solo-io / squash

The debugger for microservices
https://squash.solo.io
Apache License 2.0

Discussion: Debugging User Requires too Many Permissions #242

Open orlando-jamie opened 4 years ago

orlando-jamie commented 4 years ago

Trying to understand the bare minimum Kubernetes permissions to grant a user to allow them to debug a namespace in a cluster.

From reading the secureMode architecture, it strikes me that a user would really only need the following permissions to functionally debug as a bare minimum requirement.

```yaml
# User needs to inspect and port forward to pods in the squash-debugger namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: debug-user-squash-role
  namespace: "squash-debugger"
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
- apiGroups:
  - ""
  resources:
  - "pods/portforward"
  verbs:
  - "get"
  - "list"
  - "create"

---
# User needs to inspect pods and create DebugAttachment CRDs in the namespace to be debugged
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: debug-user-role
  namespace: "<THIS IS THE NAMESPACE I WANT TO DEBUG>"
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
- apiGroups:
  - squash.solo.io
  resources:
  - debugattachments
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
```

However, in the following snippet, it seems that squashctl tries to ensure that squash is installed in the cluster before creating the DebugAttachment, even in secureMode. This requires the debugging user to obtain the following permissions (list all namespaces and deployments across the cluster). https://github.com/solo-io/squash/blob/e42715ca201a662c7e09d0e9f44ea4061284c261/pkg/squashctl/app.go#L192

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: debug-user-cluster-role
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - list
- apiGroups:
  - "apps"
  resources:
  - deployments
  verbs:
  - list
```

These permissions strike me as unnecessary to assume of the debugging user, when viewed from the lens of granting least privilege to my Kubernetes cluster. Is there any opportunity to remove the check for squash being installed in the cluster while in secureMode?
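An added example, not part of the original post and not squash code: a simplified model of Kubernetes RBAC evaluation that encodes the three roles above and shows which requests the two namespaced Roles cover on their own. It assumes each role is bound to the debugging user; `TARGET_NS` and the two request lists are constructed from the post's description, and the matcher ignores `resourceNames`, subresource wildcards and role aggregation.

```python
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    groups: tuple
    resources: tuple
    verbs: tuple

class Grant(NamedTuple):
    namespace: Optional[str]  # None = ClusterRole bound cluster-wide
    rules: tuple

class Request(NamedTuple):
    verb: str
    group: str
    resource: str
    namespace: Optional[str]  # None = cluster-scoped or all-namespaces request

TARGET_NS = "my-app"  # constructed stand-in for the namespace to be debugged
SQUASH_ROLE = Grant("squash-debugger", (
    Rule(("",), ("pods",), ("get", "list")),
    Rule(("",), ("pods/portforward",), ("get", "list", "create")),
))
TARGET_ROLE = Grant(TARGET_NS, (
    Rule(("",), ("pods",), ("get", "list")),
    Rule(("squash.solo.io",), ("debugattachments",),
         ("get", "list", "watch", "create", "update", "delete")),
))
CLUSTER_ROLE = Grant(None, (
    Rule(("",), ("namespaces",), ("list",)),
    Rule(("apps",), ("deployments",), ("list",)),
))
# Requests assumed from the post: the debugging flow and the install check.
DEBUG_FLOW = [
    Request("list", "", "pods", TARGET_NS),
    Request("create", "squash.solo.io", "debugattachments", TARGET_NS),
    Request("list", "", "pods", "squash-debugger"),
    Request("create", "", "pods/portforward", "squash-debugger"),
]
INSTALL_CHECK = [
    Request("list", "", "namespaces", None),
    Request("list", "apps", "deployments", None),
]

def _match(allowed_values, value):
    return "*" in allowed_values or value in allowed_values

def allowed(grants, req):
    """True if any grant in scope has a rule matching group, resource and verb."""
    return any(_match(r.groups, req.group) and _match(r.resources, req.resource)
               and _match(r.verbs, req.verb)
               for g in grants if g.namespace in (None, req.namespace)
               for r in g.rules)

def denied(grants, requests):
    return [r for r in requests if not allowed(grants, r)]
```

On a live cluster the same questions can be asked with `kubectl auth can-i <verb> <resource> --as <user> -n <namespace>`.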