allow secret access permissions in release namespace only

Signed-off-by: rksharma95 <[email protected]>
kubearmor · Apr 17, 2024 · 1f0c864 · 1f0c864
1 parent f2ccb43
commit 1f0c864
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 2 deletions.
diff --git a/deployments/helm/KubeArmorOperator/templates/clusterrole-binding-rbac.yaml b/deployments/helm/KubeArmorOperator/templates/clusterrole-binding-rbac.yaml
@@ -25,6 +25,20 @@ subjects:
   namespace: {{ .Release.Namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Values.kubearmorOperator.name }}-tls-secrets-rolebinding
+  namespace: {{.Release.Namespace}}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ .Values.kubearmorOperator.name }}-tls-secrets-role
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.kubearmorOperator.name }}
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: {{ .Values.kubearmorOperator.name }}-manage-controller-clusterrole-binding

diff --git a/deployments/helm/KubeArmorOperator/templates/clusterrole-rbac.yaml b/deployments/helm/KubeArmorOperator/templates/clusterrole-rbac.yaml
@@ -21,7 +21,6 @@ rules:
 - apiGroups:
   - ""
   resources:
-  - secrets
   - serviceaccounts
   - services
   - configmaps
@@ -214,4 +213,32 @@ rules:
 - nonResourceURLs:
   - /metrics
   verbs:
-  - get  
+  - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Values.kubearmorOperator.name }}-tls-secrets-role
+  namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - update
+  - delete
+  resourceNames:
+  - {{ .Values.tlsSecrets.kubearmorCa }}
+  - {{ .Values.tlsSecrets.kubearmorClient }}
+  - {{ .Values.tlsSecrets.relayServer }}
+  - {{ .Values.tlsSecrets.controllerWebhook }}
+# cannot restric create by resource name, https://kubernetes.io/docs/reference/access-authn-authz/rbac/  
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - create
+---
diff --git a/deployments/helm/KubeArmorOperator/values.yaml b/deployments/helm/KubeArmorOperator/values.yaml
@@ -16,3 +16,12 @@ kubearmorConfig:
   enableStdOutAlerts: false
   enableStdOutMsgs: false
   seccompEnabled: true
+
+# DO NOT CHANGE THIS VALUES 
+# changing these values will require code changes with the operator
+# these secret names should match with the secrets managed by the operator
+tlsSecrets:
+  kubearmorCa: kubearmor-ca
+  kubearmorClient: kubearmor-client-certs
+  relayServer: kubearmor-relay-server-certs
+  controllerWebhook: kubearmor-controller-webhook-server-cert