From b9aa79fc612b0f82a26c08848bb835d61f723803 Mon Sep 17 00:00:00 2001
From: Richard Wall
Date: Tue, 12 Nov 2024 13:38:53 +0000
Subject: [PATCH] Verify the Helm chart RBAC template

Signed-off-by: Richard Wall
---
 .../templates/rbac-static.yaml | 26 ++
 .../templates/rbac.yaml | 326 ++++++++++++++++--
 examples/venafi-kubernetes-agent.yaml | 208 +++++++++++
 make/02_mod.mk | 19 +
 pkg/permissions/generate.go | 6 +-
 5 files changed, 545 insertions(+), 40 deletions(-)
 create mode 100644 deploy/charts/venafi-kubernetes-agent/templates/rbac-static.yaml
 create mode 100644 examples/venafi-kubernetes-agent.yaml

diff --git a/deploy/charts/venafi-kubernetes-agent/templates/rbac-static.yaml b/deploy/charts/venafi-kubernetes-agent/templates/rbac-static.yaml
new file mode 100644
index 00000000..09103e38
--- /dev/null
+++ b/deploy/charts/venafi-kubernetes-agent/templates/rbac-static.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-event-emitted
+ labels:
+ {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
+rules:
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-event-emitted
+ labels:
+ {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-event-emitted
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "venafi-kubernetes-agent.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
diff --git a/deploy/charts/venafi-kubernetes-agent/templates/rbac.yaml b/deploy/charts/venafi-kubernetes-agent/templates/rbac.yaml
index 1266b11f..77898439 100644
--- a/deploy/charts/venafi-kubernetes-agent/templates/rbac.yaml
+++ b/deploy/charts/venafi-kubernetes-agent/templates/rbac.yaml
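Review bot: rbac-static.yaml carries no comment saying why these two objects live apart from rbac.yaml, and a reader of the chart cannot tell from the file alone that it is deliberately outside the generator comparison: the new verify-helm-rbac target in make/02_mod.mk renders only `--show-only templates/rbac.yaml`, so nothing checks this file against `preflight agent rbac` output. A leading comment such as `# Permissions that are not derived from the data-gatherers config. This file is NOT covered by 'make verify-helm-rbac', which only compares templates/rbac.yaml against the generated manifests.` would record that split and stop someone from "fixing" the verify target to include it. The Role and RoleBinding themselves are namespace-scoped to the release namespace and grant only `create` on events, which is the right scope for an event emitter.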
@@ -1,40 +1,51 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+kind: ClusterRole
 metadata:
- name: {{ include "venafi-kubernetes-agent.fullname" . }}-event-emitted
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-node-reader
 labels:
 {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
 rules:
 - apiGroups: [""]
- resources: ["events"]
- verbs: ["create"]
+ resources: ["nodes"]
+ verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
+kind: ClusterRoleBinding
 metadata:
- name: {{ include "venafi-kubernetes-agent.fullname" . }}-event-emitted
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-node-reader
 labels:
 {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
 roleRef:
+ kind: ClusterRole
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-node-reader
 apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: {{ include "venafi-kubernetes-agent.fullname" . }}-event-emitted
 subjects:
 - kind: ServiceAccount
 name: {{ include "venafi-kubernetes-agent.serviceAccountName" . }}
 namespace: {{ .Release.Namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-secret-reader
+ labels:
+ {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: {{ include "venafi-kubernetes-agent.fullname" . }}-cluster-viewer
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-secret-reader
 labels:
 {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
 roleRef:
- apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: view
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-secret-reader
+ apiGroup: rbac.authorization.k8s.io
 subjects:
 - kind: ServiceAccount
 name: {{ include "venafi-kubernetes-agent.serviceAccountName" . }}
@@ -43,24 +54,25 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: {{ include "venafi-kubernetes-agent.fullname" . }}-node-reader
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-certificaterequests-reader
 labels:
 {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
 rules:
- - apiGroups: [""]
- resources: ["nodes"]
+ - apiGroups: ["cert-manager.io"]
+ resources:
+ - certificaterequests
 verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: {{ include "venafi-kubernetes-agent.fullname" . }}-node-reader
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-certificaterequests-reader
 labels:
 {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
 roleRef:
- kind: ClusterRole
- name: {{ include "venafi-kubernetes-agent.fullname" . }}-node-reader
 apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-certificaterequests-reader
 subjects:
 - kind: ServiceAccount
 name: {{ include "venafi-kubernetes-agent.serviceAccountName" . }}
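Review bot: The node-reader ClusterRole and ClusterRoleBinding kept at the top of this hunk have no matching data-gatherer in examples/venafi-kubernetes-agent.yaml, which is the config the new verify-helm-rbac target feeds to `preflight agent rbac`; unless the generator emits a nodes rule from something other than the gatherer list, the comparison will report these two objects as extra, and if nodes are in fact not gathered the binding is a cluster-wide read grant the agent does not need. Separately, the roleRef key order in the node-reader and the new secret-reader bindings is `kind`, `name`, `apiGroup`, while every binding from the hunk at `@@ -43,24 +54,25 @@` onward uses `apiGroup`, `kind`, `name`. The `yq` pipeline in the verify target appears to sort documents but not keys, so if the generated output uses the latter order this will surface as a spurious diff; normalising these two bindings to `apiGroup` / `kind` / `name` keeps the file consistent either way.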
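Review bot: The rewritten rule mixes two list styles: `resources:` becomes a block sequence (`- certificaterequests`) while `apiGroups` and `verbs` on the adjacent lines stay flow sequences (`["cert-manager.io"]`, `["get", "list", "watch"]`), and the core-group rules earlier in the file keep `resources: ["nodes"]` / `resources: ["secrets"]`. The same mix is repeated in the hunks at `@@ -69,24 +81,25 @@`, `@@ -95,28 +108,52 @@`, `@@ -125,26 +162,52 @@`, `@@ -153,26 +216,52 @@` and `@@ -288,3 +377,166 @@`. Since every rule now names exactly one resource, `resources: ["certificaterequests"]` would match the surrounding lines and the earlier rules. The ClusterRoleBinding's `subjects` list continues past the end of this hunk.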
@@ -69,24 +81,25 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: {{ include "venafi-kubernetes-agent.fullname" . }}-secret-reader
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-certificates-reader
 labels:
 {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
 rules:
- - apiGroups: [""]
- resources: ["secrets"]
+ - apiGroups: ["cert-manager.io"]
+ resources:
+ - certificates
 verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: {{ include "venafi-kubernetes-agent.fullname" . }}-secret-reader
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-certificates-reader
 labels:
 {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
 roleRef:
- kind: ClusterRole
- name: {{ include "venafi-kubernetes-agent.fullname" . }}-secret-reader
 apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-certificates-reader
 subjects:
 - kind: ServiceAccount
 name: {{ include "venafi-kubernetes-agent.serviceAccountName" . }}
@@ -95,28 +108,52 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: {{ include "venafi-kubernetes-agent.fullname" . }}-cert-manager-reader
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-clusterissuers-reader
 labels:
 {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
 rules:
 - apiGroups: ["cert-manager.io"]
 resources:
- - certificates
- - certificaterequests
- - issuers
 - clusterissuers
 verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: {{ include "venafi-kubernetes-agent.fullname" . }}-cert-manager-reader
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-clusterissuers-reader
 labels:
 {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
 roleRef:
+ apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: {{ include "venafi-kubernetes-agent.fullname" . }}-cert-manager-reader
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-clusterissuers-reader
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "venafi-kubernetes-agent.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-issuers-reader
+ labels:
+ {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
+rules:
+ - apiGroups: ["cert-manager.io"]
+ resources:
+ - issuers
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-issuers-reader
+ labels:
+ {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
+roleRef:
 apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-issuers-reader
 subjects:
 - kind: ServiceAccount
 name: {{ include "venafi-kubernetes-agent.serviceAccountName" . }}
@@ -125,26 +162,52 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: {{ include "venafi-kubernetes-agent.fullname" . }}-googlecas-reader
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-googlecasclusterissuers-reader
 labels:
 {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
 rules:
 - apiGroups: ["cas-issuer.jetstack.io"]
 resources:
- - googlecasissuers
 - googlecasclusterissuers
 verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: {{ include "venafi-kubernetes-agent.fullname" . }}-googlecas-reader
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-googlecasclusterissuers-reader
 labels:
 {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
 roleRef:
+ apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: {{ include "venafi-kubernetes-agent.fullname" . }}-googlecas-reader
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-googlecasclusterissuers-reader
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "venafi-kubernetes-agent.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-googlecasissuers-reader
+ labels:
+ {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
+rules:
+ - apiGroups: ["cas-issuer.jetstack.io"]
+ resources:
+ - googlecasissuers
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-googlecasissuers-reader
+ labels:
+ {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
+roleRef:
 apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-googlecasissuers-reader
 subjects:
 - kind: ServiceAccount
 name: {{ include "venafi-kubernetes-agent.serviceAccountName" . }}
@@ -153,26 +216,52 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: {{ include "venafi-kubernetes-agent.fullname" . }}-awspca-reader
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-awspcaissuers-reader
 labels:
 {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
 rules:
 - apiGroups: ["awspca.cert-manager.io"]
 resources:
 - awspcaissuers
- - awspcaclusterissuers
 verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: {{ include "venafi-kubernetes-agent.fullname" . }}-awspca-reader
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-awspcaissuers-reader
 labels:
 {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
 roleRef:
+ apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: {{ include "venafi-kubernetes-agent.fullname" . }}-awspca-reader
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-awspcaissuers-reader
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "venafi-kubernetes-agent.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-awspcaclusterissuers-reader
+ labels:
+ {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
+rules:
+ - apiGroups: ["awspca.cert-manager.io"]
+ resources:
+ - awspcaclusterissuers
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-awspcaclusterissuers-reader
+ labels:
+ {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
+roleRef:
 apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-awspcaclusterissuers-reader
 subjects:
 - kind: ServiceAccount
 name: {{ include "venafi-kubernetes-agent.serviceAccountName" . }}
@@ -288,3 +377,166 @@ subjects:
 - kind: ServiceAccount
 name: {{ include "venafi-kubernetes-agent.serviceAccountName" . }}
 namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-cronjobs-reader
+ labels:
+ {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
+rules:
+ - apiGroups: ["batch"]
+ resources:
+ - cronjobs
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-cronjobs-reader
+ labels:
+ {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-cronjobs-reader
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "venafi-kubernetes-agent.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-jobs-reader
+ labels:
+ {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
+rules:
+ - apiGroups: ["batch"]
+ resources:
+ - jobs
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-jobs-reader
+ labels:
+ {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-jobs-reader
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "venafi-kubernetes-agent.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-daemonsets-reader
+ labels:
+ {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
+rules:
+ - apiGroups: ["apps"]
+ resources:
+ - daemonsets
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-daemonsets-reader
+ labels:
+ {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-daemonsets-reader
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "venafi-kubernetes-agent.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-deployments-reader
+ labels:
+ {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
+rules:
+ - apiGroups: ["apps"]
+ resources:
+ - deployments
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-deployments-reader
+ labels:
+ {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-deployments-reader
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "venafi-kubernetes-agent.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-gateways-reader
+ labels:
+ {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
+rules:
+ - apiGroups: ["networking.istio.io"]
+ resources:
+ - gateways
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-gateways-reader
+ labels:
+ {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-gateways-reader
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "venafi-kubernetes-agent.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-ingresses-reader
+ labels:
+ {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
+rules:
+ - apiGroups: ["networking.k8s.io"]
+ resources:
+ - ingresses
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-ingresses-reader
+ labels:
+ {{- include "venafi-kubernetes-agent.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "venafi-kubernetes-agent.fullname" . }}-ingresses-reader
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "venafi-kubernetes-agent.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+---
diff --git a/examples/venafi-kubernetes-agent.yaml b/examples/venafi-kubernetes-agent.yaml
new file mode 100644
index 00000000..6f1f2b1f
--- /dev/null
+++ b/examples/venafi-kubernetes-agent.yaml
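Review bot: The hunk ends with a bare `+---` after the ingresses ClusterRoleBinding, which leaves an empty trailing YAML document in the rendered template; whether helm and the `yq '[.]'` step in verify-helm-rbac drop it or turn it into a `null` element cannot be confirmed from the patch, so ending the file after `namespace: {{ .Release.Namespace }}` removes one source of a spurious diff. Since rbac.yaml is now expected to match the generator output object for object, a header comment at the top of the file (outside this hunk) along the lines of `# One ClusterRole/ClusterRoleBinding pair per data-gatherer in templates/configmap.yaml. Checked against 'preflight agent rbac' by 'make verify-helm-rbac'; regenerate rather than hand-edit.` would tell the next editor why the per-resource layout must be kept.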
@@ -0,0 +1,208 @@
+cluster_id: "example-cluster-1"
+cluster_description: ""
+server: "https://api.venafi.cloud/"
+period: "0h1m0s"
+venafi-cloud:
+ uploader_id: "no"
+ upload_path: "/v1/tlspk/upload/clusterdata"
+data-gatherers:
+ # gather k8s apiserver version information
+ - kind: "k8s-discovery"
+ name: "k8s-discovery"
+ # pods data is used in the pods and application_versions packages
+ - kind: "k8s-dynamic"
+ name: "k8s/pods"
+ config:
+ resource-type:
+ resource: pods
+ version: v1
+ - kind: "k8s-dynamic"
+ name: "k8s/namespaces"
+ config:
+ resource-type:
+ resource: namespaces
+ version: v1
+ # gather services for pod readiness probe rules
+ - kind: "k8s-dynamic"
+ name: "k8s/services"
+ config:
+ resource-type:
+ resource: services
+ version: v1
+ # gather higher level resources to ensure data to determine ownership is present
+ - kind: "k8s-dynamic"
+ name: "k8s/deployments"
+ config:
+ resource-type:
+ version: v1
+ resource: deployments
+ group: apps
+ - kind: "k8s-dynamic"
+ name: "k8s/replicasets"
+ config:
+ resource-type:
+ version: v1
+ resource: replicasets
+ group: apps
+ - kind: "k8s-dynamic"
+ name: "k8s/statefulsets"
+ config:
+ resource-type:
+ version: v1
+ resource: statefulsets
+ group: apps
+ - kind: "k8s-dynamic"
+ name: "k8s/daemonsets"
+ config:
+ resource-type:
+ version: v1
+ resource: daemonsets
+ group: apps
+ - kind: "k8s-dynamic"
+ name: "k8s/jobs"
+ config:
+ resource-type:
+ version: v1
+ resource: jobs
+ group: batch
+ - kind: "k8s-dynamic"
+ name: "k8s/cronjobs"
+ config:
+ resource-type:
+ version: v1
+ resource: cronjobs
+ group: batch
+ - kind: "k8s-dynamic"
+ name: "k8s/ingresses"
+ config:
+ resource-type:
+ group: networking.k8s.io
+ version: v1
+ resource: ingresses
+ - kind: "k8s-dynamic"
+ name: "k8s/secrets"
+ config:
+ resource-type:
+ version: v1
+ resource: secrets
+ field-selectors:
+ - type!=kubernetes.io/service-account-token
+ - type!=kubernetes.io/dockercfg
+ - type!=kubernetes.io/dockerconfigjson
+ - type!=kubernetes.io/basic-auth
+ - type!=kubernetes.io/ssh-auth
+ - type!=bootstrap.kubernetes.io/token
+ - type!=helm.sh/release.v1
+ - kind: "k8s-dynamic"
+ name: "k8s/certificates"
+ config:
+ resource-type:
+ group: cert-manager.io
+ version: v1
+ resource: certificates
+ - kind: "k8s-dynamic"
+ name: "k8s/certificaterequests"
+ config:
+ resource-type:
+ group: cert-manager.io
+ version: v1
+ resource: certificaterequests
+ - kind: "k8s-dynamic"
+ name: "k8s/issuers"
+ config:
+ resource-type:
+ group: cert-manager.io
+ version: v1
+ resource: issuers
+ - kind: "k8s-dynamic"
+ name: "k8s/clusterissuers"
+ config:
+ resource-type:
+ group: cert-manager.io
+ version: v1
+ resource: clusterissuers
+ - kind: "k8s-dynamic"
+ name: "k8s/googlecasissuers"
+ config:
+ resource-type:
+ group: cas-issuer.jetstack.io
+ version: v1beta1
+ resource: googlecasissuers
+ - kind: "k8s-dynamic"
+ name: "k8s/googlecasclusterissuers"
+ config:
+ resource-type:
+ group: cas-issuer.jetstack.io
+ version: v1beta1
+ resource: googlecasclusterissuers
+ - kind: "k8s-dynamic"
+ name: "k8s/awspcaissuer"
+ config:
+ resource-type:
+ group: awspca.cert-manager.io
+ version: v1beta1
+ resource: awspcaissuers
+ - kind: "k8s-dynamic"
+ name: "k8s/awspcaclusterissuers"
+ config:
+ resource-type:
+ group: awspca.cert-manager.io
+ version: v1beta1
+ resource: awspcaclusterissuers
+ - kind: "k8s-dynamic"
+ name: "k8s/mutatingwebhookconfigurations"
+ config:
+ resource-type:
+ group: admissionregistration.k8s.io
+ version: v1
+ resource: mutatingwebhookconfigurations
+ - kind: "k8s-dynamic"
+ name: "k8s/validatingwebhookconfigurations"
+ config:
+ resource-type:
+ group: admissionregistration.k8s.io
+ version: v1
+ resource: validatingwebhookconfigurations
+ - kind: "k8s-dynamic"
+ name: "k8s/gateways"
+ config:
+ resource-type:
+ group: networking.istio.io
+ version: v1alpha3
+ resource: gateways
+ - kind: "k8s-dynamic"
+ name: "k8s/virtualservices"
+ config:
+ resource-type:
+ group: networking.istio.io
+ version: v1alpha3
+ resource: virtualservices
+ - kind: "k8s-dynamic"
+ name: "k8s/routes"
+ config:
+ resource-type:
+ version: v1
+ group: route.openshift.io
+ resource: routes
+ - kind: "k8s-dynamic"
+ name: "k8s/venaficlusterissuers"
+ config:
+ resource-type:
+ group: jetstack.io
+ version: v1alpha1
+ resource: venaficlusterissuers
+ - kind: "k8s-dynamic"
+ name: "k8s/venafiissuers"
+ config:
+ resource-type:
+ group: jetstack.io
+ version: v1alpha1
+ resource: venafiissuers
+ - kind: "k8s-dynamic"
+ name: "k8s/fireflyissuers"
+ config:
+ resource-type:
+ group: firefly.venafi.com
+ version: v1
+ resource: issuers
+organization_id: example-organization-1
diff --git a/make/02_mod.mk b/make/02_mod.mk
index 9a7b49ae..63c09a46 100644
--- a/make/02_mod.mk
+++ b/make/02_mod.mk
@@ -53,3 +53,22 @@ shared_generate_targets += generate-crds-venconn
 ## @category Testing
 test-e2e-gke:
 ./hack/e2e/test.sh
+
+_bin/artifacts/preflight: | $(NEEDS_GO)
+ $(GO) build -o $@ .
+
+examples/venafi-kubernetes-agent.yaml: $(helm_chart_archive) $(helm_chart_source_dir)/templates/configmap.yaml | $(NEEDS_HELM) $(NEEDS_YQ)
+ $(HELM) template --show-only templates/configmap.yaml $(helm_chart_archive) \
+ | $(YQ) '.data."config.yaml" | @yamld | .cluster_id |= "example-cluster-1" | .organization_id |= "example-organization-1"' > $@
+
+.PHONY: build
+build: _bin/artifacts/preflight
+
+.PHONY: generate-example-venafi-kubernetes-agent
+generate-example-venafi-kubernetes-agent: examples/venafi-kubernetes-agent.yaml
+
+.PHONY: generate-helm-rbac
+verify-helm-rbac: _bin/artifacts/preflight examples/venafi-kubernetes-agent.yaml | $(NEEDS_HELM)
+ diff -u \
+ <($(HELM) template deploy/charts/venafi-kubernetes-agent --show-only templates/rbac.yaml --namespace venafi --set fullnameOverride=venafi-kubernetes-agent | grep -v '# Source: ' | yq 'del(.metadata.labels)' | yq '[.]' | yq 'sort_by(.metadata.name)' -o yaml -P) \
+ <(_bin/artifacts/preflight agent rbac -c examples/venafi-kubernetes-agent.yaml | yq '[.]' | yq 'sort_by(.metadata.name)' -o yaml -P)
diff --git a/pkg/permissions/generate.go b/pkg/permissions/generate.go
index 7e3ab08e..35352743 100644
--- a/pkg/permissions/generate.go
+++ b/pkg/permissions/generate.go
@@ -22,8 +22,8 @@ type AgentRBACManifests struct { RoleBindings []rbac.RoleBinding } -const agentNamespace = "jetstack-secure" -const agentSubjectName = "agent" +const agentNamespace = "venafi" +const agentSubjectName = "venafi-kubernetes-agent" func GenerateAgentRBACManifests(dataGatherers []agent.DataGatherer) AgentRBACManifests { // create a new AgentRBACManifest struct
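Review bot: `.PHONY: generate-helm-rbac` names a target that does not exist; the rule it precedes is `verify-helm-rbac`, so that target is not marked phony and a stray file called verify-helm-rbac in the repo root would make the check a silent no-op. It should read `.PHONY: verify-helm-rbac`. The same recipe calls bare `yq` and the literal path `_bin/artifacts/preflight` while the examples rule just above pins `$(YQ)` and lists `$(NEEDS_YQ)` as an order-only prerequisite; using `| $(NEEDS_HELM) $(NEEDS_YQ)` and `$(YQ)` here keeps the tool versions consistent between the two rules. The `<(...)` process substitutions also depend on a bash `SHELL`, which this hunk does not show being set for the file.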
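Review bot: The new constant values are coupled to the helm invocation in make/02_mod.mk (`--namespace venafi --set fullnameOverride=venafi-kubernetes-agent`) and to the object-name prefix built in GenerateAgentRBACManifests, but nothing at the declaration records that. A comment above the pair such as `// agentNamespace and agentSubjectName must match the --namespace and fullnameOverride that the verify-helm-rbac make target passes to helm template; the chart's rbac.yaml is compared against this output.` would make the dependency visible to whoever changes them next. GenerateAgentRBACManifests begins at the end of this hunk and continues past it.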
@@ -35,7 +35,7 @@ func GenerateAgentRBACManifests(dataGatherers []agent.DataGatherer) AgentRBACMan } dyConfig := dg.Config.(*k8s.ConfigDynamic) - metadataName := fmt.Sprintf("%s-agent-%s-reader", agentNamespace, dyConfig.GroupVersionResource.Resource) + metadataName := fmt.Sprintf("%s-kubernetes-agent-%s-reader", agentNamespace, dyConfig.GroupVersionResource.Resource) AgentRBACManifests.ClusterRoles = append(AgentRBACManifests.ClusterRoles, rbac.ClusterRole{ TypeMeta: metav1.TypeMeta{
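Review bot: `metadataName` is derived from `dyConfig.GroupVersionResource.Resource` alone, so two gatherers whose resources share a name in different API groups produce ClusterRoles and ClusterRoleBindings with identical names; examples/venafi-kubernetes-agent.yaml in this patch has exactly such a pair (`cert-manager.io` issuers and `firefly.venafi.com` issuers), and the generated output would then contain two `venafi-kubernetes-agent-issuers-reader` objects of which only one can exist in the cluster, dropping the other group's read rule. Whether the chart's `-issuers-reader` block (hunk `@@ -95,28 +108,52 @@`) is meant to stand for both cannot be seen from here, but the generator should disambiguate, e.g. by folding the group into the name when it is non-empty or merging the rules of same-named resources into one ClusterRole. The rename also makes `agentNamespace` double as a name prefix; `metadataName := fmt.Sprintf("%s-%s-reader", agentSubjectName, dyConfig.GroupVersionResource.Resource)` yields the same string with the constants in this patch and keeps object names independent of the namespace constant. GenerateAgentRBACManifests starts and ends outside this hunk.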