From 578ab7f96617d3b2c3c1bda5f4b6e9e1e64708da Mon Sep 17 00:00:00 2001 From: Ori Shoshan Date: Thu, 29 Feb 2024 11:42:40 +0200 Subject: [PATCH 1/6] Use cert-manager CSI spiffe driver for RolesAnywhere integration --- .../credentials-operator-deployment.yaml | 24 +++++++++++++++++-- ...erator-mutating-webhook-configuration.yaml | 3 +++ .../templates/rbac-certmgr.yaml | 24 +++++++++++++++++++ .../intents-operator-deployment.yaml | 24 +++++++++++++++++-- intents-operator/templates/rbac-certmgr.yaml | 23 ++++++++++++++++++ 5 files changed, 94 insertions(+), 4 deletions(-) create mode 100644 credentials-operator/templates/rbac-certmgr.yaml create mode 100644 intents-operator/templates/rbac-certmgr.yaml diff --git a/credentials-operator/templates/credentials-operator-deployment.yaml b/credentials-operator/templates/credentials-operator-deployment.yaml index a032893e..7b9a23c9 100644 --- a/credentials-operator/templates/credentials-operator-deployment.yaml +++ b/credentials-operator/templates/credentials-operator-deployment.yaml @@ -174,6 +174,16 @@ spec: - name: OTTERIZE_TELEMETRY_ERRORS_API_KEY value: {{ .Values.global.telemetry.errors.credentialsOperatorApiKey | quote }} {{- end }} + {{- if .Values.global.aws.rolesAnywhere.enabled }} + - name: OTTERIZE_TRUST_DOMAIN + value: {{ .Values.global.aws.rolesAnywhere.trustDomain | quote }} + - name: OTTERIZE_TRUST_ANCHOR + value: {{ .Values.global.aws.rolesAnywhere.trustDomain | quote }} + - name: AWS_SHARED_CREDENTIALS_FILE + value: "/aws-config/credentials" + - name: AWS_REGION + value: {{ .Values.global.aws.region | quote }} + {{- end }} livenessProbe: httpGet: path: /healthz @@ -197,6 +207,9 @@ spec: volumeMounts: - mountPath: /tmp/k8s-webhook-server/serving-certs name: webhook-cert + - mountPath: /aws-config + name: spiffe + readOnly: true {{- if eq "false" (.Values.global.otterizeCloud.useCloudToGenerateTLSCredentials | toString) }} - mountPath: {{ .Values.spire.socketsPath }} name: spire-agent-socket 
@@ -207,8 +220,6 @@ spec: name: api-extra-ca-pem readOnly: true {{- end }} - securityContext: - runAsNonRoot: true terminationGracePeriodSeconds: 10 volumes: {{- if eq "false" (.Values.global.otterizeCloud.useCloudToGenerateTLSCredentials | toString) }} @@ -217,6 +228,15 @@ spec: type: Directory name: spire-agent-socket {{- end }} + - name: spiffe + csi: + driver: spiffe.csi.cert-manager.io + readOnly: true + volumeAttributes: + aws.spiffe.csi.cert-manager.io/trust-profile: {{ .Values.global.aws.rolesAnywhere.credentialsOperatorTrustProfileARN | quote }} + aws.spiffe.csi.cert-manager.io/trust-anchor: {{ .Values.global.aws.rolesAnywhere.trustAnchorARN | quote }} + aws.spiffe.csi.cert-manager.io/role: {{ .Values.aws.roleARN | quote }} + aws.spiffe.csi.cert-manager.io/enable: "true" {{ if .Values.global.otterizeCloud.apiExtraCAPEMSecret }} - name: api-extra-ca-pem secret: diff --git a/credentials-operator/templates/credentials-operator-mutating-webhook-configuration.yaml b/credentials-operator/templates/credentials-operator-mutating-webhook-configuration.yaml index 8826075c..d4ebe168 100644 --- a/credentials-operator/templates/credentials-operator-mutating-webhook-configuration.yaml +++ b/credentials-operator/templates/credentials-operator-mutating-webhook-configuration.yaml @@ -4,6 +4,9 @@ kind: MutatingWebhookConfiguration metadata: creationTimestamp: null name: otterize-credentials-operator-mutating-webhook-configuration + labels: + app.kubernetes.io/part-of: otterize + app.kubernetes.io/component: credentials-operator webhooks: - admissionReviewVersions: - v1 diff --git a/credentials-operator/templates/rbac-certmgr.yaml b/credentials-operator/templates/rbac-certmgr.yaml new file mode 100644 index 00000000..7ac74256 --- /dev/null +++ b/credentials-operator/templates/rbac-certmgr.yaml 
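Review bot: The `aws.spiffe.csi.cert-manager.io/role` attribute in the new `spiffe` CSI volume reads `.Values.aws.roleARN`, while every other attribute in the volume and the env block above read from `.Values.global.aws…`; the values hunk in patch 6 shows `roleARN` under `global.aws`, so unless a top-level `aws.roleARN` also exists in this chart the attribute renders as `""` and the driver is asked for credentials against an empty role ARN. Since the role, trust-profile and trust-anchor ARNs decide which AWS identity these operator pods can obtain, failing at render time is safer than rendering an empty string: `aws.spiffe.csi.cert-manager.io/role: {{ required "global.aws.roleARN must be set when rolesAnywhere is enabled" .Values.global.aws.roleARN | quote }}`, and likewise `required` on the two ARN values that are on the page. The intents-operator volume in this patch (`intents-operator-deployment.yaml @@ -242`) reads the same `.Values.aws.roleARN`.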
@@ -0,0 +1,24 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: creds-operator-certificaterequest-creator + namespace: otterize-system +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificaterequests"] + verbs: ["create"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: credentials-operator-certificaterequest + namespace: otterize-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: creds-operator-certificaterequest-creator +subjects: + - kind: ServiceAccount + name: credentials-operator-controller-manager + namespace: otterize-system +--- \ No newline at end of file diff --git a/intents-operator/templates/intents-operator-deployment.yaml b/intents-operator/templates/intents-operator-deployment.yaml index ab96acef..2ab050df 100644 --- a/intents-operator/templates/intents-operator-deployment.yaml +++ b/intents-operator/templates/intents-operator-deployment.yaml @@ -179,7 +179,20 @@ spec: - name: OTTERIZE_EXP_ENABLE_EGRESS_NETWORK_POLICIES value: "true" {{- end }} + {{- if .Values.global.aws.rolesAnywhere.enabled }} + - name: OTTERIZE_TRUST_DOMAIN + value: {{ .Values.global.aws.rolesAnywhere.trustDomain | quote }} + - name: OTTERIZE_TRUST_ANCHOR + value: {{ .Values.global.aws.rolesAnywhere.trustDomain | quote }} + - name: AWS_SHARED_CREDENTIALS_FILE + value: "/aws-config/credentials" + - name: AWS_REGION + value: {{ .Values.global.aws.region | quote }} + {{- end }} volumeMounts: + - mountPath: /aws-config + name: spiffe + readOnly: true - mountPath: /controller_manager_config.yaml name: manager-config subPath: controller_manager_config.yaml @@ -215,8 +228,6 @@ spec: memory: 64Mi securityContext: allowPrivilegeEscalation: false - securityContext: - runAsNonRoot: true serviceAccountName: intents-operator-controller-manager terminationGracePeriodSeconds: 10 volumes: 
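Review bot: Both the Role and the RoleBinding in the new `rbac-certmgr.yaml` hard-code `namespace: otterize-system`, as does the ServiceAccount subject, instead of using `{{ .Release.Namespace }}`, so an install into any other namespace grants nothing to the real service account and CertificateRequest creation through the spiffe volume would presumably be denied. Unless the chart pins its namespace elsewhere, use `namespace: {{ .Release.Namespace }}` in all three places; `intents-operator/templates/rbac-certmgr.yaml` in this patch has the same hard-coded namespace. A short `{{/* ... */}}` header explaining why the pod's own ServiceAccount needs `create` on `certificaterequests` in `cert-manager.io` (as I understand it, the CSI driver issues the request on the pod's behalf using the pod's identity) would make this least-privilege grant easier to audit. Minor: the Role is named `creds-operator-…` while the binding and the rest of the chart say `credentials-operator`.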
@@ -242,4 +253,13 @@ spec: secret: secretName: {{ .Values.global.otterizeCloud.apiExtraCAPEMSecret }} {{ end }} + - name: spiffe + csi: + driver: spiffe.csi.cert-manager.io + readOnly: true + volumeAttributes: + aws.spiffe.csi.cert-manager.io/trust-profile: {{ .Values.global.aws.rolesAnywhere.intentsOperatorTrustProfileARN | quote }} + aws.spiffe.csi.cert-manager.io/trust-anchor: {{ .Values.global.aws.rolesAnywhere.trustAnchorARN | quote }} + aws.spiffe.csi.cert-manager.io/role: {{ .Values.aws.roleARN | quote }} + aws.spiffe.csi.cert-manager.io/enable: "true" - name: cert diff --git a/intents-operator/templates/rbac-certmgr.yaml b/intents-operator/templates/rbac-certmgr.yaml new file mode 100644 index 00000000..b086698a --- /dev/null +++ b/intents-operator/templates/rbac-certmgr.yaml @@ -0,0 +1,23 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: intents-operator-certificaterequest-creator + namespace: otterize-system +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificaterequests"] + verbs: ["create"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: intents-operator-certificaterequest + namespace: otterize-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: intents-operator-certificaterequest-creator +subjects: + - kind: ServiceAccount + name: intents-operator-controller-manager + namespace: otterize-system \ No newline at end of file From 5f9081b3420a7fa9d5d3122241905fb8409676d1 Mon Sep 17 00:00:00 2001 From: Ori Shoshan Date: Thu, 29 Feb 2024 11:48:34 +0200 Subject: [PATCH 2/6] Use cert-manager CSI spiffe driver for RolesAnywhere integration --- .../templates/credentials-operator-deployment.yaml | 4 ++-- intents-operator/templates/intents-operator-deployment.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/credentials-operator/templates/credentials-operator-deployment.yaml b/credentials-operator/templates/credentials-operator-deployment.yaml index 7b9a23c9..0ec5dea5 100644 --- a/credentials-operator/templates/credentials-operator-deployment.yaml +++ b/credentials-operator/templates/credentials-operator-deployment.yaml @@ -177,8 +177,8 @@ spec: {{- if .Values.global.aws.rolesAnywhere.enabled }} - name: OTTERIZE_TRUST_DOMAIN value: {{ .Values.global.aws.rolesAnywhere.trustDomain | quote }} - - name: OTTERIZE_TRUST_ANCHOR - value: {{ .Values.global.aws.rolesAnywhere.trustDomain | quote }} + - name: OTTERIZE_TRUST_ANCHOR_ARN + value: {{ .Values.global.aws.rolesAnywhere.trustAnchorARN | quote }} - name: AWS_SHARED_CREDENTIALS_FILE value: "/aws-config/credentials" - name: AWS_REGION diff --git a/intents-operator/templates/intents-operator-deployment.yaml b/intents-operator/templates/intents-operator-deployment.yaml index 2ab050df..299b036e 100644 --- a/intents-operator/templates/intents-operator-deployment.yaml +++ b/intents-operator/templates/intents-operator-deployment.yaml @@ -182,8 +182,8 @@ spec: {{- if .Values.global.aws.rolesAnywhere.enabled }} - name: OTTERIZE_TRUST_DOMAIN value: {{ .Values.global.aws.rolesAnywhere.trustDomain | quote }} - - name: OTTERIZE_TRUST_ANCHOR - value: {{ .Values.global.aws.rolesAnywhere.trustDomain | quote }} + - name: OTTERIZE_TRUST_ANCHOR_ARN + value: {{ .Values.global.aws.rolesAnywhere.trustAnchorARN | quote }} - name: AWS_SHARED_CREDENTIALS_FILE value: "/aws-config/credentials" - name: AWS_REGION From 3c5975f5394ed1c56d8f80915e97ec4a17b417cc Mon Sep 17 00:00:00 2001 
From: Ori Shoshan Date: Wed, 6 Mar 2024 20:08:18 +0100 Subject: [PATCH 3/6] fixup --- .../templates/credentials-operator-deployment.yaml | 4 ++++ ...credentials-operator-mutating-webhook-configuration.yaml | 2 ++ credentials-operator/templates/rbac-certmgr.yaml | 4 +++- intents-operator/templates/intents-operator-deployment.yaml | 6 +++++- intents-operator/templates/rbac-certmgr.yaml | 4 +++- 5 files changed, 17 insertions(+), 3 deletions(-) diff --git a/credentials-operator/templates/credentials-operator-deployment.yaml b/credentials-operator/templates/credentials-operator-deployment.yaml index 133917c2..75f36732 100644 --- a/credentials-operator/templates/credentials-operator-deployment.yaml +++ b/credentials-operator/templates/credentials-operator-deployment.yaml @@ -222,9 +222,11 @@ spec: volumeMounts: - mountPath: /tmp/k8s-webhook-server/serving-certs name: webhook-cert +{{- if .Values.global.aws.rolesAnywhere.enabled }} - mountPath: /aws-config name: spiffe readOnly: true +{{- end }} {{- if eq "false" (.Values.global.otterizeCloud.useCloudToGenerateTLSCredentials | toString) }} - mountPath: {{ .Values.spire.socketsPath }} name: spire-agent-socket @@ -243,6 +245,7 @@ spec: type: Directory name: spire-agent-socket {{- end }} +{{- if .Values.global.aws.rolesAnywhere.enabled }} - name: spiffe csi: driver: spiffe.csi.cert-manager.io @@ -252,6 +255,7 @@ spec: aws.spiffe.csi.cert-manager.io/trust-anchor: {{ .Values.global.aws.rolesAnywhere.trustAnchorARN | quote }} aws.spiffe.csi.cert-manager.io/role: {{ .Values.aws.roleARN | quote }} aws.spiffe.csi.cert-manager.io/enable: "true" +{{- end }} {{ if .Values.global.otterizeCloud.apiExtraCAPEMSecret }} - name: api-extra-ca-pem secret: diff --git a/credentials-operator/templates/credentials-operator-mutating-webhook-configuration.yaml b/credentials-operator/templates/credentials-operator-mutating-webhook-configuration.yaml index d4ebe168..5c22a628 100644 
--- a/credentials-operator/templates/credentials-operator-mutating-webhook-configuration.yaml +++ b/credentials-operator/templates/credentials-operator-mutating-webhook-configuration.yaml @@ -4,9 +4,11 @@ kind: MutatingWebhookConfiguration metadata: creationTimestamp: null name: otterize-credentials-operator-mutating-webhook-configuration +{{- if .Values.global.aws.rolesAnywhere.enabled }} labels: app.kubernetes.io/part-of: otterize app.kubernetes.io/component: credentials-operator +{{- end }} webhooks: - admissionReviewVersions: - v1 diff --git a/credentials-operator/templates/rbac-certmgr.yaml b/credentials-operator/templates/rbac-certmgr.yaml index 7ac74256..09e3e329 100644 --- a/credentials-operator/templates/rbac-certmgr.yaml +++ b/credentials-operator/templates/rbac-certmgr.yaml @@ -1,3 +1,4 @@ +{{- if .Values.global.aws.rolesAnywhere.enabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -21,4 +22,5 @@ subjects: - kind: ServiceAccount name: credentials-operator-controller-manager namespace: otterize-system ---- \ No newline at end of file +--- +{{- end }} \ No newline at end of file diff --git a/intents-operator/templates/intents-operator-deployment.yaml b/intents-operator/templates/intents-operator-deployment.yaml index b4b475c9..e7da7ce5 100644 --- a/intents-operator/templates/intents-operator-deployment.yaml +++ b/intents-operator/templates/intents-operator-deployment.yaml @@ -209,9 +209,11 @@ spec: value: {{ .Values.global.aws.region | quote }} {{- end }} volumeMounts: +{{- if .Values.global.aws.rolesAnywhere.enabled }} - mountPath: /aws-config name: spiffe readOnly: true +{{- end }} - mountPath: /controller_manager_config.yaml name: manager-config subPath: controller_manager_config.yaml @@ -272,6 +274,7 @@ spec: secret: secretName: {{ .Values.global.otterizeCloud.apiExtraCAPEMSecret }} {{ end }} +{{- if .Values.global.aws.rolesAnywhere.enabled }} - name: spiffe csi: driver: spiffe.csi.cert-manager.io 
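Review bot: The `labels` block on the MutatingWebhookConfiguration is now emitted only when `global.aws.rolesAnywhere.enabled` is set, which ties generic `app.kubernetes.io/part-of` and `app.kubernetes.io/component` labels to an unrelated feature flag with no explanation in the template or the commit message. If something in the RolesAnywhere path selects this webhook configuration by these labels, state that in a Helm comment above the condition, e.g. `{{/* labels are required by <consumer> when rolesAnywhere is enabled */}}`; if not, the labels should be unconditional. The patch-3 wrapping of both `rbac-certmgr.yaml` files with the same `if` is fine, but note the trailing `---` in the credentials-operator file still renders an empty trailing document.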
@@ -281,4 +284,5 @@ spec: aws.spiffe.csi.cert-manager.io/trust-anchor: {{ .Values.global.aws.rolesAnywhere.trustAnchorARN | quote }} aws.spiffe.csi.cert-manager.io/role: {{ .Values.aws.roleARN | quote }} aws.spiffe.csi.cert-manager.io/enable: "true" - - name: cert +{{- end }} + - name: cert \ No newline at end of file diff --git a/intents-operator/templates/rbac-certmgr.yaml b/intents-operator/templates/rbac-certmgr.yaml index b086698a..cf473ba0 100644 --- a/intents-operator/templates/rbac-certmgr.yaml +++ b/intents-operator/templates/rbac-certmgr.yaml @@ -1,3 +1,4 @@ +{{- if .Values.global.aws.rolesAnywhere.enabled }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -20,4 +21,5 @@ roleRef: subjects: - kind: ServiceAccount name: intents-operator-controller-manager - namespace: otterize-system \ No newline at end of file + namespace: otterize-system +{{- end }} \ No newline at end of file From 3ccb0f6a2036108a27ce5b267643bd9f34f3546d Mon Sep 17 00:00:00 2001 From: Ori Shoshan Date: Wed, 6 Mar 2024 20:10:39 +0100 Subject: [PATCH 4/6] fixup --- .../templates/credentials-operator-deployment.yaml | 3 +++ intents-operator/templates/intents-operator-deployment.yaml | 3 +++ 2 files changed, 6 insertions(+) diff --git a/credentials-operator/templates/credentials-operator-deployment.yaml b/credentials-operator/templates/credentials-operator-deployment.yaml index 75f36732..9054a76e 100644 --- a/credentials-operator/templates/credentials-operator-deployment.yaml +++ b/credentials-operator/templates/credentials-operator-deployment.yaml @@ -216,6 +216,9 @@ spec: {{- toYaml .Values.resources | nindent 10 }} securityContext: allowPrivilegeEscalation: false +{{- if ne false (default .Values.global.aws.rolesAnywhere.enabled false) }} + runAsNonRoot: true +{{- end }} capabilities: drop: - "ALL" diff --git a/intents-operator/templates/intents-operator-deployment.yaml b/intents-operator/templates/intents-operator-deployment.yaml index e7da7ce5..63a63f59 100644 
--- a/intents-operator/templates/intents-operator-deployment.yaml +++ b/intents-operator/templates/intents-operator-deployment.yaml @@ -249,6 +249,9 @@ spec: memory: 64Mi securityContext: allowPrivilegeEscalation: false +{{- if ne false (default .Values.global.aws.rolesAnywhere.enabled false) }} + runAsNonRoot: true +{{- end }} serviceAccountName: intents-operator-controller-manager terminationGracePeriodSeconds: 10 volumes: From 7bbc1effa1c13f9176e8654f8646d9652ca173d3 Mon Sep 17 00:00:00 2001 From: Ori Shoshan Date: Wed, 6 Mar 2024 20:12:37 +0100 Subject: [PATCH 5/6] fixup --- .../templates/credentials-operator-deployment.yaml | 3 ++- intents-operator/templates/intents-operator-deployment.yaml | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/credentials-operator/templates/credentials-operator-deployment.yaml b/credentials-operator/templates/credentials-operator-deployment.yaml index 9054a76e..a0be655d 100644 --- a/credentials-operator/templates/credentials-operator-deployment.yaml +++ b/credentials-operator/templates/credentials-operator-deployment.yaml @@ -216,7 +216,8 @@ spec: {{- toYaml .Values.resources | nindent 10 }} securityContext: allowPrivilegeEscalation: false -{{- if ne false (default .Values.global.aws.rolesAnywhere.enabled false) }} +# Only runAsNonRoot when not using rolesAnywhere +{{- if ne true (default .Values.global.aws.rolesAnywhere.enabled false) }} runAsNonRoot: true {{- end }} capabilities: diff --git a/intents-operator/templates/intents-operator-deployment.yaml b/intents-operator/templates/intents-operator-deployment.yaml index 63a63f59..007a1d0a 100644 --- a/intents-operator/templates/intents-operator-deployment.yaml +++ b/intents-operator/templates/intents-operator-deployment.yaml 
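Review bot: With `ne true`, the container-level `runAsNonRoot: true` is emitted only when RolesAnywhere is disabled, and the pod-level `securityContext.runAsNonRoot` was removed in patch 1, so the RolesAnywhere configuration runs the credentials operator with no non-root enforcement at all; the comment records the decision but not the reason. If the constraint is ownership of the files in the `spiffe` CSI volume, prefer fixing ownership (a container `runAsUser` or pod `fsGroup`, or the driver's fs-group volume attribute if this driver build supports it) and keeping `runAsNonRoot: true` in both branches. At minimum, replace the plain YAML comment with a Helm comment that states the concrete reason, e.g. `{{/* runAsNonRoot is dropped with rolesAnywhere because <reason> */}}`, so it does not leak into rendered manifests and a reader can check whether the reason still holds. The intents-operator hunk in the same patch (`intents-operator-deployment.yaml @@ -249`) has the same gap.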
@@ -249,7 +249,8 @@ spec: memory: 64Mi securityContext: allowPrivilegeEscalation: false -{{- if ne false (default .Values.global.aws.rolesAnywhere.enabled false) }} +# Only runAsNonRoot when not using rolesAnywhere +{{- if ne true (default .Values.global.aws.rolesAnywhere.enabled false) }} runAsNonRoot: true {{- end }} serviceAccountName: intents-operator-controller-manager From 1af6aa20d16ddc57b9607bc46e40516da036f84b Mon Sep 17 00:00:00 2001 From: Ori Shoshan Date: Wed, 6 Mar 2024 20:18:31 +0100 Subject: [PATCH 6/6] fixup --- credentials-operator/values.yaml | 2 ++ intents-operator/values.yaml | 2 ++ otterize-kubernetes/values.yaml | 2 ++ 3 files changed, 6 insertions(+) diff --git a/credentials-operator/values.yaml b/credentials-operator/values.yaml index 4e1cbb82..9eda3568 100644 --- a/credentials-operator/values.yaml +++ b/credentials-operator/values.yaml @@ -46,6 +46,8 @@ global: aws: enabled: false useSoftDelete: false + rolesAnywhere: + enabled: false eksClusterNameOverride: roleARN: diff --git a/intents-operator/values.yaml b/intents-operator/values.yaml index 4476c888..71e89c8c 100644 --- a/intents-operator/values.yaml +++ b/intents-operator/values.yaml @@ -70,6 +70,8 @@ global: aws: enabled: false + rolesAnywhere: + enabled: false eksClusterNameOverride: azure: diff --git a/otterize-kubernetes/values.yaml b/otterize-kubernetes/values.yaml index 07148f75..18836b9a 100644 --- a/otterize-kubernetes/values.yaml +++ b/otterize-kubernetes/values.yaml @@ -7,6 +7,8 @@ global: aws: enabled: false + rolesAnywhere: + enabled: false useSoftDelete: false eksClusterNameOverride:
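Review bot: The three `values.yaml` hunks declare only `rolesAnywhere.enabled: false`, but the templates in this series also read `rolesAnywhere.trustDomain`, `rolesAnywhere.trustAnchorARN`, `rolesAnywhere.credentialsOperatorTrustProfileARN`, `rolesAnywhere.intentsOperatorTrustProfileARN` and `global.aws.region`; none of these is declared, so they are undiscoverable to chart users and, through `| quote`, render silently as `""` when forgotten. Declare them with empty defaults next to `enabled: false` (e.g. `trustDomain: ""`, `trustAnchorARN: ""`) in all three charts, and consider `required` in the templates for the ARNs, since those values determine which AWS identity the operators can assume.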