Merge pull request #8871 from zalando-incubator/eks-secret-read-fixes

mikkeloscar · web-flow · commit b624802a8619 · 2025-03-04T13:40:00.000+01:00
Handle secret read clusterroles
diff --git a/cluster/manifests/02-admission-control/teapot.yaml b/cluster/manifests/02-admission-control/teapot.yaml
@@ -583,4 +583,33 @@ webhooks:
         expression: '!(request.userInfo.username in ["system:kube-controller-manager", "system:kube-scheduler", "zalando-iam:zalando:service:k8sapi_credentials-provider"])'
       - name: 'exclude-eks-components'
         expression: '!request.userInfo.username.startsWith("eks:")'
+  {{- if eq .Cluster.ConfigItems.role_sync_controller_enabled "true" }}
+  - name: clusterrole-admitter.teapot.zalan.do
+    clientConfig:
+      {{- if eq .Cluster.Provider "zalando-eks"}}
+      service:
+        name: "admission-controller"
+        namespace: "kube-system"
+        path: "/clusterrole"
+      {{- else }}
+      url: "https://localhost:8085/clusterrole"
+      {{- end }}
+      caBundle: "{{ .Cluster.ConfigItems.ca_cert_decompressed }}"
+    admissionReviewVersions: ["v1beta1"]
+    failurePolicy: Fail
+    matchPolicy: Equivalent
+    sideEffects: "None"
+    rules:
+      - operations: [ "CREATE", "UPDATE" ]
+        apiGroups: ["rbac.authorization.k8s.io"]
+        apiVersions: ["v1"]
+        resources: ["clusterroles"]
+    matchConditions:
+      - name: 'exclude-privileged-groups'
+        expression: 'request.userInfo.groups.all(g, !(g in ["system:masters", "system:nodes", "system:serviceaccounts:kube-system", "okta:common/administrator", "zalando:administrator"]))'
+      {{- if eq .Cluster.Provider "zalando-eks"}}
+      - name: 'exclude-eks-components'
+        expression: '!request.userInfo.username.startsWith("eks:")'
+      {{- end }}
+  {{- end }}
 {{- end }}
diff --git a/cluster/manifests/deletions.yaml b/cluster/manifests/deletions.yaml
@@ -308,6 +308,11 @@ post_apply:
 - name: role-sync-controller
   kind: ServiceAccount
   namespace: kube-system
+# secret-read role/bindings
+- name: cdp-deployer-poweruser-secret-read
+  kind: ClusterRoleBinding
+- name: deployment-service-executor-poweruser-secret-read
+  kind: ClusterRoleBinding
 {{- end }}
 {{- if ne .Cluster.ConfigItems.kube_janitor_enabled "true" }}
 - name: kube-janitor
diff --git a/cluster/manifests/deployment-service/controller-rbac.yaml b/cluster/manifests/deployment-service/controller-rbac.yaml
@@ -123,6 +123,29 @@ subjects:
     name: "deployment-service-controller"
     namespace: "kube-system"
   # {{ end }}
+# {{ if eq .Cluster.ConfigItems.role_sync_controller_enabled "true" }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: "deployment-service-executor-poweruser-secret-read"
+  labels:
+    application: "deployment-service"
+    component: "controller"
+roleRef:
+  kind: ClusterRole
+  name: poweruser-secret-read
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - apiGroup: rbac.authorization.k8s.io
+    kind: User
+    name: zalando-iam:zalando:service:k8sapi-local_deployment-service-executor
+  # {{ if eq .Cluster.Provider "zalando-eks" }}
+  - kind: ServiceAccount
+    name: "deployment-service-controller"
+    namespace: "kube-system"
+  # {{ end }}
+# {{ end }}
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/cluster/manifests/roles/cdp-deployer-binding.yaml b/cluster/manifests/roles/cdp-deployer-binding.yaml
@@ -10,3 +10,18 @@ subjects:
 - kind: ServiceAccount
   name: cdp
   namespace: default
+# {{ if eq .Cluster.ConfigItems.role_sync_controller_enabled "true" }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: cdp-deployer-poweruser-secret-read
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: poweruser-secret-read
+subjects:
+- kind: ServiceAccount
+  name: cdp
+  namespace: default
+# {{ end }}
diff --git a/cluster/manifests/roles/poweruser-role.yaml b/cluster/manifests/roles/poweruser-role.yaml
@@ -58,21 +58,16 @@ rules:
   - services/proxy
   verbs:
   - get
-{{ if ne .Cluster.ConfigItems.role_sync_controller_enabled "true" }}
+# {{ if ne .Cluster.ConfigItems.role_sync_controller_enabled "true" }}
 - apiGroups:
   - ''
   resources:
   - secrets
   verbs:
-  - create
-  - delete
-  - deletecollection
   - get
   - list
-  - patch
-  - update
   - watch
-{{ end }}
+# {{ end }}
 - apiGroups:
   - ''
   - extensions
@@ -255,3 +250,19 @@ rules:
   - update
   - patch
   - delete
+# {{ if eq .Cluster.ConfigItems.role_sync_controller_enabled "true" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: poweruser-secret-read
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+# {{ end }}
