Update role to explictly list needed permissions.

AttackIQ · Nov 30, 2023 · 1bb2055 · 1bb2055
1 parent fb66871
commit 1bb2055
Show file tree

Hide file tree

Showing 4 changed files with 117 additions and 5 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,4 @@
 aiq-agent-k8s/files/config.yml
 .idea
 config.yml
+local/**
diff --git a/charts/aiq-agent-k8s/Chart.yaml b/charts/aiq-agent-k8s/Chart.yaml
@@ -3,7 +3,7 @@ name: aiq-agent-k8s
 description: A Helm chart for running the AttackIQ agent in Kubernetes.
 type: application
 # version of this chart, bump if changes are made.
-version: 0.2.1
+version: 0.2.2
 # Version of the app.
 # For aiq-agent-k8s it should be the version (tag) of the container to deploy
 # which will directly map to the agent version, suffixed by an incrementing

diff --git a/charts/aiq-agent-k8s/README.md b/charts/aiq-agent-k8s/README.md
@@ -1,7 +1,7 @@
 # AttackIQ Endpoint Agent in Kubernetes
 
 ![App: 3.8.12](https://img.shields.io/badge/App_Version-3.8.12--3-informational?style=flat-square)
-![Chart: 0.2.1](https://img.shields.io/badge/Chart_Version-0.2.1-informational?style=flat-square)
+![Chart: 0.2.2](https://img.shields.io/badge/Chart_Version-0.2.2-informational?style=flat-square)
 
 This is a helm chart for provisioning an AttackIQ endpoint agent into a k8s cluster.
 

diff --git a/charts/aiq-agent-k8s/templates/role.yaml b/charts/aiq-agent-k8s/templates/role.yaml
@@ -4,6 +4,117 @@ metadata:
   creationTimestamp: null
   name: aiq-agent-k8s-role
 rules:
-  - apiGroups: ["*"]
-    resources: ["*"]
-    verbs: ["*"]
+  - apiGroups: [ "" ]
+    resources: [ "pods/exec" ]
+    verbs: [ "get", "list", "create" ]
+  - apiGroups: [ "" ]
+    resources: [ "pods/log" ]
+    verbs: [ "get", "list", "create" ]
+  - apiGroups: [ "" ]
+    resources: [ "configmaps" ]
+    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
+  - apiGroups: [ "" ]
+    resources: [ "endpoints" ]
+    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
+  - apiGroups: [ "" ]
+    resources: [ "events" ]
+    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
+  - apiGroups: [ "" ]
+    resources: [ "limitranges" ]
+    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
+  - apiGroups: [ "" ]
+    resources: [ "namespaces" ]
+    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
+  - apiGroups: [ "" ]
+    resources: [ "nodes" ]
+    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
+  - apiGroups: [ "" ]
+    resources: [ "persistentvolumeclaims" ]
+    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
+  - apiGroups: [ "" ]
+    resources: [ "pods" ]
+    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
+  - apiGroups: [ "" ]
+    resources: [ "podtemplates" ]
+    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
+  - apiGroups: [ "" ]
+    resources: [ "replicationcontrollers" ]
+    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
+  - apiGroups: [ "" ]
+    resources: [ "resourcequotas" ]
+    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
+  - apiGroups: [ "" ]
+    resources: [ "secrets" ]
+    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
+  - apiGroups: [ "" ]
+    resources: [ "serviceaccounts" ]
+    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
+  - apiGroups: [ "" ]
+    resources: [ "services" ]
+    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
+#  - apiGroups: [ "" ]
+#    resources: [ "daemonsets.apps" ]
+#    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
+#  - apiGroups: [ "" ]
+#    resources: [ "deployments.apps" ]
+#    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
+#  - apiGroups: [ "" ]
+#    resources: [ "replicasets.apps" ]
+#    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
+#  - apiGroups: [ "" ]
+#    resources: [ "statefulsets.apps" ]
+#    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
+#  - apiGroups: [ "" ]
+#    resources: [ "cronjobs.batch" ]
+#    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
+#  - apiGroups: [ "" ]
+#    resources: [ "jobs.batch" ]
+#    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
+#  - apiGroups: [ "" ]
+#    resources: [ "daemonsets.extensions" ]
+#    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
+#  - apiGroups: [ "" ]
+#    resources: [ "deployments.extensions" ]
+#    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
+#  - apiGroups: [ "" ]
+#    resources: [ "ingresses.extensions" ]
+#    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
+#  - apiGroups: [ "" ]
+#    resources: [ "networkpolicies.extensions" ]
+#    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
+#  - apiGroups: [ "" ]
+#    resources: [ "replicasets.extensions" ]
+#    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
+#  - apiGroups: [ "" ]
+#    resources: [ "ingresses.networking.k8s.io" ]
+#    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
+#  - apiGroups: [ "" ]
+#    resources: [ "networkpolicies.networking.k8s.io" ]
+#    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
+#  - apiGroups: [ "" ]
+#    resources: [ "clusterrolebindings.rbac.authorization.k8s.io" ]
+#    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
+#  - apiGroups: [ "" ]
+#    resources: [ "clusterroles.rbac.authorization.k8s.io" ]
+#    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
+#  - apiGroups: [ "" ]
+#    resources: [ "rolebindings.rbac.authorization.k8s.io" ]
+#    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
+#  - apiGroups: [ "" ]
+#    resources: [ "roles.rbac.authorization.k8s.io" ]
+#    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
+#  - apiGroups: [ "" ]
+#    resources: [ "leases.coordination.k8s.io" ]
+#    verbs: [ "get", "list" ]
+#  - apiGroups: [ "" ]
+#    resources: [ "endpointslices.discovery.k8s.io" ]
+#    verbs: [ "get", "list" ]
+#  - apiGroups: [ "" ]
+#    resources: [ "events.events.k8s.io" ]
+#    verbs: [ "get", "list" ]
+#  - apiGroups: [ "" ]
+#    resources: [ "poddisruptionbudgets.policy" ]
+#    verbs: [ "get", "list" ]
+#  - apiGroups: [ "" ]
+#    resources: [ "csistoragecapacities.storage.k8s.io" ]
+#    verbs: [ "get", "list" ]