allow to set the rbac with granularity (#340)

* allow to set the rbac with granularity Signed-off-by: Thomas Labarussias <issif+github@gadz.org> * change verbs injection using toYaml --------- Signed-off-by: Thomas Labarussias <issif+github@gadz.org> Co-authored-by: Igor Eulalio <igor.eulalio@sysdig.com>
falcosecurity · Jun 24, 2024 · 375754f · 375754f
1 parent 6bb6183
commit 375754f
Show file tree

Hide file tree

Showing 2 changed files with 113 additions and 42 deletions.
diff --git a/deployment/helm/templates/rbac.yaml b/deployment/helm/templates/rbac.yaml
@@ -18,99 +18,150 @@ metadata:
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
 rules:
+  {{- if .Values.rbac.namespaces }}
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+    verbs:
+{{ toYaml .Values.rbac.namespaces | indent 6 }}
+  {{- end }}
+  {{- if .Values.rbac.pods }}
   - apiGroups:
       - ""
     resources:
       - pods
     verbs:
-      - get
-      - update
-      - patch
-      - delete
-      - list
+{{ toYaml .Values.rbac.pods | indent 6 }}
+  {{- end }}
+  {{- if .Values.rbac.nodes }}
   - apiGroups:
       - ""
     resources:
       - nodes
     verbs:
-      - get
-      - watch
-      - create
-      - update
-      - patch
+{{ toYaml .Values.rbac.nodes | indent 6 }}
+  {{- end }}
+  {{- if .Values.rbac.podsExec }}
   - apiGroups:
       - ""
     resources:
       - pods/exec
     verbs:
-      - get
-      - create
+{{ toYaml .Values.rbac.podsExec | indent 6 }}
+  {{- end }}
+  {{- if .Values.rbac.podsEviction }}
   - apiGroups:
       - ""
     resources:
       - pods/eviction
     verbs:
-      - get
-      - create
+{{ toYaml .Values.rbac.podsEviction | indent 6 }}
+  {{- end }}
+  {{- if .Values.rbac.events }}
   - apiGroups:
       - ""
     resources:
       - events
     verbs:
-      - create
-      - get
-      - update
-      - patch
+{{ toYaml .Values.rbac.events | indent 6 }}
+  {{- end }}
+  {{- if .Values.rbac.daemonsets }}
   - apiGroups:
-      - apps
+      - "apps"
     resources:
       - daemonsets
+    verbs:
+{{ toYaml .Values.rbac.daemonsets | indent 6 }}
+  {{- end }}
+  {{- if .Values.rbac.deployments }}
+  - apiGroups:
+      - "apps"
+    resources:
       - deployments
+    verbs:
+{{ toYaml .Values.rbac.deployments | indent 6 }}
+  {{- end }}
+  {{- if .Values.rbac.replicasets }}
+  - apiGroups:
+      - "apps"
+    resources:
       - replicasets
+    verbs:
+{{ toYaml .Values.rbac.replicasets | indent 6 }}
+  {{- end }}
+  {{- if .Values.rbac.statefulsets }}
+  - apiGroups:
+      - "apps"
+    resources:
       - statefulsets
     verbs:
-      - get
-      - delete
+{{ toYaml .Values.rbac.statefulsets | indent 6 }}
+  {{- end }}
+  {{- if .Values.rbac.networkpolicies }}
   - apiGroups:
-      - networking.k8s.io
-      - projectcalico.org
-      - cilium.io
+      - "networking.k8s.io"
     resources:
       - networkpolicies
+    verbs:
+{{ toYaml .Values.rbac.networkpolicies | indent 6 }}
+  {{- end }}
+  {{- if .Values.rbac.caliconetworkpolicies }}
+  - apiGroups:
+      - "projectcalico.org"
+    resources:
       - caliconetworkpolicies
+    verbs:
+{{ toYaml .Values.rbac.caliconetworkpolicies | indent 6 }}
+  {{- end }}
+  {{- if .Values.rbac.ciliumnetworkpolicies }}
+  - apiGroups:
+      - "cilium.io"
+    resources:
       - ciliumnetworkpolicies
     verbs:
-      - create
-      - get
-      - update
-      - patch
+{{ toYaml .Values.rbac.ciliumnetworkpolicies | indent 6 }}
+  {{- end }}
+  {{- if .Values.rbac.roles }}
   - apiGroups:
-      - rbac.authorization.k8s.io
+      - "rbac.authorization.k8s.io"
     resources:
-      - clusterroles
       - roles
     verbs:
-      - get
-      - delete
+{{ toYaml .Values.rbac.roles | indent 6 }}
+  {{- end }}
+  {{- if .Values.rbac.clusterroles }}
+  - apiGroups:
+      - "rbac.authorization.k8s.io"
+    resources:
+      - clusterroles
+    verbs:
+{{ toYaml .Values.rbac.clusterroles | indent 6 }}
+  {{- end }}
+  {{- if .Values.rbac.configmaps }}
   - apiGroups:
       - ""
     resources:
       - configmaps
+    verbs:
+{{ toYaml .Values.rbac.configmaps | indent 6 }}
+  {{- end }}
+  {{- if .Values.rbac.secrets }}
+  - apiGroups:
+      - ""
+    resources:
       - secrets
-      - namespace
     verbs:
-      - get
-      - delete
+{{ toYaml .Values.rbac.secrets | indent 6 }}
+  {{- end }}
+  {{- if .Values.rbac.leases }}
   - apiGroups:
-      - coordination.k8s.io
+      - "coordination.k8s.io"
     resources:
       - leases
     verbs:
-      - get
-      - watch
-      - create
-      - update
-      - patch
+{{ toYaml .Values.rbac.leases | indent 6 }}
+  {{- end }}
 {{- if .Values.podSecurityPolicy.create }}
 - apiGroups:
     - policy

diff --git a/deployment/helm/values.yaml b/deployment/helm/values.yaml
@@ -26,7 +26,7 @@ nameOverride: ""
 extraEnv:
   - name: LOG_LEVEL
     value: warning
-#  - name: AWS_REGION - Specify if running on EKS, ECS or EC2
+#  - name: AWS_REGION # Specify if running on EKS, ECS or EC2
 #    value: us-east-1
 
 priorityClassName: ""
@@ -74,6 +74,26 @@ tolerations: []
 
 affinity: {}
 
+rbac:
+  namespaces: ["get"]
+  pods: ["get", "update", "patch", "delete", "list"]
+  nodes: ["get", "update", "patch", "watch", "create"]
+  podsExec: ["get", "create"]
+  podsEviction: ["get", "create"]
+  events: ["get", "update", "patch", "create"]
+  daemonsets: ["get", "delete"]
+  deployments: ["get", "delete"]
+  replicasets: ["get", "delete"]
+  statefulsets: ["get", "delete"]
+  networkpolicies: ["get", "update", "patch", "create"]
+  caliconetworkpolicies: ["get", "update", "patch", "create"]
+  ciliumnetworkpolicies: ["get", "update", "patch", "create"]
+  roles: ["get", "delete"]
+  clusterroles: ["get", "delete"]
+  configmaps: ["get", "delete"]
+  secrets: ["get", "delete"]
+  leases: ["get", "update", "patch", "watch", "create"]
+
 config:
 # listenAddress: 0.0.0.0
 # listenPort: 2803