
Fix AWS permissions for Kubernetes Response Engine #465

Merged
merged 6 commits into from
Nov 20, 2018

Conversation

nestorsalceda
Contributor

Honor the principle of least privilege when giving permissions for Kubernetes Response Engine and RBAC and use a system account created specifically for AWS and Kubernetes Response Engine.

Configure needed permissions instead of using one too permissive.
Instead of giving a lot of permissions, set only the needed ones.
Maintain consistency between deployments.
This restricts the attack surface, and works better in terms of automation.
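The least-privilege point above (a dedicated service account bound to a role that lists only the verbs and resources the engine needs, rather than a wildcard grant) can be checked mechanically before deployment. The following linter is an added example, not code from this pull request or from the Falco project; the four manifests it inspects are constructed for illustration (the role and service-account names are hypothetical, and the `pods` get/list/delete rule is only a stand-in for whatever the engine actually requires), but the RBAC verbs `escalate`, `bind` and `impersonate` and the `system:*` groups it flags are real Kubernetes identifiers.

```python
"""Lint Kubernetes RBAC manifests for grants that violate least privilege.

Added example; the manifests below are constructed, not the project's real
cluster-role.yaml / cluster-role-binding.yaml. Manifests are given as JSON,
which kubectl accepts as well as YAML, so the script needs no extra packages.
"""
import json
from typing import List

WILDCARD = "*"
# Real RBAC verbs that let a subject widen its own permissions.
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}
# Binding to these groups hands the role to everyone (or to cluster admins).
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated", "system:masters"}

# --- constructed manifests -------------------------------------------------
PERMISSIVE_ROLE = json.dumps({
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "response-engine-too-broad"},  # hypothetical name
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
})
PERMISSIVE_BINDING = json.dumps({
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "response-engine-too-broad"},
    "subjects": [{"kind": "Group", "name": "system:authenticated",
                  "apiGroup": "rbac.authorization.k8s.io"}],
    "roleRef": {"kind": "ClusterRole", "name": "cluster-admin",
                "apiGroup": "rbac.authorization.k8s.io"},
})
LEAST_PRIVILEGE_ROLE = json.dumps({
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "response-engine"},  # hypothetical name
    # Illustrative minimal rule; the real engine's needs are not stated here.
    "rules": [{"apiGroups": [""], "resources": ["pods"],
               "verbs": ["get", "list", "delete"]}],
})
LEAST_PRIVILEGE_BINDING = json.dumps({
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "response-engine"},
    # Dedicated service account, as the PR description asks for.
    "subjects": [{"kind": "ServiceAccount", "name": "response-engine",
                  "namespace": "default"}],
    "roleRef": {"kind": "ClusterRole", "name": "response-engine",
                "apiGroup": "rbac.authorization.k8s.io"},
})


def lint_role(manifest: dict) -> List[str]:
    """Flag wildcard grants and escalation verbs in a Role/ClusterRole."""
    findings = []
    for i, rule in enumerate(manifest.get("rules", [])):
        for field in ("apiGroups", "resources", "verbs"):
            if WILDCARD in rule.get(field, []):
                findings.append(f"rules[{i}].{field}: wildcard grant")
        for verb in sorted(ESCALATION_VERBS & set(rule.get("verbs", []))):
            findings.append(f"rules[{i}].verbs: escalation verb '{verb}'")
    return findings


def lint_binding(manifest: dict) -> List[str]:
    """Flag bindings that are not scoped to a dedicated ServiceAccount."""
    findings = []
    for i, subject in enumerate(manifest.get("subjects", [])):
        kind, name = subject.get("kind"), subject.get("name", "")
        if kind == "Group" and name in BROAD_GROUPS:
            findings.append(f"subjects[{i}]: binds to broad group {name}")
        elif kind != "ServiceAccount":
            findings.append(f"subjects[{i}]: {kind} subject instead of a dedicated ServiceAccount")
        elif name == "default":
            findings.append(f"subjects[{i}]: uses the namespace's default ServiceAccount")
    if manifest.get("roleRef", {}).get("name") == "cluster-admin":
        findings.append("roleRef: grants cluster-admin")
    return findings


def lint(manifest_json: str) -> List[str]:
    """Dispatch on the manifest kind; returns an empty list when it looks least-privilege."""
    manifest = json.loads(manifest_json)
    kind = manifest.get("kind")
    if kind in ("Role", "ClusterRole"):
        return lint_role(manifest)
    if kind in ("RoleBinding", "ClusterRoleBinding"):
        return lint_binding(manifest)
    return [f"unsupported kind {kind!r}"]


if __name__ == "__main__":
    for label, doc in [("permissive role", PERMISSIVE_ROLE),
                       ("permissive binding", PERMISSIVE_BINDING),
                       ("least-privilege role", LEAST_PRIVILEGE_ROLE),
                       ("least-privilege binding", LEAST_PRIVILEGE_BINDING)]:
        print(label, "->", lint(doc) or "ok")
```

Running the script reports three wildcard findings for the permissive role and two for its binding (the `system:authenticated` group and the `cluster-admin` reference), and nothing for the two scoped manifests; wired into CI it turns the "maintain consistency between deployments" goal into a check that fails when a wildcard grant creeps back in.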
@mfdii
Member

mfdii commented Nov 12, 2018

The cluster-role.yaml is in the deployment and the cluster-role-binding.yaml is in deployment/aws. There doesn't seem to be anything that is AWS specific and in theory we should have the CNCF response engine stack use a similar user/roles if possible.

Regardless, I feel like the cluster-role and cluster-role-binding files should live in the same directory.

Although it duplicates some code, we prefer to duplicate some code and
place these files together.
@bencer bencer merged commit 21f16f0 into falcosecurity:dev Nov 20, 2018
3 participants