Prevent poweruser read secret at cluster role level

Signed-off-by: Mikkel Oscar Lyderik Larsen <[email protected]>

Author: mikkeloscar

cluster/manifests/deletions.yaml

@@ -308,6 +308,11 @@ post_apply:
 - name: role-sync-controller
   kind: ServiceAccount
   namespace: kube-system
+# secret-read role/bindings
+- name: cdp-deployer-poweruser-secret-read
+  kind: ClusterRoleBinding
+- name: deployment-service-executor-poweruser-secret-read
+  kind: ClusterRoleBinding
 {{- end }}
 {{- if ne .Cluster.ConfigItems.kube_janitor_enabled "true" }}
 - name: kube-janitor

cluster/manifests/deployment-service/controller-rbac.yaml

@@ -123,6 +123,29 @@ subjects:
     name: "deployment-service-controller"
     namespace: "kube-system"
   # {{ end }}
+# {{ if eq .Cluster.ConfigItems.role_sync_controller_enabled "true" }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: "deployment-service-executor-poweruser-secret-read"
+  labels:
+    application: "deployment-service"
+    component: "controller"
+roleRef:
+  kind: ClusterRole
+  name: poweruser-secret-read
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: User
+    name: zalando-iam:zalando:service:k8sapi-local_deployment-service-executor
+  # {{ if eq .Cluster.Provider "zalando-eks" }}
+  - kind: ServiceAccount
+    name: "deployment-service-controller"
+    namespace: "kube-system"
+  # {{ end }}
+# {{ end }}
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1

cluster/manifests/roles/cdp-deployer-binding.yaml

@@ -10,3 +10,18 @@ subjects:
 - kind: ServiceAccount
   name: cdp
   namespace: default
+# {{ if eq .Cluster.ConfigItems.role_sync_controller_enabled "true" }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: cdp-deployer-poweruser-secret-read
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: poweruser-secret-read
+subjects:
+- kind: ServiceAccount
+  name: cdp
+  namespace: default
+# {{ end }}

cluster/manifests/roles/poweruser-role.yaml

@@ -58,6 +58,7 @@ rules:
   - services/proxy
   verbs:
   - get
+# {{ if ne .Cluster.ConfigItems.role_sync_controller_enabled "true" }}
 - apiGroups:
   - ''
   resources:
@@ -66,6 +67,7 @@ rules:
   - get
   - list
   - watch
+# {{ end }}
 - apiGroups:
   - ''
   - extensions
@@ -248,3 +250,19 @@ rules:
   - update
   - patch
   - delete
+# {{ if eq .Cluster.ConfigItems.role_sync_controller_enabled "true" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: poweruser-secret-read
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+# {{ end }}