chore(rbac): Restructure RBACs to resolve secrets/cm poisoning (separate roles restriction)

chaoscenter/graphql/server/manifests/cluster/1b_argo_rbac.yaml

@@ -6,48 +6,27 @@ metadata:
   namespace: #{INFRA_NAMESPACE}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: ClusterRoleBinding
 metadata:
-  name: chaos-cluster-role
-rules:
-  # for managing the pods created by workflow controller to implement individual steps in the workflow
-  - apiGroups: ['']
-    resources: ['pods', 'services']
-    verbs: ['create', 'get', 'watch', 'patch', 'delete', 'list']
-  - apiGroups: ['']
-    resources: ['namespaces']
-    verbs: ['get', 'watch', 'patch', 'list']
-
-  # for tracking & getting logs of the pods created by workflow controller to implement individual steps in the workflow
-  - apiGroups: ['']
-    resources: ['pods/log', 'pods/exec']
-    verbs: ['get', 'watch', 'create', 'delete', 'patch']
-  - apiGroups: ['']
-    resources: ['secrets', 'configmaps']
-    verbs: ['get', 'watch', 'create', 'patch']
-
-  # for creation & deletion of application in predefined workflows
-  - apiGroups: ['apps']
-    resources: ['deployments']
-    verbs: ['delete']
-  - apiGroups: ['apps']
-    resources: ['deployments', 'statefulsets']
-    verbs: ['get', 'watch', 'patch' , 'create']
-
-  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
-  - apiGroups: ["litmuschaos.io"]
-    resources:
-      ["chaosengines", "chaosexperiments", "chaosresults", "chaosschedules"]
-    verbs: ["create", "list", "get", "patch", "delete", "watch"]
+  name: argo-chaos-infra-cluster-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: infra-cluster-role
+subjects:
+  - kind: ServiceAccount
+    name: argo-chaos
+    namespace: #{INFRA_NAMESPACE}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
-  name: chaos-cluster-role-binding
+  name: argo-chaos-ops-role-binding
+  namespace: #{INFRA_NAMESPACE}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: chaos-cluster-role
+  kind: Role
+  name: infra-ops-role
 subjects:
   - kind: ServiceAccount
     name: argo-chaos

chaoscenter/graphql/server/manifests/cluster/1c_argo_deployment.yaml

@@ -46,6 +46,7 @@ spec:
             - workflow-controller-configmap
             - --executor-image
             -  #{ARGO_WORKFLOW_EXECUTOR}
+            - --namespaced
             - --container-runtime-executor
             -  #{ARGO_CONTAINER_RUNTIME_EXECUTOR}
           command:

chaoscenter/graphql/server/manifests/cluster/2b_litmus_admin_rbac.yaml

@@ -11,9 +11,9 @@ metadata:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: litmus-admin
+  name: litmus-admin-cluster-role
   labels:
-    name: litmus-admin
+    name: litmus-admin-cluster-role
 rules:
   # ***************************************************************************************
   # Permissions needed for preparing and monitor the chaos resources by chaos-runner
@@ -30,11 +30,6 @@ rules:
     resources: ["events"]
     verbs: ["create","get","list","patch","update"]
 
-    # for fetching configmaps and secrets to inject into chaos-runner pod (if specified)
-  - apiGroups: [""]
-    resources: ["secrets", "configmaps"]
-    verbs: ["get", "list"]
-
     # for tracking & getting logs of the pods created by chaos-runner to implement individual steps in the runner
   - apiGroups: [""]
     resources: ["pods/log"]
@@ -110,13 +105,29 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: litmus-admin
+  name: litmus-admin-cluster-role-binding
   labels:
-    name: litmus-admin
+    name: litmus-admin-cluster-role-binding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: litmus-admin
+  name: litmus-admin-cluster-role
+subjects:
+  - kind: ServiceAccount
+    name: litmus-admin
+    namespace: #{INFRA_NAMESPACE}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: litmus-admin-ops-role-binding
+  namespace: #{INFRA_NAMESPACE}
+  labels:
+    name: litmus-admin-ops-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: infra-ops-role
 subjects:
   - kind: ServiceAccount
     name: litmus-admin

chaoscenter/graphql/server/manifests/cluster/3a_agents_rbac.yaml

@@ -8,11 +8,6 @@ rules:
   # Permissions needed for orchestration and monitoring chaos by chaos-operator and chaos-exporter
   # ***********************************************************************************************
 
-  # for mounting the secrets to the chaos-runner pod
-  - apiGroups: [ "" ]
-    resources: [ "secrets" ]
-    verbs: [ "get", "list" ]
-
   # for deriving the owner references of the operator pod
   - apiGroups: [ "apps" ]
     resources: [ "deployments", "replicasets"]
@@ -28,9 +23,9 @@ rules:
     resources: [ "pods" ]
     verbs: ["get", "create", "update", "patch", "delete", "list", "watch", "deletecollection" ]
 
-  # for creating of events, monitoring and leader election
+  # for creating of events and monitoring
   - apiGroups: [ "" ]
-    resources: [ "configmaps", "events", "services" ]
+    resources: [ "events", "services" ]
     verbs: ["get", "create", "update", "patch", "list", "watch" ]
 
   # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
@@ -57,10 +52,6 @@ rules:
   # Permissions needed to manage and communicate between control plane and execution plane by subscriber
   # *******************************************************************************************************
 
