helm: add least privileges logic for secrets on ceph-csi-cephfs chart
This allows the encryption KMS config to be granted secret access with a least-privileges policy. Signed-off-by: Antoine C <hi@acolombier.dev>
This commit is contained in:
parent
cc407d157e
commit
3e9b438e7c
@ -83,6 +83,16 @@ storageClass:
|
|||||||
encryptionKMSID: kubernetes
|
encryptionKMSID: kubernetes
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### Least privilege secret access
|
||||||
|
|
||||||
|
If you use the `metadata` and let RBAC created by the chart, permissions
|
||||||
|
will be given to access **only** the secret referenced in the
|
||||||
|
`encryptionKMSConfig`. This is something important to keep in mind, as a
|
||||||
|
manual change to the config to point to another secret or add further KMS
|
||||||
|
config will not be authorized. If you wish to give CephCSI a global secret
|
||||||
|
access to the cluster, you may set `rbac.leastPrivileges` to `false`, and
|
||||||
|
permissions will be granted globally via a *ClusterRole*.
|
||||||
|
|
||||||
#### Known Issues Upgrading
|
#### Known Issues Upgrading
|
||||||
|
|
||||||
- When upgrading to version >=3.7.0, you might encounter an error that the
|
- When upgrading to version >=3.7.0, you might encounter an error that the
|
||||||
@ -127,6 +137,7 @@ charts and their default values.
|
|||||||
| Parameter | Description | Default |
|
| Parameter | Description | Default |
|
||||||
| ---------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------- |
|
| ---------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------- |
|
||||||
| `rbac.create` | Specifies whether RBAC resources should be created | `true` |
|
| `rbac.create` | Specifies whether RBAC resources should be created | `true` |
|
||||||
|
| `rbac.leastPrivileges` | Specifies whether RBAC resources should be created with a restricted scope when supported (only secrets supported currently) | `true` |
|
||||||
| `serviceAccounts.nodeplugin.create` | Specifies whether a nodeplugin ServiceAccount should be created | `true` |
|
| `serviceAccounts.nodeplugin.create` | Specifies whether a nodeplugin ServiceAccount should be created | `true` |
|
||||||
| `serviceAccounts.nodeplugin.name` | The name of the nodeplugin ServiceAccount to use. If not set and create is true, a name is generated using the fullname | "" |
|
| `serviceAccounts.nodeplugin.name` | The name of the nodeplugin ServiceAccount to use. If not set and create is true, a name is generated using the fullname | "" |
|
||||||
| `serviceAccounts.provisioner.create` | Specifies whether a provisioner ServiceAccount should be created | `true` |
|
| `serviceAccounts.provisioner.create` | Specifies whether a provisioner ServiceAccount should be created | `true` |
|
||||||
|
@ -3,7 +3,6 @@ kind: ClusterRole
|
|||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
|
name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
|
||||||
namespace: {{ .Release.Namespace }}
|
|
||||||
labels:
|
labels:
|
||||||
app: {{ include "ceph-csi-cephfs.name" . }}
|
app: {{ include "ceph-csi-cephfs.name" . }}
|
||||||
chart: {{ include "ceph-csi-cephfs.chart" . }}
|
chart: {{ include "ceph-csi-cephfs.chart" . }}
|
||||||
@ -19,7 +18,7 @@ rules:
|
|||||||
- apiGroups: [""]
|
- apiGroups: [""]
|
||||||
resources: ["configmaps"]
|
resources: ["configmaps"]
|
||||||
verbs: ["get"]
|
verbs: ["get"]
|
||||||
{{- if and .Values.encryptionKMSConfig .Values.encryptionKMSConfig.secretNamespace (not (eq .Values.encryptionKMSConfig.secretNamespace .Release.Namespace)) }}
|
{{- if and .Values.encryptionKMSConfig .Values.encryptionKMSConfig.secretNamespace (not .Values.rbac.leastPrivileges) }}
|
||||||
# allow to read the encryption key used with the metadata KMS
|
# allow to read the encryption key used with the metadata KMS
|
||||||
- apiGroups: [""]
|
- apiGroups: [""]
|
||||||
resources: ["secrets"]
|
resources: ["secrets"]
|
||||||
|
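Review bot: The new ClusterRole condition (`{{- if and .Values.encryptionKMSConfig .Values.encryptionKMSConfig.secretNamespace (not .Values.rbac.leastPrivileges) }}`) fires for any `encryptionKMSType`, while the namespaced Role and RoleBinding added in this commit only render when the type is `"metadata"`. With the default `leastPrivileges: true`, a non-metadata KMS config that sets `secretNamespace` therefore gets no secret permission from either path, whereas the old condition granted it whenever `secretNamespace` differed from the release namespace. If those KMS types never need node-plugin secret access this is harmless, but it should be confirmed; otherwise either drop the `"metadata"` check from the Role/RoleBinding or add it here so the two paths agree. The rule's verbs and any `resourceNames` sit outside the hunk, so the actual breadth of the cluster-wide grant cannot be checked from this view.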
@ -1,9 +1,10 @@
|
|||||||
{{- if .Values.rbac.create -}}
|
{{- if and .Values.rbac.create .Values.rbac.leastPrivileges -}}
|
||||||
{{- if and .Values.encryptionKMSConfig .Values.encryptionKMSConfig.secretNamespace .Values.encryptionKMSConfig.secretName (eq .Values.encryptionKMSConfig.secretNamespace .Release.Namespace) -}}
|
{{- if and .Values.encryptionKMSConfig (eq .Values.encryptionKMSConfig.encryptionKMSType "metadata") .Values.encryptionKMSConfig.secretNamespace .Values.encryptionKMSConfig.secretName -}}
|
||||||
kind: Role
|
kind: Role
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
|
name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
|
||||||
|
namespace: {{ .Values.encryptionKMSConfig.secretNamespace }}
|
||||||
labels:
|
labels:
|
||||||
app: {{ include "ceph-csi-cephfs.name" . }}
|
app: {{ include "ceph-csi-cephfs.name" . }}
|
||||||
chart: {{ include "ceph-csi-cephfs.chart" . }}
|
chart: {{ include "ceph-csi-cephfs.chart" . }}
|
||||||
|
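Review bot: The Role is now created in `{{ .Values.encryptionKMSConfig.secretNamespace }}` but keeps the release-scoped name `{{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}`, so two releases of this chart in different namespaces that reference a secret in the same `secretNamespace` would produce a Role name collision there; this seems worth a comment or a namespace-qualified name if multi-release use is expected. The rules block that is supposed to restrict access to the single referenced secret lies outside the hunk, so the least-privilege claim made in the README cannot be verified here.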
@ -1,10 +1,10 @@
|
|||||||
{{- if .Values.rbac.create -}}
|
{{- if and .Values.rbac.create .Values.rbac.leastPrivileges -}}
|
||||||
{{- if and (eq .Values.encryptionKMSConfig.encryptionKMSType "metadata") (eq .Values.encryptionKMSConfig.secretNamespace .Release.Namespace) -}}
|
{{- if and .Values.encryptionKMSConfig (eq .Values.encryptionKMSConfig.encryptionKMSType "metadata") .Values.encryptionKMSConfig.secretNamespace -}}
|
||||||
kind: RoleBinding
|
kind: RoleBinding
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
|
name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
|
||||||
namespace: {{ .Release.Namespace }}
|
namespace: {{ .Values.encryptionKMSConfig.secretNamespace }}
|
||||||
labels:
|
labels:
|
||||||
app: {{ include "ceph-csi-cephfs.name" . }}
|
app: {{ include "ceph-csi-cephfs.name" . }}
|
||||||
chart: {{ include "ceph-csi-cephfs.chart" . }}
|
chart: {{ include "ceph-csi-cephfs.chart" . }}
|
||||||
|
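Review bot: The RoleBinding condition requires only `.Values.encryptionKMSConfig.secretNamespace`, while the matching Role in this commit additionally requires `.Values.encryptionKMSConfig.secretName`; when `secretNamespace` is set without `secretName`, a RoleBinding is rendered that references a Role which does not exist. Aligning the two conditions avoids the dangling binding: `{{- if and .Values.encryptionKMSConfig (eq .Values.encryptionKMSConfig.encryptionKMSType "metadata") .Values.encryptionKMSConfig.secretNamespace .Values.encryptionKMSConfig.secretName -}}`. The `roleRef`/`subjects` lines are outside the hunk, so whether they also depend on `secretName` cannot be seen here.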
@ -2,6 +2,9 @@
|
|||||||
rbac:
|
rbac:
|
||||||
# Specifies whether RBAC resources should be created
|
# Specifies whether RBAC resources should be created
|
||||||
create: true
|
create: true
|
||||||
|
# When possible try and reduce the scope of permission to only give
|
||||||
|
# access to resources defined in the config. See the README for more info
|
||||||
|
leastPrivileges: true
|
||||||
|
|
||||||
serviceAccounts:
|
serviceAccounts:
|
||||||
nodeplugin:
|
nodeplugin:
|
||||||
|
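Review bot: The comment above `leastPrivileges: true` describes what the setting does when enabled but not the consequence of disabling it, which is the security-relevant part for anyone flipping the flag. Something like `# Scope secret permissions to the secret referenced in encryptionKMSConfig` / `# (namespaced Role). Set to false to grant cluster-wide secret access` / `# through a ClusterRole instead; see the README for details.` would make that trade-off visible at the point where it is configured.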