
Commit 392fcbf

committed
Handle secret read clusterroles
Signed-off-by: Mikkel Oscar Lyderik Larsen <[email protected]>
1 parent ff23519 commit 392fcbf


2 files changed

+29
-7
lines changed


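--- a/cluster/manifests/02-admission-control/teapot.yaml
+++ b/cluster/manifests/02-admission-control/teapot.yaml
@@ -583,4 +583,33 @@ webhooks:
 expression: '!(request.userInfo.username in ["system:kube-controller-manager", "system:kube-scheduler", "zalando-iam:zalando:service:k8sapi_credentials-provider"])'
 - name: 'exclude-eks-components'
 expression: '!request.userInfo.username.startsWith("eks:")'
+{{- if eq .Cluster.ConfigItems.role_sync_controller_enabled "true" }}
+- name: clusterrole-admitter.teapot.zalan.do
+clientConfig:
+{{- if eq .Cluster.Provider "zalando-eks"}}
+service:
+name: "admission-controller"
+namespace: "kube-system"
+path: "/node"
+{{- else }}
+url: "https://localhost:8085/clusterrole"
+{{- end }}
+caBundle: "{{ .Cluster.ConfigItems.ca_cert_decompressed }}"
+admissionReviewVersions: ["v1beta1"]
+failurePolicy: Fail
+matchPolicy: Equivalent
+sideEffects: "None"
+rules:
+- operations: [ "CREATE", "UPDATE" ]
+apiGroups: ["rbac.authorization.k8s.io"]
+apiVersions: ["v1"]
+resources: ["clusterroles"]
+matchConditions:
+- name: 'exclude-privileged-groups'
+expression: 'request.userInfo.groups.all(g, !(g in ["system:masters", "system:nodes", "system:serviceaccounts:kube-system", "okta:common/administrator", "zalando:administrator"]))'
+{{- if eq .Cluster.Provider "zalando-eks"}}
+- name: 'exclude-eks-components'
+expression: '!request.userInfo.username.startsWith("eks:")'
+{{- end }}
+{{- end }}
 {{- end }}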
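Review bot: The zalando-eks branch of clientConfig sends the new clusterrole webhook to `path: "/node"`, while the non-EKS branch calls `url: "https://localhost:8085/clusterrole"`; the service path looks copied from the node webhook and presumably should be `path: "/clusterrole"`, otherwise EKS clusters would route clusterrole admission reviews to the node handler, and with `failurePolicy: Fail` that is either a hard block on every clusterrole write or a review by logic that never inspects the clusterrole rules. The exclusions mean writes by the listed privileged groups and, on EKS, by `eks:` identities are never reviewed; that is consistent with the sibling webhook above but deserves a comment above the new entry, e.g. `# Only rendered when role_sync_controller_enabled is "true"; privileged groups and eks: identities bypass this review`. The enclosing `webhooks:` list starts outside the hunk.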

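--- a/cluster/manifests/roles/poweruser-role.yaml
+++ b/cluster/manifests/roles/poweruser-role.yaml
@@ -58,21 +58,14 @@ rules:
 - services/proxy
 verbs:
 - get
-{{ if ne .Cluster.ConfigItems.role_sync_controller_enabled "true" }}
 - apiGroups:
 - ''
 resources:
 - secrets
 verbs:
-- create
-- delete
-- deletecollection
 - get
 - list
-- patch
-- update
 - watch
-{{ end }}
 - apiGroups:
 - ''
 - extensions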