-  - apiGroups: [ "" ]
-    resources: [ "configmaps", "secrets" ]
-    verbs: [ "get", "create", "delete", "update", "patch" ]
-
   - apiGroups: [ "batch" ]
     resources: [ "jobs" ]
     verbs: [ "get", "create", "patch", "update" ]
@@ -74,7 +65,7 @@ rules:
     verbs: [ "get", "list", "watch" ]
 
   - apiGroups: [ "litmuschaos.io" ]
-    resources: [ "chaosengines", "chaosschedules", "chaosresults" ]
+    resources: [ "chaosengines", "chaosschedules", "chaosresults", "chaosschedules" ]
     verbs: [ "get", "list", "create", "delete", "update", "watch", "patch" ]
 
   - apiGroups: [ "apps.openshift.io" ]
@@ -111,9 +102,6 @@ rules:
   - apiGroups: [ "" ]
     resources: [ "pods", "pods/exec" ]
     verbs: [ "create", "get", "list", "watch", "update", "patch", "delete" ]
-  - apiGroups: [ "" ]
-    resources: [ "configmaps" ]
-    verbs: [ "get", "watch", "list" ]
   - apiGroups: [ "" ]
     resources: [ "persistentvolumeclaims" ]
     verbs: [ "create", "delete" ]
@@ -163,3 +151,31 @@ subjects:
   - kind: ServiceAccount
     name: #{INFRA_SERVICE_ACCOUNT}
     namespace: #{INFRA_NAMESPACE}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: infra-ops-role
+  namespace: #{INFRA_NAMESPACE}
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "secrets" ]
+    verbs: [ "get", "create", "update", "patch" ]
+
+  - apiGroups: [ "" ]
+    resources: [ "configmaps"]
+    verbs: ["get", "create", "update", "patch", "list", "watch" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: infra-ops-role-binding
+  namespace: #{INFRA_NAMESPACE}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: infra-ops-role
+subjects:
+  - kind: ServiceAccount
+    name: #{INFRA_SERVICE_ACCOUNT}
+    namespace: #{INFRA_NAMESPACE}

chaoscenter/graphql/server/manifests/namespace/1a_argo_rbac.yaml

@@ -6,46 +6,28 @@ metadata:
   namespace: #{INFRA_NAMESPACE}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+kind: RoleBinding
 metadata:
-  name: chaos-role
+  name: argo-chaos-infra-role-binding
   namespace: #{INFRA_NAMESPACE}
-rules:
-  # for managing the pods created by workflow controller to implement individual steps in the workflow
-  - apiGroups: [""]
-    resources: ["pods", "services"]
-    verbs: ["create", "get", "watch", "patch", "delete", "list"]
-
-  # for tracking & getting logs of the pods created by workflow controller to implement individual steps in the workflow
-  - apiGroups: ['']
-    resources: ['pods/log', 'pods/exec']
-    verbs: ['get', 'watch', 'create', 'delete', 'patch']
-  - apiGroups: ['']
-    resources: ['secrets', 'configmaps']
-    verbs: ['get', 'watch', 'create', 'patch']
-
-  # for creation & deletion of application in predefined workflows
-  - apiGroups: ['apps']
-    resources: ['deployments']
-    verbs: ['delete']
-  - apiGroups: ['apps']
-    resources: ['deployments', 'statefulsets']
-    verbs: ['get', 'watch', 'patch' , 'create']
-
-  # for creation, status polling and deletion of litmus chaos resources used within a chaos workflow
-  - apiGroups: ["litmuschaos.io"]
-    resources: ["chaosengines", "chaosexperiments", "chaosresults", "chaosschedules"]
-    verbs: ["create", "list", "get", "patch", "delete", "watch"]
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: infra-role
+subjects:
+  - kind: ServiceAccount
+    name: argo-chaos
+    namespace: #{INFRA_NAMESPACE}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: chaos-role-binding
+  name: argo-chaos-ops-role-binding
   namespace: #{INFRA_NAMESPACE}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: chaos-role
+  name: infra-ops-role
 subjects:
   - kind: ServiceAccount
     name: argo-chaos

chaoscenter/graphql/server/manifests/namespace/2a_litmus_admin_rbac.yaml

@@ -10,10 +10,10 @@ metadata:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: litmus-admin
+  name: litmus-admin-role
   namespace: #{INFRA_NAMESPACE}
   labels:
-    name: litmus-admin
+    name: litmus-admin-role
 rules:
   # ***************************************************************************************
   # Permissions needed for preparing and monitor the chaos resources by chaos-runner
@@ -30,11 +30,6 @@ rules:
     resources: ["events"]
     verbs: ["create", "get", "list", "patch", "update"]
 
-    # for fetching configmaps and secrets to inject into chaos-runner pod (if specified)
-  - apiGroups: [""]
-    resources: ["secrets", "configmaps"]
-    verbs: ["get", "list"]
-
     # for tracking & getting logs of the pods created by chaos-runner to implement individual steps in the runner
   - apiGroups: [""]
     resources: ["pods/log"]
@@ -105,14 +100,30 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: litmus-admin
+  name: litmus-admin-role-binding
   namespace: #{INFRA_NAMESPACE}
   labels:
+    name: litmus-admin-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: litmus-admin-role
+subjects:
+  - kind: ServiceAccount
     name: litmus-admin
+    namespace: #{INFRA_NAMESPACE}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: litmus-admin-ops-role-binding
+  namespace: #{INFRA_NAMESPACE}
+  labels:
+    name: litmus-admin-ops-role-binding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: litmus-admin
+  name: infra-ops-role
 subjects:
   - kind: ServiceAccount
     name: litmus-admin