RBAC namespace role

CHANGELOG

@@ -1,3 +1,7 @@
+Version 0.1.36 (2023-08-04)
+---------------------------
+charts/rbac-namespace-role: Create chart (#99)
+
 Version 0.1.35 (2023-06-23)
 ---------------------------
 charts/aws-otel-collector: bump version to 0.1.4

charts/rbac-namespace-role/Chart.yaml

@@ -0,0 +1,15 @@
+apiVersion: v2
+name: rbac-namespace-role
+description: A helm chart to setup a role which can manage a single namespace
+version: 0.1.0
+icon: https://raw.githubusercontent.com/snowplow-devops/helm-charts/master/docs/logo/snowplow.png
+home: https://github.com/snowplow-devops/helm-charts
+sources:
+  - https://github.com/snowplow-devops/helm-charts
+maintainers:
+  - name: jbeemster
+    url: https://github.com/jbeemster
+    email: jbeemster@users.noreply.github.com
+keywords:
+  - rbac
+  - roles

charts/rbac-namespace-role/README.md

@@ -0,0 +1,78 @@
+# rbac-namespace-role
+
+A helm chart to setup a role which can access a single namespace.
+
+## TL;DR
+
+```bash
+kubectl create namespace isolated
+helm repo add snowplow-devops https://snowplow-devops.github.io/helm-charts
+helm install rbac-namespace-role snowplow-devops/rbac-namespace-role --namespace isolated
+```
+
+## Introduction
+
+This chart is designed to leverage the inherent isolation layer between `namespace` structures to create a role that can only interact with a single specific space.  This allows you to, somewhat, safely multi-tenant a Kubernetes cluster.
+
+*Note*: By default the role created has full permissions on all apis, resources and verbs (it is assumed to be an admin role for this namespace).
+
+### Tutorial: Binding a `Role` in an EKS Cluster
+
+*Pre-requisite*: For this step you will need to ensure you have `eksctl` [installed](https://docs.aws.amazon.com/eks/latest/userguide/eksctl.html).
+
+To bind the created role you will need to already have a cluster that you can access from your CLI - you can validate this by running:
+
+```bash
+eksctl get iamidentitymapping --cluster "<cluster_name>" --region "<region>"
+
+# Should return something like ...
+ARN								USERNAME				GROUPS					ACCOUNT
+arn:aws:iam::000000000000:role/some-role-name	system:node:{{EC2PrivateDNSName}}	system:bootstrappers,system:nodes
+```
+
+Parameters:
+
+* `group`: If you deployed the default values the `group` parameter is `isolated-group`
+* `username`: This can be anything you like!
+* `arn`: This can be either a `user` or `role` ARN
+
+```bash
+eksctl create iamidentitymapping --cluster "<cluster_name>" --region "<region>" \
+    --arn "<user | role ARN>" --username "<username>" --group "isolated-group" \
+    --no-duplicate-arns
+
+# IAM Identity Mapping now includes something like ...
+arn:aws:iam::000000000000:role/some-other-role-name	admin					isolated-group
+```
+
+Connecting to the EKS Cluster with the defined role assumed or with a user should now allow access to the specified namespace.
+
+The [long-form guide](https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html) contains a lot of extra details if the commands here do not work.
+
+## Installing the Chart
+
+Install or upgrading the chart with default configuration:
+
+```bash
+helm upgrade --install rbac-namespace-role snowplow-devops/rbac-namespace-role  --namespace isolated
+```
+
+## Uninstalling the Chart
+
+To uninstall/delete the `rbac-namespace-role` release:
+
+```bash
+helm uninstall rbac-namespace-role  --namespace isolated
+kubectl delete namespace isolated
+```
+
+## Configuration
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| role.name | string | `"isolated-admin-role"` | The name to assign to the role |
+| role.apiGroups | list | `["*"]` | APIGroups is the name of the APIGroup that contains the resources |
+| role.resources | list | `["*"]` | Resources is a list of resources this rule applies to |
+| role.verbs | list | `["*"]` | Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule |
+| roleBinding.name | string | `"isolated-admin-rolebinding"` | The name to assign to the role-binding |
+| roleBinding.groupName | string | `"isolated-group"` | The name of the group which the role-binding is assigned to |

charts/rbac-namespace-role/templates/NOTES.txt

@@ -0,0 +1,3 @@
+Role {{ .Values.role.name }} has been created and has access to the namespace {{ .Release.Namespace }}.
+
+A Group has been bound to this role called {{ .Values.roleBinding.groupName }} - to leverage this role you should bind users to to this group

charts/rbac-namespace-role/templates/role.yaml

@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Values.role.name }}
+  namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+  {{- range $v := .Values.role.apiGroups }}
+  - {{ $v | quote }}
+  {{- end }}
+  resources:
+  {{- range $v := .Values.role.resources }}
+  - {{ $v | quote }}
+  {{- end }}
+  verbs:
+  {{- range $v := .Values.role.verbs }}
+  - {{ $v | quote }}
+  {{- end }}

charts/rbac-namespace-role/templates/rolebinding.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Values.roleBinding.name }}
+  namespace: {{ .Release.Namespace }}
+subjects:
+- kind: Group
+  name: {{ .Values.roleBinding.groupName }}
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role
+  name: {{ .Values.role.name }}
+  apiGroup: rbac.authorization.k8s.io

charts/rbac-namespace-role/values.yaml

@@ -0,0 +1,18 @@
+role:
+  # -- The name to assign to the role
+  name: "isolated-admin-role"
+  # -- APIGroups is the name of the APIGroup that contains the resources
+  apiGroups:
+    - "*"
+  # -- Resources is a list of resources this rule applies to
+  resources:
+    - "*"
+  # -- Verbs is a list of Verbs that apply to ALL the ResourceKinds contained in this rule
+  verbs:
+    - "*"
+
+roleBinding:
+  # -- The name to assign to the role-binding
+  name: "isolated-admin-rolebinding"
+  # -- The name of the group which the role-binding is assigned to
+  groupName: "isolated-group"