Trying to understand the bare minimum Kubernetes permissions to grant a user to allow them to debug a namespace in a cluster.
From reading the secureMode architecture, it strikes me that a user would really only need the following permissions to functionally debug as a bare minimum requirement.
```yaml
# User needs to inspect and port forward to pods in the squash-debugger namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: debug-user-squash-role
  namespace: "squash-debugger"
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
- apiGroups:
  - ""
  resources:
  - "pods/portforward"
  verbs:
  - "get"
  - "list"
  - "create"
---
# User needs to inspect pods and create DebugAttachment CRDs in the namespace to be debugged
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: debug-user-role
  namespace: "<THIS IS THE NAMESPACE I WANT TO DEBUG>"
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
- apiGroups:
  - squash.solo.io
  resources:
  - debugattachments
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
```
However, in the following snippet, it seems that squashctl tries to ensure that squash is installed in the cluster before creating the DebugAttachment, even in secureMode. This requires the debugging user to obtain the following permissions (list all namespaces and deployments across the cluster). https://github.com/solo-io/squash/blob/e42715ca201a662c7e09d0e9f44ea4061284c261/pkg/squashctl/app.go#L192
These permissions strike me as unnecessary to assume of the debugging user, when viewed from the lens of granting least privilege to my Kubernetes cluster. Is there any opportunity to remove the check for squash being installed in the cluster while in secureMode?
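To make the least-privilege gap concrete, here is an added example (not part of the issue and not squash's own code) that transcribes the two Roles above into Python and runs a simplified Kubernetes RBAC rule match over them. It checks that the requests a secureMode debug session needs are all covered, and that the cluster-wide "is squash installed?" probe (listing namespaces and deployments across the cluster, as the issue describes it) is not. The request lists, the `<TARGET_NS>` placeholder and the `apps`-group path for deployments are assumptions made here for illustration; the matcher implements only apiGroup/resource/verb matching plus Role namespace scoping, not resourceNames, non-resource URLs or ClusterRoleBindings.

```python
"""Offline check of what the issue's two namespaced Roles permit (added example).

Re-implements a simplified subset of Kubernetes RBAC rule matching to show
which API requests the minimal debugging roles cover and which requests the
cluster-wide "is squash installed" probe would additionally need.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Request:
    verb: str
    group: str                  # "" is the core API group
    resource: str               # e.g. "pods", "pods/portforward", "deployments"
    namespace: Optional[str]    # None means a cluster-scoped request (all namespaces)


# The two Roles from the issue, transcribed into dicts (constructed here).
# "<TARGET_NS>" stands in for the namespace the user wants to debug.
ROLES = [
    {"namespace": "squash-debugger", "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
        {"apiGroups": [""], "resources": ["pods/portforward"],
         "verbs": ["get", "list", "create"]},
    ]},
    {"namespace": "<TARGET_NS>", "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
        {"apiGroups": ["squash.solo.io"], "resources": ["debugattachments"],
         "verbs": ["get", "list", "watch", "create", "update", "delete"]},
    ]},
]


def _rule_matches(rule: dict, req: Request) -> bool:
    """A rule matches when group, resource and verb are each listed (or '*')."""
    def ok(allowed, value):
        return "*" in allowed or value in allowed
    return (ok(rule["apiGroups"], req.group)
            and ok(rule["resources"], req.resource)
            and ok(rule["verbs"], req.verb))


def allowed(req: Request, roles=ROLES) -> bool:
    """True if a Role in the request's namespace has a matching rule.

    A namespaced Role can never satisfy a cluster-scoped request
    (namespace None); that would take a ClusterRole + ClusterRoleBinding.
    """
    if req.namespace is None:
        return False
    return any(role["namespace"] == req.namespace
               and any(_rule_matches(r, req) for r in role["rules"])
               for role in roles)


def uncovered(requests, roles=ROLES):
    """Return the requests the given roles do not permit."""
    return [r for r in requests if not allowed(r, roles)]


# Requests a secureMode debug session makes (assumed from the issue text).
DEBUG_SESSION = [
    Request("list", "", "pods", "<TARGET_NS>"),
    Request("create", "squash.solo.io", "debugattachments", "<TARGET_NS>"),
    Request("watch", "squash.solo.io", "debugattachments", "<TARGET_NS>"),
    Request("create", "", "pods/portforward", "squash-debugger"),
]

# Requests the "is squash installed?" probe makes: cluster-wide listing
# (assumed; deployments live in the "apps" API group).
INSTALL_PROBE = [
    Request("list", "", "namespaces", None),
    Request("list", "apps", "deployments", None),
]

if __name__ == "__main__":
    print("debug session uncovered:", uncovered(DEBUG_SESSION))   # []
    print("install probe uncovered:", uncovered(INSTALL_PROBE))   # both requests
```

Running it shows the debug-session requests fully covered by the two Roles while both probe requests remain uncovered, which is exactly the extra privilege the issue asks to avoid granting.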