k8s: update tracer permissions to read-only

acrlabs · Oct 25, 2024 · eb19e83 · eb19e83
1 parent e5731a5
commit eb19e83
Show file tree

Hide file tree

Showing 7 changed files with 42 additions and 3 deletions.
diff --git a/build b/build
diff --git a/k8s/kustomize/prod/kustomization.yml b/k8s/kustomize/prod/kustomization.yml
@@ -3,4 +3,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ../base
+  - sk-tracer-rbac.yml
   - sk-tracer.yml
diff --git a/k8s/kustomize/prod/sk-tracer-rbac.yml b/k8s/kustomize/prod/sk-tracer-rbac.yml
@@ -0,0 +1,18 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: aggregate-simkube-view
+  labels:
+    # Add these permissions to the "view" default role.
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+  - apiGroups: ["simkube.io"]
+    resources: ["simulations", "simulationroots"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["monitoring.coreos.com"]
+    resources: ["prometheuses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list", "watch"]
diff --git a/k8s/kustomize/prod/sk-tracer.yml b/k8s/kustomize/prod/sk-tracer.yml
@@ -23,7 +23,7 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: cluster-admin
+  name: view
 subjects:
   - kind: ServiceAccount
     name: sk-tracer-sa

diff --git a/k8s/main.py b/k8s/main.py
@@ -22,6 +22,7 @@
 kind: Kustomization
 resources:
   - ../base
+  - sk-tracer-rbac.yml
   - sk-tracer.yml
 """
 KUSTOMIZATION_YML_SIM = """---
@@ -80,6 +81,7 @@ def write_kustomize_files(build_dir: str):
 
     os.rename(f"{build_dir}/0000-global.k8s.yaml", f"{build_dir}/base/sk-namespace.yml")
     os.rename(f"{build_dir}/0001-sk-tracer.k8s.yaml", f"{build_dir}/prod/sk-tracer.yml")
+    os.rename(f"{build_dir}/sk-tracer-rbac.yml", f"{build_dir}/prod/sk-tracer-rbac.yml")
     os.rename(f"{build_dir}/0002-sk-ctrl.k8s.yaml", f"{build_dir}/sim/sk-ctrl.yml")
     os.rename(f"{build_dir}/simkube.io_simulations.yml", f"{build_dir}/sim/simkube.io_simulations.yml")
 

diff --git a/k8s/raw/sk-tracer-rbac.yml b/k8s/raw/sk-tracer-rbac.yml
@@ -0,0 +1,18 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: aggregate-simkube-view
+  labels:
+    # Add these permissions to the "view" default role.
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+  - apiGroups: ["simkube.io"]
+    resources: ["simulations", "simulationroots"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["monitoring.coreos.com"]
+    resources: ["prometheuses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list", "watch"]
diff --git a/k8s/sk_tracer.py b/k8s/sk_tracer.py
@@ -42,7 +42,7 @@ def __init__(self, image: str, debug: bool):
 
         self._depl = (
             fire.DeploymentBuilder(app_label=self.id())
-            .with_service_account_and_role_binding("cluster-admin", True)
+            .with_service_account_and_role_binding("view", True)
             .with_containers(container)
             .with_service()
             .with_node_selector("type", "kind-worker")