diff --git a/charts/aws-efs-csi-driver/templates/controller-serviceaccount.yaml b/charts/aws-efs-csi-driver/templates/controller-serviceaccount.yaml index bc1d11d1a..48d1a90c1 100644 --- a/charts/aws-efs-csi-driver/templates/controller-serviceaccount.yaml +++ b/charts/aws-efs-csi-driver/templates/controller-serviceaccount.yaml @@ -40,12 +40,19 @@ rules: - apiGroups: ["coordination.k8s.io"] resources: ["leases"] verbs: ["get", "watch", "list", "delete", "update", "create"] - # - apiGroups: [ "" ] - # resources: [ "secrets" ] - # verbs: [ "get", "watch", "list" ] - --- - +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: efs-csi-external-provisioner-role-describe-secrets + labels: + app.kubernetes.io/name: {{ include "aws-efs-csi-driver.name" . }} +rules: + - apiGroups: [ "" ] + resources: [ "secrets" ] + resourceNames: ["x-account"] + verbs: [ "get", "watch", "list" ] +--- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: @@ -60,3 +67,20 @@ roleRef: kind: ClusterRole name: efs-csi-external-provisioner-role apiGroup: rbac.authorization.k8s.io +--- +# We use a RoleBinding to restrict Secret access to the namespace that the +# RoleBinding is created in (typically kube-system) +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: efs-csi-provisioner-binding-describe-secrets + labels: + app.kubernetes.io/name: {{ include "aws-efs-csi-driver.name" . }} +subjects: + - kind: ServiceAccount + name: {{ .Values.controller.serviceAccount.name }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: efs-csi-external-provisioner-role-describe-secrets + apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/deploy/kubernetes/base/controller-serviceaccount.yaml b/deploy/kubernetes/base/controller-serviceaccount.yaml index 655c0268c..41fce01af 100644 --- a/deploy/kubernetes/base/controller-serviceaccount.yaml +++ b/deploy/kubernetes/base/controller-serviceaccount.yaml @@ -36,9 +36,19 @@ rules: - apiGroups: ["coordination.k8s.io"] resources: ["leases"] verbs: ["get", "watch", "list", "delete", "update", "create"] - # - apiGroups: [ "" ] - # resources: [ "secrets" ] - # verbs: [ "get", "watch", "list" ] +--- +# Source: aws-efs-csi-driver/templates/controller-serviceaccount.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: efs-csi-external-provisioner-role-describe-secrets + labels: + app.kubernetes.io/name: aws-efs-csi-driver +rules: + - apiGroups: [ "" ] + resources: [ "secrets" ] + resourceNames: ["x-account"] + verbs: [ "get", "watch", "list" ] --- # Source: aws-efs-csi-driver/templates/controller-serviceaccount.yaml kind: ClusterRoleBinding @@ -55,3 +65,20 @@ roleRef: kind: ClusterRole name: efs-csi-external-provisioner-role apiGroup: rbac.authorization.k8s.io +--- +# We use a RoleBinding to restrict Secret access to the namespace that the +# RoleBinding is created in (typically kube-system) +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: efs-csi-provisioner-binding-describe-secrets + labels: + app.kubernetes.io/name: aws-efs-csi-driver +subjects: + - kind: ServiceAccount + name: efs-csi-controller-sa + namespace: kube-system +roleRef: + kind: ClusterRole + name: efs-csi-external-provisioner-role-describe-secrets + apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/examples/kubernetes/cross_account_mount/iam-policy-examples/describe-mount-target-example.json b/examples/kubernetes/cross_account_mount/iam-policy-examples/describe-mount-target-example.json index 93b4428c5..102ec526c 100644 --- a/examples/kubernetes/cross_account_mount/iam-policy-examples/describe-mount-target-example.json +++ b/examples/kubernetes/cross_account_mount/iam-policy-examples/describe-mount-target-example.json @@ -1,24 +1,62 @@ { "Version": "2012-10-17", "Statement": [ - { - "Sid" : "Stmt1DescribeMountTargets", - "Effect": "Allow", - "Action": [ - "elasticfilesystem:DescribeFileSystems", - "elasticfilesystem:DescribeMountTargets", - "elasticfilesystem:CreateAccessPoint" - ], - "Resource": "arn:aws:elasticfilesystem:us-west-2:123456789012:file-system/file-system-ID" - }, - { - "Sid" : "Stmt2AdditionalEC2PermissionsToDescribeMountTarget", - "Effect": "Allow", - "Action": [ - "ec2:DescribeSubnets", - "ec2:DescribeNetworkInterfaces" - ], - "Resource": "*" - } + { + "Sid": "AllowDescribe", + "Effect": "Allow", + "Action": [ + "elasticfilesystem:DescribeAccessPoints", + "elasticfilesystem:DescribeFileSystems", + "elasticfilesystem:DescribeMountTargets", + "ec2:DescribeAvailabilityZones" + ], + "Resource": "*" + }, + { + "Sid": "AllowCreateAccessPoint", + "Effect": "Allow", + "Action": [ + "elasticfilesystem:CreateAccessPoint" + ], + "Resource": "*", + "Condition": { + "Null": { + "aws:RequestTag/efs.csi.aws.com/cluster": "false" + }, + "ForAllValues:StringEquals": { + "aws:TagKeys": "efs.csi.aws.com/cluster" + } + } + }, + { + "Sid": "AllowTagNewAccessPoints", + "Effect": "Allow", + "Action": [ + "elasticfilesystem:TagResource" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "elasticfilesystem:CreateAction": "CreateAccessPoint" + }, + "Null": { + "aws:RequestTag/efs.csi.aws.com/cluster": "false" + }, + "ForAllValues:StringEquals": { + "aws:TagKeys": "efs.csi.aws.com/cluster" + } + } + }, + { + "Sid": "AllowDeleteAccessPoint", + "Effect": "Allow", + "Action": "elasticfilesystem:DeleteAccessPoint", + "Resource": "*", + "Condition": { + "Null": { + "aws:ResourceTag/efs.csi.aws.com/cluster": "false" + } + } + } ] -} +} \ No newline at end of file