Least privilege for Kubernetes outposts (on OpenShift) #305

@jennydaman

Description

I got the Kubernetes outposts integration working on OpenShift. Setting serviceAccount.create=true doesn't work:

*** is attempting to grant RBAC permissions not currently held:
  {APIGroups:["apiextensions.k8s.io"], Resources:["customresourcedefinitions"], Verbs:["list"]}
  {APIGroups:["traefik.containo.us"], Resources:["middlewares"], Verbs:["get" "create" "delete" "list" "patch"]}
  {APIGroups:["traefik.io"], Resources:["middlewares"], Verbs:["get" "create" "delete" "list" "patch"]}

Those permissions don't seem necessary, so I manually created the ServiceAccount+Role+RoleBinding. See FNNDSC/NERC@ab7eb25#diff-d436a15e1ce6b1359f8b2ac7b0dd7b61f1a96b28a6d0de3a70c75a3fbc73f817

Things seem to be working. Would it be possible to review the rules here?

rules:
  - apiGroups:
      - ""
    resources:
      - secrets
      - services
      - configmaps
    verbs:
      {{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
  - apiGroups:
      - extensions
      - apps
    resources:
      - deployments
    verbs:
      {{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      {{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
  - apiGroups:
      - traefik.containo.us
      - traefik.io
    resources:
      - middlewares
    verbs:
      {{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
  - apiGroups:
      - monitoring.coreos.com
    resources:
      - servicemonitors
    verbs:
      {{- include "authentik-remote-cluster.api-verbs-rw" . | nindent 6 }}
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - list

It would be great if unnecessary rules can be removed, and optional roles made optional via values.
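Added example (not part of the issue above and not code from the authentik chart): a small Python audit that flattens a Role's PolicyRules into concrete (apiGroup, resource, verb) grants and diffs them against the grants a workload is known to need, so that rules which only add surface area stand out. It assumes the chart's `api-verbs-rw` helper expands to the five verbs shown in the OpenShift error, and it assumes, purely for illustration, that the outpost needs every grant in the posted Role except the CRD `list` and traefik `middlewares` ones; both assumptions are marked in the code.

```python
"""Least-privilege audit for a Kubernetes Role: flatten its PolicyRules into
concrete (apiGroup, resource, verb) grants and diff them against the grants a
workload is known to need.  Added example, not code from the authentik chart."""
from itertools import product

# Assumption: the chart's "api-verbs-rw" helper expands to these verbs
# (taken from the verb list in the OpenShift error quoted in the issue).
RW_VERBS = ["get", "create", "delete", "list", "patch"]

# Constructed sample: the Role from the issue, as it would render.
ROLE_RULES = [
    {"apiGroups": [""], "resources": ["secrets", "services", "configmaps"], "verbs": RW_VERBS},
    {"apiGroups": ["extensions", "apps"], "resources": ["deployments"], "verbs": RW_VERBS},
    {"apiGroups": ["extensions", "networking.k8s.io"], "resources": ["ingresses"], "verbs": RW_VERBS},
    {"apiGroups": ["traefik.containo.us", "traefik.io"], "resources": ["middlewares"], "verbs": RW_VERBS},
    {"apiGroups": ["monitoring.coreos.com"], "resources": ["servicemonitors"], "verbs": RW_VERBS},
    {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"], "verbs": ["list"]},
]


def flatten(rules):
    """Expand PolicyRules into the set of concrete (group, resource, verb) grants.
    A rule with N groups, M resources and K verbs grants N*M*K triples."""
    grants = set()
    for rule in rules:
        groups = rule.get("apiGroups") or [""]
        for g, r, v in product(groups, rule["resources"], rule["verbs"]):
            grants.add((g, r, v))
    return grants


def covers(grants, want):
    """True if some held grant covers the wanted triple; '*' matches anything."""
    g, r, v = want
    return any(gg in ("*", g) and rr in ("*", r) and vv in ("*", v)
               for gg, rr, vv in grants)


def audit(rules, required):
    """Return (missing, excess): required triples the Role does not cover, and
    held triples no requirement asks for (candidates to drop or make optional)."""
    held = flatten(rules)
    missing = {t for t in required if not covers(held, t)}
    excess = {t for t in held if t not in required}
    return missing, excess


def group_by_resource(triples):
    """Collapse triples back to {(group, resource): sorted verbs} for a readable report."""
    out = {}
    for g, r, v in triples:
        out.setdefault((g, r), set()).add(v)
    return {k: sorted(vs) for k, vs in out.items()}


# Assumption for illustration only: the outpost needs every grant in the Role
# except the ones the OpenShift error listed (CRD list and traefik middlewares).
REQUIRED = flatten([r for r in ROLE_RULES
                    if r["resources"] not in (["middlewares"], ["customresourcedefinitions"])])

if __name__ == "__main__":
    missing, excess = audit(ROLE_RULES, REQUIRED)
    print("missing:", group_by_resource(missing))
    print("excess: ", group_by_resource(excess))
    # A wildcard Role covers every requirement but is itself pure excess.
    wild = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]
    print("wildcard:", audit(wild, REQUIRED))
```

The `excess` set is the list of rules worth gating behind a values flag; the `missing` set is what would break if a rule were dropped. Feed `flatten` the output of `kubectl get role <name> -o json` (the `.rules` field) to run it against a live cluster rather than the constructed sample.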
