Be able to run flux service accounts with least privilege
samueltorres opened this issue · 0 comments
Is your feature request related to a problem?
I want to run Flux with MultiTenancy Lockdown enabled. Still, that is not enough for the security posture I'm looking for, mainly because the kustomize-controller and helm-controller service accounts have a cluster-admin ClusterRoleBinding.
I would like to run Flux with as little privilege as possible, so I don't want the Flux service accounts to become cluster admins.
Describe the solution you'd like.
This would be fixable by adding a flag to the cluster-admin ClusterRoleBinding; the problem is that, by doing that, Flux wouldn't be able to do service account impersonation due to lack of permissions.
I figured out a way to do it by just adding a cluster-reconciler-impersonator ClusterRole to the kustomize-controller and helm-controller:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-reconciler-impersonator
rules:
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["impersonate"]
```
I would add a privileged flag to the multi-tenancy section of the Flux chart, like:

```yaml
# -- Both kustomize-controller and helm-controller service accounts run privileged
# with cluster-admin ClusterRoleBinding. Disable if you want to run them with a
# minimum set of permissions.
privileged: true
```

And then give the kustomize-controller / helm-controller service accounts the cluster-admin ClusterRoleBinding if Flux runs in privileged mode, or the cluster-reconciler-impersonator ClusterRoleBinding if it runs unprivileged.
I've tested this myself and it works nicely.
Describe alternatives you've considered.
Doing a Helm post-render to remove the cluster-admin ClusterRoleBinding and making use of extraObjects to render the impersonator ClusterRole and ClusterRoleBinding.
Additional context.
No response
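A sketch of how the conditional binding proposed in this issue could be expressed as a Helm template. This is an added example, not code from the issue or from the Flux chart; it assumes a values key `multitenancy.privileged`, that the two controller service accounts live in the release namespace, and a made-up template file name.

```yaml
{{- /* templates/reconciler-rbac.yaml (hypothetical file name) */ -}}
{{- /* Assumed values key: multitenancy.privileged (default true keeps today's behaviour) */ -}}
{{- if not .Values.multitenancy.privileged }}
---
# Unprivileged mode: the controllers may only impersonate service accounts.
# What they can actually change is then bounded by the RBAC of the tenant
# service account named in each Kustomization / HelmRelease.
# Optional tightening: add a resourceNames list here to limit impersonation
# to a known set of tenant service accounts instead of every SA in the cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-reconciler-impersonator
rules:
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["impersonate"]
{{- end }}
{{- range $sa := list "kustomize-controller" "helm-controller" }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ $sa }}-reconciler
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  {{- /* $.Values is needed inside range, where "." is the loop variable */ }}
  {{- if $.Values.multitenancy.privileged }}
  name: cluster-admin
  {{- else }}
  name: cluster-reconciler-impersonator
  {{- end }}
subjects:
  - kind: ServiceAccount
    name: {{ $sa }}
    namespace: {{ $.Release.Namespace }}
{{- end }}
```

After rendering with `multitenancy.privileged=false`, `kubectl auth can-i --as=system:serviceaccount:<ns>:kustomize-controller create deployments -A` should answer no, while the same check against a tenant service account reflects only that tenant's RBAC.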