From dandaniel97 at gmail.com Tue Nov 27 10:26:06 2018
From: dandaniel97 at gmail.com (Daniel Beilin)
Date: Tue, 27 Nov 2018 12:26:06 +0200
Subject: [Strimzi] Cluster operator privileges

I work in an organization that has strict security, we are trying to implement Strimzi and we are worried about the cluster role privileges that are granted. Specifically about the permission to read and write and edit client secrets. Is it necessary to give it those permissions? Furthermore, is it a possibility to harden those permissions?

Thank you in advance,
Daniel

From jakub at scholz.cz Tue Nov 27 12:23:54 2018
From: jakub at scholz.cz (Jakub Scholz)
Date: Tue, 27 Nov 2018 13:23:54 +0100
Subject: [Strimzi] Cluster operator privileges

Hi Daniel,

Strimzi is using secrets for certificates etc. So we do need the access to them. That said, the access to secrets is limited to the namespace where the operators watch for the custom resources / manage the clusters. So you can easily limit it to be able to access the secrets only for given namespace. That way you should be able to ensure that it will not have access to any secrets which do not belong to it (if you use namespace dedicated for Strimzi / Kafka).

The permissions we have in the installation files should be created based on what we really need. I do not think there is much space to cut them down. You can remove the cluster roles for reading node labels if you do not plan to use the rack awareness feature or expose Kafka outside of your Kubernetes cluster using node ports.

Thanks & Regards
Jakub

On Tue, Nov 27, 2018 at 1:14 PM Daniel Beilin wrote:

> I work in an organization that has strict security, we are trying to
> implement Strimzi and we are worried about the cluster role privileges that
> are granted. Specifically about the permission to read and write and edit
> client secrets.
> Is it necessary to give it those permissions? Furthermore,
> is it a possibility to harden those permissions?
>
> Thank you in advance,
> Daniel
> _______________________________________________
> Strimzi mailing list
> Strimzi at redhat.com
> https://www.redhat.com/mailman/listinfo/strimzi
>

From dandaniel97 at gmail.com Tue Nov 27 12:38:05 2018
From: dandaniel97 at gmail.com (Daniel Beilin)
Date: Tue, 27 Nov 2018 14:38:05 +0200
Subject: [Strimzi] Cluster operator privileges

Thank you so much for your detailed response! It clarifies many things.

Daniel

On Tue, Nov 27, 2018, 14:24 Jakub Scholz wrote:

> Hi Daniel,
>
> Strimzi is using secrets for certificates etc. So we do need the access to
> them. That said, the access to secrets is limited to the namespace where
> the operators watch for the custom resources / manage the clusters. So you
> can easily limit it to be able to access the secrets only for given
> namespace. That way you should be able to ensure that it will not have
> access to any secrets which do not belong to it (if you use namespace
> dedicated for Strimzi / Kafka).
>
> The permissions we have in the installation files should be created based
> on what we really need. I do not think there is much space to cut them
> down. You can remove the cluster roles for reading node labels if you do
> not plan to use the rack awareness feature or expose Kafka outside of your
> Kubernetes cluster using node ports.
>
> Thanks & Regards
> Jakub
>
> On Tue, Nov 27, 2018 at 1:14 PM Daniel Beilin
> wrote:
>
>> I work in an organization that has strict security, we are trying to
>> implement Strimzi and we are worried about the cluster role privileges that
>> are granted. Specifically about the permission to read and write and edit
>> client secrets. Is it necessary to give it those permissions?
>> Furthermore, is it a possibility to harden those permissions?
>>
>> Thank you in advance,
>> Daniel
>>

From dandaniel97 at gmail.com Wed Nov 28 14:31:24 2018
From: dandaniel97 at gmail.com (Daniel Beilin)
Date: Wed, 28 Nov 2018 16:31:24 +0200
Subject: [Strimzi] Managing cluster role

Hello, in order to deploy Strimzi you need to create a cluster role, which can be a possible point for attacks, because you can get the permissions to the whole cluster. My question is: can you change the cluster role to a regular role without interfering with the rest of the deployment? In other words, if in my deployment we will change the cluster roles and role bindings in order to allow the service account the same access as before, but this time with just a normal role, will it cause any problems when trying to deploy a cluster on this specific namespace?

Best regards,
Daniel

From jakub at scholz.cz Wed Nov 28 15:20:37 2018
From: jakub at scholz.cz (Jakub Scholz)
Date: Wed, 28 Nov 2018 16:20:37 +0100
Subject: [Strimzi] Managing cluster role

Hi Daniel,

I think that will not work well, because we reference some of these ClusterRoles in the service accounts which we create for the Kafka brokers. If it works then the features might be definitely limited. For sure I would say the Topic and User operators will not work and exposing NodePorts and Kafka rack awareness will not work. Maybe something more as well.

The ClusterRoles do not really give us access to the whole cluster. For most of them, we use only RoleBindings to bind them to our service accounts.
So despite using ClusterRoles, we get only the rights within a namespace as if these would be regular Roles. But we do not need to create the Role in every single namespace we need to use because the ClusterRoles are global.

We use ClusterRoleBindings only for two ClusterRoles:

- 030-ClusterRole-strimzi-kafka-broker.yaml which gives us the possibility to read nodes
- 021-ClusterRole-strimzi-cluster-operator-role.yaml which we need to be able to create ClusterRoleBindings

We need to use ClusterRoles and ClusterRoleBindings here, because these resources are cluster wide and you cannot grant them without using ClusterRoles and ClusterRoleBindings. If you don't deploy these, Strimzi will work fine unless you try to use Kafka rack-awareness or expose it using Node Ports.

I would also like to point out that although we have the ability to create RoleBindings and ClusterRoleBindings, we cannot give ourselves any additional rights. Kubernetes has protection against privilege escalation. So we can create only RoleBindings and ClusterRoleBindings which contain the rights which the Cluster operator already has. So the Strimzi operator cannot grant itself access rights for a different namespace or anything like that.

Thanks & Regards
Jakub

On Wed, Nov 28, 2018 at 3:39 PM Daniel Beilin wrote:

> Hello, in order to deploy Strimzi you need to create a cluster role, which
> can be a possible point for attacks, because you can get the permissions to
> the whole cluster. My question is: can you change the cluster role to a
> regular role without interfering with the rest of the deployment? In other
> words,
> if in my deployment we will change the cluster roles and role bindings in
> order to allow the service account the same access as before, but this time
> with just a normal role, will it cause any problems when trying to deploy a
> cluster on this specific namespace?
>
> Best regards,
> Daniel
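
The scoping rule described in the last reply, that a ClusterRole bound through a RoleBinding grants rights only in that binding's namespace while a ClusterRoleBinding grants them everywhere, can be checked mechanically against exported RBAC objects. The following Python is an added example, not part of the thread and not Strimzi's own code; the object names, the `kafka` namespace and the `operator-sa` service account are hypothetical, and only direct ServiceAccount subjects are considered (group subjects are ignored).

```python
# Constructed sample shaped like the "items" of
# `kubectl get clusterroles,rolebindings,clusterrolebindings -A -o json`.
# Every object name and the "kafka" namespace are hypothetical.
ITEMS = [
    {"kind": "ClusterRole", "metadata": {"name": "operator-namespaced"},
     "rules": [{"resources": ["secrets"], "verbs": ["get", "create", "delete"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "broker-nodes"},
     "rules": [{"resources": ["nodes"], "verbs": ["get"]}]},
    {"kind": "RoleBinding", "metadata": {"name": "operator", "namespace": "kafka"},
     "roleRef": {"kind": "ClusterRole", "name": "operator-namespaced"},
     "subjects": [{"kind": "ServiceAccount", "name": "operator-sa", "namespace": "kafka"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "operator-nodes"},
     "roleRef": {"kind": "ClusterRole", "name": "broker-nodes"},
     "subjects": [{"kind": "ServiceAccount", "name": "operator-sa", "namespace": "kafka"}]},
]
CLUSTER_WIDE = "*"

def effective_grants(items, sa_name, sa_namespace):
    """Map scope (a namespace, or "*" for cluster-wide) -> {(verb, resource)}."""
    rules = {}
    for o in items:
        if o["kind"] in ("ClusterRole", "Role"):
            key = (o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"])
            rules[key] = o.get("rules", [])
    grants = {}
    for o in items:
        if o["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not any(s.get("kind") == "ServiceAccount" and s.get("name") == sa_name
                   and s.get("namespace") == sa_namespace for s in o.get("subjects") or []):
            continue
        # The binding kind, not the role kind, decides how far the rights reach.
        ns = o["metadata"].get("namespace")
        scope = CLUSTER_WIDE if o["kind"] == "ClusterRoleBinding" else ns
        ref = o["roleRef"]
        key = (ref["kind"], ns if ref["kind"] == "Role" else None, ref["name"])
        for rule in rules.get(key, []):
            for res in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    grants.setdefault(scope, set()).add((verb, res))
    return grants

def cluster_wide_resources(grants):
    """Resources reachable in every namespace; "secrets" in this list is a finding."""
    return sorted({res for _, res in grants.get(CLUSTER_WIDE, set())})

if __name__ == "__main__":
    g = effective_grants(ITEMS, "operator-sa", "kafka")
    print(g, cluster_wide_resources(g))
```

Removing the ClusterRoleBinding from the input, as the reply suggests for deployments that do not use rack awareness or node ports, leaves the account with no cluster-wide grants at all.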