fix(adapter): Reduce k8tls adapter permissions (#249)

Signed-off-by: Anurag Rajawat <[email protected]>
5GSEC · Oct 1, 2024 · cddd9e9 · cddd9e9
1 parent e445f8e
commit cddd9e9
Show file tree

Hide file tree

Showing 12 changed files with 254 additions and 335 deletions.
diff --git a/deployments/nimbus-k8tls/templates/configmap.yaml b/deployments/nimbus-k8tls/templates/configmap.yaml
@@ -3,37 +3,140 @@ kind: ConfigMap
 metadata:
   name: fluent-bit-config
   namespace: {{ include "nimbus-k8tls.fullname" . }}-env
+  labels:
+    {{- include "nimbus-k8tls.labels" . | nindent 4 }}
 data:
   fluent-bit.conf: |
-     [SERVICE]
-        Flush        1
-        Log_Level    info
-        Parsers_File parsers.conf
+    [SERVICE]
+       Flush        1
+       Log_Level    info
+       Parsers_File parsers.conf
+
+    [INPUT]
+       Name           tail
+       Path           /tmp/compact_report.json
+       Parser         json
+       Tag            json.data
+       DB             /tmp/compact_report.db
+       Read_from_Head true
+       Exit_On_Eof    true
 
-     [INPUT]
-        Name           tail
-        Path           /tmp/compact_report.json
-        Parser         json
-        Tag            json.data
-        DB             /tmp/compact_report.db
-        Read_from_Head true
-        Exit_On_Eof    true
-    
      {{- if .Values.output.elasticsearch.enabled }}
-     [OUTPUT]
-        Name  es
-        Match *
-        Host  {{ .Values.output.elasticsearch.host }}
-        Port  {{ .Values.output.elasticsearch.port }}
-        Index {{ .Values.output.elasticsearch.index }}
-        HTTP_User  {{ .Values.output.elasticsearch.user }}
-        HTTP_Passwd ${ES_PASSWORD}
-        tls      On
-        tls.verify Off
-        Suppress_Type_Name On
-        Replace_Dots On
+    [OUTPUT]
+       Name  es
+       Match *
+       Host  {{ .Values.output.elasticsearch.host }}
+       Port  {{ .Values.output.elasticsearch.port }}
+       Index {{ .Values.output.elasticsearch.index }}
+       HTTP_User  {{ .Values.output.elasticsearch.user }}
+       HTTP_Passwd ${ES_PASSWORD}
+       tls      On
+       tls.verify Off
+       Suppress_Type_Name On
+       Replace_Dots On
       {{- end }}
 
-     [OUTPUT]
-        Name stdout
-        Match *
+    [OUTPUT]
+       Name stdout
+       Match *
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: fips-config
+  namespace: {{ include "nimbus-k8tls.fullname" . }}-env
+  labels:
+    {{- include "nimbus-k8tls.labels" . | nindent 4 }}
+data:
+  fips-140-3.json: |2-
+    {
+      "TLS_versions": [
+        {
+          "TLS_version": "TLSv1.0_1.1",
+          "cipher_suites": [
+            {
+              "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
+            },
+            {
+              "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
+            },
+            {
+              "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
+            },
+            {
+              "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"
+            }
+          ]
+        },
+        {
+          "TLS_version": "TLSv1.2",
+          "cipher_suites": [
+            {
+              "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
+            },
+            {
+              "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
+            },
+            {
+              "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
+            },
+            {
+              "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"
+            },
+            {
+              "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
+            },
+            {
+              "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+            },
+            {
+              "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
+            },
+            {
+              "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
+            },
+            {
+              "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_256_CCM"
+            },
+            {
+              "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_128_CCM"
+            },
+            {
+              "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8"
+            },
+            {
+              "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8"
+            },
+            {
+              "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
+            },
+            {
+              "cipher_suite": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
+            },
+            {
+              "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"
+            },
+            {
+              "cipher_suite": "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"
+            }
+          ]
+        },
+        {
+          "TLS_version": "TLSv1.3",
+          "cipher_suites": [
+            {
+              "cipher_suite": "TLS_AES_256_GCM_SHA384"
+            },
+            {
+              "cipher_suite": "TLS_AES_128_GCM_SHA256"
+            },
+            {
+              "cipher_suite": "TLS_AES_128_CCM_SHA256"
+            },
+            {
+              "cipher_suite": "TLS_AES_128_CCM_8_SHA256"
+            }
+          ]
+        }
+      ]
+    }
diff --git a/deployments/nimbus-k8tls/templates/deployment.yaml b/deployments/nimbus-k8tls/templates/deployment.yaml
@@ -21,8 +21,8 @@ spec:
             {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-          env:
           {{- if .Values.output.elasticsearch.enabled }}
+          env:
           - name: TTLSECONDSAFTERFINISHED
             value: "{{ .Values.output.elasticsearch.ttlsecondsafterfinished }}"
           {{- end }}

