role_binding.yaml
+++ b/config/rbac/leader_election_role_binding.yaml
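Review bot: The new comment block claims these manifests `ensure that only authorized users and service accounts can access the metrics endpoint`, but RBAC alone cannot enforce that: `metrics_auth_role.yaml` only lets the manager's service account create TokenReviews and SubjectAccessReviews, and the actual check has to run inside the manager process (in the kubebuilder v4 layout that is controller-runtime's `filters.WithAuthenticationAndAuthorization`, switched on by `--metrics-secure` in `main.go`). Neither `main.go` nor `config/default` (where the kube-rbac-proxy sidecar patch and the metrics flags normally live) appears in the diffstat, so once the proxy is gone /metrics may be served with no authentication at all — please confirm that wiring already exists or land it in the same change. `auth_proxy_service.yaml` is also removed from `resources` without being deleted, leaving an orphaned manifest, and nothing here replaces the Service that exposed the metrics port. I would tone the comment down to `# These roles let the manager authenticate and authorize metrics clients; enforcement only happens if the manager runs with --metrics-secure`.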
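Review bot: The new `coordination.k8s.io/leases` rule grants `list`, `watch` and `delete` alongside `get`/`create`/`update`/`patch`, but leader election only ever gets, creates and updates a single named Lease, so the extra verbs are more than this role needs (the kubebuilder scaffold ships them, but nothing visible here uses them). The rule ending in `- patch`/`- delete` at the top of the hunk has its resource above the visible lines; if it is the old `configmaps` rule it is dead weight now that the lock lives in Leases, unless the manager is deliberately run in a configmaps-plus-leases migration mode — worth confirming before the patch lands. A minimal lease rule would be `verbs: [get, create, update]`.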
@@ -8,5 +8,5 @@ roleRef:
 name: leader-election-role
 subjects:
 - kind: ServiceAccount
- name: default
- namespace: system
+ name: controller-manager
+ namespace: system
\ No newline at end of file
diff --git a/config/rbac/auth_proxy_role.yaml b/config/rbac/metrics_auth_role.yaml
similarity index 55%
rename from config/rbac/auth_proxy_role.yaml
rename to config/rbac/metrics_auth_role.yaml
index 618f5e41..5a503734 100644
--- a/config/rbac/auth_proxy_role.yaml
+++ b/config/rbac/metrics_auth_role.yaml
@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: proxy-role
+ name: metrics-auth-role
 rules:
 - apiGroups: ["authentication.k8s.io"]
 resources:
@@ -11,3 +11,15 @@ rules:
 resources:
 - subjectaccessreviews
 verbs: ["create"]
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
\ No newline at end of file
diff --git a/config/rbac/auth_proxy_role_binding.yaml b/config/rbac/metrics_auth_role_binding.yaml
similarity index 62%
rename from config/rbac/auth_proxy_role_binding.yaml
rename to config/rbac/metrics_auth_role_binding.yaml
index 48ed1e4b..c59a8024 100644
--- a/config/rbac/auth_proxy_role_binding.yaml
+++ b/config/rbac/metrics_auth_role_binding.yaml
@@ -1,12 +1,12 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: proxy-rolebinding
+ name: metrics-auth-rolebinding
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: proxy-role
+ name: metrics-auth-role
 subjects:
 - kind: ServiceAccount
- name: default
- namespace: system
+ name: controller-manager
+ namespace: system
\ No newline at end of file
diff --git a/config/rbac/metrics_reader_role.yaml b/config/rbac/metrics_reader_role.yaml
new file mode 100644
index 00000000..50fbca54
--- /dev/null
+++ b/config/rbac/metrics_reader_role.yaml
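Review bot: The second hunk of `metrics_auth_role.yaml` appends `tokenreviews/create` and `subjectaccessreviews/create` rules that the file already grants in flow style — the first hunk shows the `["authentication.k8s.io"]` rule and the context lines of the second show the `subjectaccessreviews` one — so the ClusterRole now carries each rule twice. RBAC unions rules, so nothing extra is granted, but duplicates invite drift when one copy is later edited and the other forgotten. Drop the twelve added lines, or replace the original flow-style rules with the new block-style ones so there is exactly one rule per resource; either way `metrics-auth-role` stays correctly limited to the two review APIs.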
@@ -0,0 +1,9 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: metrics-reader
+rules:
+- nonResourceURLs:
+ - "/metrics"
+ verbs:
+ - get
\ No newline at end of file
diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml
index 8f265870..2070ede4 100644
--- a/config/rbac/role_binding.yaml
+++ b/config/rbac/role_binding.yaml
@@ -8,5 +8,5 @@ roleRef:
 name: manager-role
 subjects:
 - kind: ServiceAccount
- name: default
+ name: controller-manager
 namespace: system
diff --git a/config/rbac/service_account.yaml b/config/rbac/service_account.yaml
new file mode 100644
index 00000000..d9ceb1cd
--- /dev/null
+++ b/config/rbac/service_account.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: project-v4
+ app.kubernetes.io/managed-by: kustomize
+ name: controller-manager
+ namespace: system
\ No newline at end of file
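Review bot: `metrics-reader` is created but nothing in this patch binds it, and the file says nothing about who it is for, so as landed it is a no-op until someone creates a ClusterRoleBinding to the scraping identity — and a reader who does not know that tends to bind it far too widely. A header comment would fix both: `# Not bound by default. Bind this ClusterRole to the identity that scrapes /metrics (e.g. the Prometheus ServiceAccount) once the manager enforces authn/authz on the endpoint.` The rule itself (`nonResourceURLs: ["/metrics"]`, verb `get`) is the minimal grant and, presumably, matches what the manager's SubjectAccessReview asks for — worth a one-line confirmation against the manager's filter configuration.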
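Review bot: The new ServiceAccount carries `app.kubernetes.io/name: project-v4`, which is the kubebuilder scaffold placeholder rather than this project's name, and none of the other hunks in this patch shows that value on any resource. It has no effect on RBAC but will mislead anyone selecting or inventorying workloads by label; set it to the real project name or drop it, keeping `app.kubernetes.io/managed-by: kustomize`. Several files in this patch, this one included, also end without a trailing newline (`\ No newline at end of file`); a yamllint `new-line-at-end-of-file` check in CI would keep that consistent going forward.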