Skip to content

Latest commit

 

History

History
209 lines (189 loc) · 4.75 KB

rbac.md

File metadata and controls

209 lines (189 loc) · 4.75 KB

Role-based access control (RBAC) for the Mondoo Operator involves two parts, RBAC rules for the Operator itself and RBAC rules for the Mondoo Pods themselves created by the Operator as Mondoo requires access to the Kubernetes API for resource discovery.

Mondoo Operator RBAC

In order for the Mondoo Operator to work in an RBAC based authorization environment, a ClusterRole with access to all the resources the Operator requires for the Kubernetes API needs to be created.

Here is a ready to use manifest of a ClusterRole that can be used to start the Mondoo Operator:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: manager-role
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - apps
  resources:
  - daemonsets
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - cert-manager.io
  resources:
  - certificates
  - issuers
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - k8s.mondoo.com
  resources:
  - mondooauditconfigs
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - k8s.mondoo.com
  resources:
  - mondooauditconfigs/finalizers
  verbs:
  - update
- apiGroups:
  - k8s.mondoo.com
  resources:
  - mondooauditconfigs/status
  verbs:
  - get
  - patch
  - update

RBAC rules for Mondoo Workload Scanning

To scan the Kubernetes resources, the mondoo-client needs access to the Kubernetes API. Therefore a separate ClusterRole for accessing the data needs to exist.

As Mondoo does not modify any Objects in the Kubernetes API, but just reads them it simply requires the get, list, and watch actions.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: workload
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get
  - watch
  - list
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: workload
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: workload
subjects:
- kind: ServiceAccount
  name: workload
  namespace: system
apiVersion: v1
kind: ServiceAccount
metadata:
  name: workload
  namespace: system

When MondooAuditConfig is created in the same namespace as the operator a service account named mondoo-operator-k8s-resources-scanning is added by default. If MondooAuditConfig is created in any other namespace create a ServiceAccount in that other namespace and add the ServiceAccount to the ClusterRoleBinding named mondoo-operator-k8s-resources-scanning that was created during installation of the mondoo-operator. The ServiceAccount needs to be specified in the MondooAuditConfig object at .spec.workload.serviceAccount.

Additionally, when defining a MondooAuditConfig in a different namespace, a ServiceAccount with no permissions is needed for the node scanning. Create a ServiceAccount named mondoo-operator-nodes that will be used by the DaemonSet for node scanning.

Note: A cluster admin is required to create this ClusterRole and create a ClusterRoleBinding or RoleBinding to the ServiceAccount used by the mondoo-client Pods. The ServiceAccount used by the workload Pods can be specified in the MondooAuditConfig object.

apiVersion: k8s.mondoo.com/v1alpha2
kind: MondooAuditConfig
metadata:
  name: mondoo-client
  namespace: mondoo-operator
spec:
  scanner:
    serviceAccountName: workload
  kubernetesResources:
    enable: true
  nodes:
    enable: true
  admission:
    enable: false
  mondooCredsSecretRef: mondoo-client

RBAC rules for Mondoo Node Scanning

To scan the Kubernetes nodes, Mondoo does not does not require access to the Kubernetes API server, thus a default service account with no permissions should suffice.

The ServiceAccount used by the node-scanner Pods can be specified in the MondooAuditConfig object.

See Using Authorization Plugins for further usage information on RBAC components.