diff --git a/deployments/nimbus-k8tls/templates/k8tls-role.yaml b/deployments/nimbus-k8tls/templates/k8tls-role.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: k8tls
+  labels:
+    {{- include "nimbus-k8tls.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - get
+      - list
diff --git a/deployments/nimbus-k8tls/templates/namespace.yaml b/deployments/nimbus-k8tls/templates/namespace.yaml
@@ -1,4 +1,6 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: {{ include "nimbus-k8tls.fullname" . }}-env
+  name: {{ include "nimbus-k8tls.fullname" . }}-env
+  labels:
+    {{- include "nimbus-k8tls.labels" . | nindent 4 }}
diff --git a/deployments/nimbus-k8tls/templates/role.yaml b/deployments/nimbus-k8tls/templates/role.yaml
@@ -2,66 +2,56 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: nimbus-k8tls-clusterrole
+  name: nimbus-k8tls
+  labels:
+    {{- include "nimbus-k8tls.labels" . | nindent 4 }}
 rules:
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  - namespaces
-  - serviceaccounts
-  verbs:
-  - create
-  - delete
-  - get
-  - update
-- apiGroups:
-  - ""
-  resources:
-  - services
-  verbs:
-  - get
-  - list
-- apiGroups:
-  - batch
-  resources:
-  - cronjobs
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - update
-  - watch
-- apiGroups:
-  - intent.security.nimbus.com
-  resources:
-  - clusternimbuspolicies
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - intent.security.nimbus.com
-  resources:
-  - clusternimbuspolicies/status
-  verbs:
-  - get
-  - patch
-  - update
-- apiGroups:
-  - rbac.authorization.k8s.io
-  resources:
-  - clusterrolebindings
-  - clusterroles
-  verbs:
-  - create
-  - delete
-  - get
-  - update
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - create
+      - delete
+      - get
+      - update
+  - apiGroups:
+      - ""
+    resources:
+      - namespaces
+      - serviceaccounts
+    verbs:
+      - get
+  - apiGroups:
+      - batch
+    resources:
+      - cronjobs
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - update
+      - watch
+  - apiGroups:
+      - intent.security.nimbus.com
+    resources:
+      - clusternimbuspolicies
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - intent.security.nimbus.com
+    resources:
+      - clusternimbuspolicies/status
+    verbs:
+      - get
+      - patch
+      - update
 {{- if .Values.output.elasticsearch.enabled }}
-- apiGroups: [""]
-  resources: ["secrets"]
-  resourceNames: ["elasticsearch-password"]
-  verbs: ["get"]
+  - apiGroups: [ "" ]
+    resources: [ "secrets" ]
+    resourceNames: [ "elasticsearch-password" ]
+    verbs: [ "get" ]
 {{- end }}
diff --git a/deployments/nimbus-k8tls/templates/rolebinding.yaml b/deployments/nimbus-k8tls/templates/rolebinding.yaml
@@ -1,12 +1,29 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ include "nimbus-k8tls.fullname" . }}-clusterrole-binding
+  name: {{ include "nimbus-k8tls.fullname" . }}
+  labels:
+    {{- include "nimbus-k8tls.labels" . | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: nimbus-k8tls-clusterrole
+  name: {{ include "nimbus-k8tls.fullname" . }}
 subjects:
   - kind: ServiceAccount
     name: {{ include "nimbus-k8tls.serviceAccountName" . }}
     namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: k8tls
+  labels:
+    {{- include "nimbus-k8tls.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: k8tls
+subjects:
+  - kind: ServiceAccount
+    name: k8tls
+    namespace: {{ include "nimbus-k8tls.fullname" . }}-env
diff --git a/deployments/nimbus-k8tls/templates/secret.yaml b/deployments/nimbus-k8tls/templates/secret.yaml
@@ -4,6 +4,8 @@ kind: Secret
 metadata:
   name: elasticsearch-password
   namespace: {{ include "nimbus-k8tls.fullname" . }}-env
+  labels:
+    {{- include "nimbus-k8tls.labels" . | nindent 4 }}
 type: Opaque
 data:
   es_password: {{ .Values.output.elasticsearch.password }} 

diff --git a/deployments/nimbus-k8tls/templates/serviceaccount.yaml b/deployments/nimbus-k8tls/templates/serviceaccount.yaml
@@ -8,3 +8,11 @@ metadata:
     {{- include "nimbus-k8tls.labels" . | nindent 4 }}
 automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
 {{- end }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: k8tls
+  namespace: {{ include "nimbus-k8tls.fullname" . }}-env
+  labels:
+    {{- include "nimbus-k8tls.labels" . | nindent 4 }}
diff --git a/pkg/adapter/common/common.go b/pkg/adapter/common/common.go
@@ -12,5 +12,5 @@ type ContextKey string
 
 const (
 	K8sClientKey     ContextKey = "k8sClient"
-	NamespaceNameKey ContextKey = "NamespaceName"
+	NamespaceNameKey ContextKey = "K8tlsNamespace"
 )