From 4f8b85c28c5a2a18a4425066e8deb6b536011973 Mon Sep 17 00:00:00 2001
From: jbeemster
Date: Fri, 4 Aug 2023 13:58:15 +1000
Subject: [PATCH 1/2] charts/rbac-namespace-role: Create chart (closes #99)
---
 charts/rbac-namespace-role/Chart.yaml | 15 ++++
 charts/rbac-namespace-role/README.md | 78 +++++++++++++++++++
 .../rbac-namespace-role/templates/NOTES.txt | 3 +
 .../rbac-namespace-role/templates/role.yaml | 18 +++++
 .../templates/rolebinding.yaml | 13 ++++
 charts/rbac-namespace-role/values.yaml | 18 +++++
 6 files changed, 145 insertions(+)
 create mode 100644 charts/rbac-namespace-role/Chart.yaml
 create mode 100644 charts/rbac-namespace-role/README.md
 create mode 100644 charts/rbac-namespace-role/templates/NOTES.txt
 create mode 100644 charts/rbac-namespace-role/templates/role.yaml
 create mode 100644 charts/rbac-namespace-role/templates/rolebinding.yaml
 create mode 100644 charts/rbac-namespace-role/values.yaml
diff --git a/charts/rbac-namespace-role/Chart.yaml b/charts/rbac-namespace-role/Chart.yaml
new file mode 100644
index 00000000..3ec8fbe5
--- /dev/null
+++ b/charts/rbac-namespace-role/Chart.yaml
@@ -0,0 +1,15 @@
+apiVersion: v2
+name: rbac-namespace-role
+description: A helm chart to setup a role which can manage a single namespace
+version: 0.1.0
+icon: https://raw.githubusercontent.com/snowplow-devops/helm-charts/master/docs/logo/snowplow.png
+home: https://github.com/snowplow-devops/helm-charts
+sources:
+ - https://github.com/snowplow-devops/helm-charts
+maintainers:
+ - name: jbeemster
+ url: https://github.com/jbeemster
+ email: jbeemster@users.noreply.github.com
+keywords:
+ - rbac
+ - roles
diff --git a/charts/rbac-namespace-role/README.md b/charts/rbac-namespace-role/README.md
new file mode 100644
index 00000000..cf766bef
--- /dev/null
+++ b/charts/rbac-namespace-role/README.md
@@ -0,0 +1,78 @@
+# rbac-namespace-role
+
+A helm chart to setup a role which can access a single namespace.
+
+## TL;DR
+
+```bash
+kubectl create namespace isolated
+helm repo add snowplow-devops https://snowplow-devops.github.io/helm-charts
+helm install rbac-namespace-role snowplow-devops/rbac-namespace-role --namespace isolated
+```
+
+## Introduction
+
+This chart is designed to leverage the inherent isolation layer between `namespace` structures to create a role that can only interact with a single specific space. This allows you to, somewhat, safely multi-tenant a Kubernetes cluster.
+
+*Note*: By default the role created has full permissions on all apis, resources and verbs (it is assumed to be an admin role for this namespace).
+
+### Tutorial: Binding a `Role` in an EKS Cluster
+
+*Pre-requisite*: For this step you will need to ensure you have `eksctl` [installed](https://docs.aws.amazon.com/eks/latest/userguide/eksctl.html).
+
+To bind the created role you will need to already have a cluster that you can access from your CLI - you can validate this by running:
+
+```bash
+eksctl get iamidentitymapping --cluster "" --region ""
+
+# Should return something like ...
+ARN USERNAME GROUPS ACCOUNT
+arn:aws:iam::000000000000:role/some-role-name system:node:{{EC2PrivateDNSName}} system:bootstrappers,system:nodes
+```
+
+Parameters:
+
+* `group`: If you deployed the default values the `group` parameter is `isolated-group`
+* `username`: This can be anything you like!
+* `arn`: This can be either a `user` or `role` ARN
+
+```bash
+eksctl create iamidentitymapping --cluster "" --region "" \
+ --arn "" --username "" --group "isolated-group" \
+ --no-duplicate-arns
+
+# IAM Identity Mapping now includes something like ...
+arn:aws:iam::000000000000:role/some-other-role-name admin isolated-group
+```
+
+Connecting to the EKS Cluster with the defined role assumed or with a user should now allow access to the specified namespace.
+
+The [long-form guide](https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html) contains a lot of extra details if the commands here do not work.
+
+## Installing the Chart
+
+Install or upgrading the chart with default configuration:
+
+```bash
+helm upgrade --install rbac-namespace-role snowplow-devops/rbac-namespace-role --namespace isolated
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the `rbac-namespace-role` release:
+
+```bash
+helm uninstall rbac-namespace-role --namespace isolated
+kubectl delete namespace isolated
+```
+
+## Configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| role.name | string | `"isolated-admin-role"` | The name to assign to the role |
+| role.apiGroups | list | `["*"]` | APIGroups is the name of the APIGroup that contains the resources |
+| role.resources | list | `["*"]` | Resources is a list of resources this rule applies to |
+| role.verbs | list | `["*"]` | Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule |
+| roleBinding.name | string | `"isolated-admin-rolebinding"` | The name to assign to the role-binding |
+| roleBinding.groupName | string | `"isolated-group"` | The name of the group which the role-binding is assigned to |
diff --git a/charts/rbac-namespace-role/templates/NOTES.txt b/charts/rbac-namespace-role/templates/NOTES.txt
new file mode 100644
index 00000000..7a20a3d8
--- /dev/null
+++ b/charts/rbac-namespace-role/templates/NOTES.txt
@@ -0,0 +1,3 @@
+Role {{ .Values.role.name }} has been created and has access to the namespace {{ .Release.Namespace }}.
+
+A Group has been bound to this role called {{ .Values.roleBinding.groupName }} - to leverage this role you should bind users to to this group
diff --git a/charts/rbac-namespace-role/templates/role.yaml b/charts/rbac-namespace-role/templates/role.yaml
new file mode 100644
index 00000000..4798ab8d
--- /dev/null
+++ b/charts/rbac-namespace-role/templates/role.yaml
@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ .Values.role.name }}
+ namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+ {{- range $v := .Values.role.apiGroups }}
+ - {{ $v | quote }}
+ {{- end }}
+ resources:
+ {{- range $v := .Values.role.resources }}
+ - {{ $v | quote }}
+ {{- end }}
+ verbs:
+ {{- range $v := .Values.role.verbs }}
+ - {{ $v | quote }}
+ {{- end }}
diff --git a/charts/rbac-namespace-role/templates/rolebinding.yaml b/charts/rbac-namespace-role/templates/rolebinding.yaml
new file mode 100644
index 00000000..5c8cdc56
--- /dev/null
+++ b/charts/rbac-namespace-role/templates/rolebinding.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ .Values.roleBinding.name }}
+ namespace: {{ .Release.Namespace }}
+subjects:
+- kind: Group
+ name: {{ .Values.roleBinding.groupName }}
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: Role
+ name: {{ .Values.role.name }}
+ apiGroup: rbac.authorization.k8s.io
diff --git a/charts/rbac-namespace-role/values.yaml b/charts/rbac-namespace-role/values.yaml
new file mode 100644
index 00000000..216a32f7
--- /dev/null
+++ b/charts/rbac-namespace-role/values.yaml
@@ -0,0 +1,18 @@
+role:
+ # -- The name to assign to the role
+ name: "isolated-admin-role"
+ # -- APIGroups is the name of the APIGroup that contains the resources
+ apiGroups:
+ - "*"
+ # -- Resources is a list of resources this rule applies to
+ resources:
+ - "*"
+ # -- Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule
+ verbs:
+ - "*"
+
+roleBinding:
+ # -- The name to assign to the role-binding
+ name: "isolated-admin-rolebinding"
+ # -- The name of the group which the role-binding is assigned to
+ groupName: "isolated-group"
From 377d2d82bcce06700d30133e7c280a907d5af8bb Mon Sep 17 00:00:00 2001
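Review bot: `name: {{ .Values.role.name }}` and `namespace: {{ .Release.Namespace }}` under `metadata` are rendered unquoted, while every list item in the same template goes through `quote`; an all-digit value such as `123` (a valid DNS-label name, and what `--set role.name=123` yields) renders as a YAML integer rather than a string and will most likely be rejected on apply. Use `name: {{ .Values.role.name | quote }}` and `namespace: {{ .Release.Namespace | quote }}` here; the same applies to `metadata.name`, `subjects[].name` and `roleRef.name` in rolebinding.yaml. The template would also benefit from a header comment stating that the default `"*"` in all three of `apiGroups`, `resources` and `verbs` is full admin on every namespaced resource in the release namespace, Roles, RoleBindings and Secrets included, and that a Role on its own is not a tenant boundary — Pod Security admission, ResourceQuota and NetworkPolicy remain separate controls the chart does not set.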
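Review bot: The `# -- ...` comments on `apiGroups`, `resources` and `verbs` restate the Kubernetes field descriptions but do not say what the three wildcard defaults mean together, which is the one thing a user deciding whether to keep them needs to know. Suggest a comment on the `role` key such as `# -- Rule applied to the Role. The defaults ("*" everywhere) grant every verb on every namespaced resource, i.e. namespace admin; narrow these for non-admin tenants.` Because the three lists feed a single rule in role.yaml, a user also cannot express different verbs for different resources (for example read-only secrets but full deployments); if that limitation is intended, note it in the same comment so it is not mistaken for an oversight.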
From: jbeemster
Date: Fri, 4 Aug 2023 13:59:04 +1000
Subject: [PATCH 2/2] Prepared for release
---
 CHANGELOG | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/CHANGELOG b/CHANGELOG
index bbc8a476..a2b39ace 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,7 @@
+Version 0.1.36 (2023-08-04)
+---------------------------
+charts/rbac-namespace-role: Create chart (#99)
+
 Version 0.1.35 (2023-06-23)
 ---------------------------
 charts/aws-otel-collector: bump version to 0.1.4