fix(charts): least privilege on controller rbac (#421)

padok-team · Dec 6, 2024 · 0aee2c5 · 0aee2c5
1 parent 827f23f
commit 0aee2c5
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 37 deletions.
diff --git a/deploy/charts/burrito/templates/controllers.yaml b/deploy/charts/burrito/templates/controllers.yaml
@@ -143,7 +143,7 @@ metadata:
     {{- toYaml .metadata.annotations | nindent 4 }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   name: burrito-controllers
   labels:
@@ -158,22 +158,4 @@ subjects:
   - kind: ServiceAccount
     name: burrito-controllers
     namespace: {{ $.Release.Namespace }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: burrito-controllers-secrets
-  namespace: {{ $.Release.Namespace }}
-  labels:
-    {{- toYaml .metadata.labels | nindent 4 }}
-  annotations:
-    {{- toYaml .metadata.annotations | nindent 4 }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: burrito-controllers-secrets
-subjects:
-  - kind: ServiceAccount
-    name: burrito-controllers
-    namespace: {{ $.Release.Namespace }}
 {{- end }}
diff --git a/deploy/charts/burrito/templates/rbac-controllers.yaml b/deploy/charts/burrito/templates/rbac-controllers.yaml
@@ -43,6 +43,8 @@ rules:
   - list
   - create
   - update
+  - watch
+  - get
 - apiGroups:
   - config.terraform.padok.cloud
   resources:
@@ -160,21 +162,3 @@ rules:
   - update
   - patch
   - delete
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    app.kubernetes.io/component: controllers
-    app.kubernetes.io/name: burrito-controllers
-    app.kubernetes.io/part-of: burrito
-  name: burrito-controllers-secrets
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - watch
-  - list
-  - get
diff --git a/deploy/charts/burrito/templates/tenant.yaml b/deploy/charts/burrito/templates/tenant.yaml
@@ -1,3 +1,5 @@
+{{- $metadataControllers := .Values.controllers.metadata }}
+
 {{- range $tenant := .Values.tenants }}
 {{- if $tenant.namespace.create }}
 apiVersion: v1
@@ -13,6 +15,24 @@ spec:
   - kubernetes
 ---
 {{- end }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: burrito-controllers
+  labels:
+    {{- toYaml $metadataControllers.labels | nindent 4 }}
+  annotations:
+    {{- toYaml $metadataControllers.annotations | nindent 4 }}
+  namespace: {{ $tenant.namespace.name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: burrito-controllers
+subjects:
+  - kind: ServiceAccount
+    name: burrito-controllers
+    namespace: {{ $.Release.Namespace }}
+---
 # Default service account for running Burrito pods, this makes it optional to create at least one service account for each tenant
 apiVersion: v1
 kind: ServiceAccount