Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Discussion: Debugging User Requires too Many Permissions #242

Open
orlando-jamie opened this issue Oct 9, 2019 · 0 comments
Open

Discussion: Debugging User Requires too Many Permissions #242

orlando-jamie opened this issue Oct 9, 2019 · 0 comments

Comments

@orlando-jamie
Copy link

orlando-jamie commented Oct 9, 2019
edited
Loading

Trying to understand the bare minimum Kubernetes permissions to grant a user to allow them to debug a namespace in a cluster.

From reading the secureMode architecture, it strikes me that a user would really only need the following permissions to functionally debug as a bare minimum requirement.

# User needs to inspect and port forward to pods in the squash-debugger namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: debug-user-squash-role
  namespace: "squash-debugger"
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
- apiGroups:
  - ""
  resources:
  - "pods/portforward"
  verbs:
  - "get"
  - "list"
  - "create"

---
# User needs to inspect pods and create DebugAttachment CRDs in the namespace to be debugged
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: debug-user-role
  namespace: "<THIS IS THE NAMESPACE I WANT TO DEBUG>"
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
- apiGroups:
  - squash.solo.io
  resources:
  - debugattachments
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete

However, in the following snippet, it seems that squashctl tries to ensure that squash is installed in the cluster before creating the DebugAttachment, even in secureMode. This requires the debugging user to obtain the following permissions (list all namespaces and deployments across the cluster).

squash/pkg/squashctl/app.go

Line 192 in e42715c

if err := o.ensureSquashIsInCluster(); err != nil { 

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: debug-user-cluster-role
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - list
- apiGroups:
  - "apps"
  resources:
  - deployments
  verbs:
  - list

These permissions strike me as unnecessary to assume of the debugging user, when viewed from the lens of granting least privilege to my Kubernetes cluster. Is there any opportunity to remove the check for squash being installed in the cluster while in secureMode?
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@orlando-jamie