multena-rbac-collector is a Go program designed to retrieve all cluster/-roles, role bindings, and cluster role bindings from a Kubernetes cluster and process them for integration with multena-proxy.
This enables multena-proxy to make informed authorization decisions based on the fetched RBAC data.
go get github.com/gepaplexx/multena-rbac-collector- Two Modes:
- Run: One-time collection of RBAC data.
- Serve: Continuous collection of RBAC data, leveraging Kubernetes watch API.
- ConfigMap Storage: Use the
--cmNameand--cmNamespaceflags to specify a ConfigMap in the cluster to store the RBAC data. - Local Output: In the
runmode, the YAML is also outputted as a local file.
multena-rbac-collector [command]
Available Commands:
completion Generate the autocompletion script for the specified shell
help Help about any command
run Collects RBAC permissions and stores them in a ConfigMap
serve Starts continuous RBAC collection
Flags:
--cmName string in-cluster name of the ConfigMap to store the RBAC data
--cmNamespace string cluster namespace of the ConfigMap to store the RBAC data
--config string config file (default is $HOME/.multena-rbac-collector.yaml)
-h, --help help for multena-rbac-collector
--kubeconfig string path to the kubeconfig file (default is $HOME/.kube/config for local development)
-t, --toggle Help message for toggle
graph TD
%% Definitions
Serve["Serve()"]
Watch["Watch()"]
watchResources["watchResources(resourceType)"]
Signal[Signal]
%% Serve function logic
Serve --> |go| Watch
Serve --> |HTTP invoke| Signal
%% Watch function logic
Watch --> |go| watchResources
Watch --> UpdateConfigmapLoop
%% Watch Resources Logic
subgraph WatchResourceLoop["Watch Resources Loop"]
watchResources --> |List| ListResources["List Resource"]
ListResources --> WatchEvent[Watch Resources & Handle Events]
WatchEvent --> AddResource["Add Resource"]
WatchEvent --> ModifyResource["Modify Resource"]
WatchEvent --> DeleteResource["Delete Resource"]
end
%% Connecting Watch Events to Signal
AddResource --> Signal
ModifyResource --> Signal
DeleteResource --> Signal
%% Processing Signal Logic
subgraph UpdateConfigmapLoop["Update Configmap Loop"]
ProcessSignal["Process Signal"]
ProcessSignal --> DrainSignal["Drain Signal"]
ProcessSignal --> CheckEquality["Check Maps Equality"]
CheckEquality --> WriteConfigmap["Write Configmap"]
end
Signal --> ProcessSignal
To run the multena-rbac-collector, you need to grant it the following permissions in your Kubernetes cluster:
-
RoleBindings:
- API Group:
rbac.authorization.k8s.io - Resources:
rolebindings - Verbs:
get,list,watch
- API Group:
-
ClusterRoleBindings:
- API Group:
rbac.authorization.k8s.io - Resources:
clusterrolebindings - Verbs:
get,list,watch
- API Group:
-
Roles:
- API Group:
rbac.authorization.k8s.io - Resources:
roles - Verbs:
get,list,watch
- API Group:
-
ClusterRoles:
- API Group:
rbac.authorization.k8s.io - Resources:
clusterroles - Verbs:
get,list,watch
- API Group:
- ConfigMaps:
- API Group:
"" - Resources:
configmaps - Verbs:
get,create,update
- API Group:
Please ensure that these permissions are correctly set before deploying the multena-rbac-collector to your Kubernetes environment.
You can find a sample clusterrole binding for these permissions at this link.
the multena-rbac-collector can be deployed via the gp-multena Helm chart.
Desciption how to deploy Multena can be found here.
To deploy the rbac-collector using the gp-multena Helm chart, ensure you set the following values:
rbac-collector:
enabled: true the helm chart can be found here.
The package server provides the functionalities of serving endpoints /healthz for checking health and /invoke to manually trigger the RBAC data collection.
For continuously watching the RBAC changes in the Kubernetes cluster, the program leverages Kubernetes watch API. Upon detection of any changes, the RBAC data is processed, compared, and stored in the specified ConfigMap.
We welcome contributions! Please open an issue if you have any questions or suggestions.
This project is licensed under the terms of the MIT license.