Open mitchdraft opened 5 years ago
Also restrict squash to creating debugger pods in the squash-debugger namespace only.
I had some success deploying squash with the following. Also removes the ability to create service accounts, cluster roles, and cluster role bindings.
The next big question, I would ask, is does plank really need to be able to use all verbs over customresourcedefinitions? Is allowing plank to manage the debugattachments really not enough?
---
# Namespace - squash-debugger
apiVersion: v1
kind: Namespace
metadata:
name: squash-debugger
---
# Deployment - Squash
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
annotations:
deployment.kubernetes.io/revision: "1"
labels:
app: squash
name: squash
namespace: squash-debugger
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app: squash
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
creationTimestamp: null
labels:
app: squash
spec:
containers:
- env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: HOST_ADDR
value: $(POD_NAME).$(POD_NAMESPACE)
- name: NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
image: soloio/squash:dev
imagePullPolicy: IfNotPresent
name: squash
ports:
- containerPort: 1234
name: http
protocol: TCP
resources: {}
securityContext:
privileged: true
procMount: Default
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /var/run/cri.sock
name: crisock
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
serviceAccount: squash
serviceAccountName: squash
terminationGracePeriodSeconds: 30
volumes:
- hostPath:
path: /var/run/dockershim.sock
type: ""
name: crisock
---
# Service Account - Squash
apiVersion: v1
kind: ServiceAccount
metadata:
name: squash
namespace: squash-debugger
---
# Role Binding - Squash
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: squash-rb-pods
namespace: squash-debugger
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: squash-r-pods
subjects:
- kind: ServiceAccount
name: squash
namespace: squash-debugger
---
# Role - Squash
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: squash-debugger
name: squash-r-pods
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
- create
- delete
---
# Cluster Role Binding - Squash
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: squash-crb-pods
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: squash-cr-pods
subjects:
- kind: ServiceAccount
name: squash
namespace: squash-debugger
---
# Cluster Role - Squash
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: squash-cr-pods
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- list
- apiGroups:
- squash.solo.io
resources:
- debugattachments
verbs:
- get
- list
- watch
- create
- update
- delete
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- list
- watch
- create
- update
- delete
- register
---
# Service Account - Plank
apiVersion: v1
kind: ServiceAccount
metadata:
name: squash-plank
namespace: squash-debugger
---
# Role Binding - Plank
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: squash-plank-rb
namespace: squash-debugger
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: squash-plank-r
subjects:
- kind: ServiceAccount
name: squash-plank
namespace: squash-debugger
---
# Role - Plank
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: squash-plank-r
namespace: squash-debugger
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
- create
- delete
---
# Cluster Role Binding - Plank
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: squash-plank-crb
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: squash-plank-cr
subjects:
- kind: ServiceAccount
name: squash-plank
namespace: squash-debugger
---
# Cluster Role - Plank
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: squash-plank-cr
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- list
- apiGroups:
- squash.solo.io
resources:
- debugattachments
verbs:
- get
- list
- watch
- create
- update
- delete
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- list
- watch
- create
- update
- delete
I think you can remove the crd permissions on plank if you are in secure mode. This should be enough when using secure-mode:
# Cluster Role - Plank
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: squash-plank-cr
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- list
- apiGroups:
- squash.solo.io
resources:
- debugattachments
verbs:
- get
- list
- watch
- update
- delete
Thank you very much again for your help @mitchdraft. Sorry to be a bother again, but I missed this one before. Could the squash cluster role also possibly drop permissions for clusterwide CRDs in secure mode as well?
# Cluster Role - Squash
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: squash-cr-pods
rules:
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- list
- watch
- create
- update
- delete
- register
Yes, good observation, all of those crd permissions can be dropped. I think the docs need to be updated since a recent change. Now secure mode requires you to register the DebugAttachment
crd yourself, which you can do with:
squashctl utils register-resource
@mitchdraft Thanks again for the help!
can privileged status be removed? Does squash still need the ability to create serviceaccounts, clusterroles and clusterrolebindings?