Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make ClusterRole, Webhook bindings restricted to current module #31

Closed
jeff-mccoy opened this issue Apr 17, 2023 · 0 comments · Fixed by #324
Closed

Make ClusterRole, Webhook bindings restricted to current module #31

jeff-mccoy opened this issue Apr 17, 2023 · 0 comments · Fixed by #324
Assignees
@jeff-mccoy @cmwylie19
Milestone
Pepr Baseline Har...

Comments

@jeff-mccoy
Copy link
Member

Currently, Pepr doesn't limit the ClusterRole or Webhook bindings to the current module. These should be limited if possible to not over-privilege the controller service account. We also need to evaluate how the webhook bindings work.

Screenshot 2023-04-17 at 1 44 50 AM

Screenshot 2023-04-17 at 1 44 37 AM
@mike-winberry mike-winberry self-assigned this Apr 19, 2023
@jeff-mccoy jeff-mccoy added this to the Pepr Baseline Hardening milestone Apr 21, 2023
@jeff-mccoy jeff-mccoy mentioned this issue Jun 5, 2023
Merged
@jeff-mccoy jeff-mccoy self-assigned this Jun 5, 2023
jeff-mccoy added a commit that referenced this issue Jun 8, 2023
@jeff-mccoy
Generate Dynamic MutatingWebhookConfiguration Rules (#133)
4b3f406 
Related to #31
@cmwylie19 cmwylie19 moved this to 🆕 New in Pepr Project Board Oct 2, 2023
@cmwylie19 cmwylie19 removed the status in Pepr Project Board Oct 2, 2023
@cmwylie19 cmwylie19 moved this to 🆕 New in Pepr Project Board Oct 2, 2023
@cmwylie19 cmwylie19 moved this from 🆕 New to 📋 Backlog in Pepr Project Board Oct 4, 2023
@cmwylie19 cmwylie19 moved this from 📋 Backlog to 🏗 In progress in Pepr Project Board Oct 16, 2023
@cmwylie19 cmwylie19 self-assigned this Oct 16, 2023
@cmwylie19 cmwylie19 mentioned this issue Oct 17, 2023
Merged
5 tasks
@cmwylie19 cmwylie19 moved this from 🏗 In progress to 👀 In review in Pepr Project Board Oct 21, 2023
cmwylie19 added a commit that referenced this issue Oct 26, 2023
@cmwylie19
feat: least priv rbac creation (#324)
64be116 
## Description

Build time flag `--rbac-mode` determines whether whether the
`ClusterRole` for the Pepr `ServiceAccount` receives cluster-admin
permissions (default) or scoped permissions based on the capability
bindings.

Uses a reduce function to iterate over the capability's bindings and
determine the `verbs`, `plural`, and `groups` needed in order to build a
`ClusterRoleBinding`. That function is used in the `createClusterRole`
function.

Includes:
- docs
- development
- unit test
- e2e test


## Related Issue

Fixes #31 
<!-- or -->
Relates to #

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Other (security config, docs update, etc)

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide
Steps](https://github.com/defenseunicorns/pepr/blob/main/CONTRIBUTING.md#submitting-a-pull-request)
followed

---------

Signed-off-by: Case Wylie <[email protected]>
@github-project-automation github-project-automation bot moved this from 👀 In review to ✅ Done in Pepr Project Board Oct 26, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jeff-mccoy jeff-mccoy

@cmwylie19 cmwylie19

Labels
None yet
Projects
Pepr Project Board
Archived in project
Milestone
Pepr Baseline Hardening
Development

Successfully merging a pull request may close this issue.

feat: least priv rbac creation defenseunicorns/pepr
3 participants
@jeff-mccoy @cmwylie19 @mike-winberry