secure tiller (#21)

* secure tiller

- remove tiller service
- run tiller as sidecar to dashboard deployment
- add tiller serviceaccount with cluster-admin role to make tiller work in RBAC-enabled clusters

* update tiller to 2.7.2

* set custom TILLER_NAMESPACE and lock-down tiller

tiller is configured to only listen on localhost connections

kubeapps-dashboard-values.yaml

@@ -7,7 +7,7 @@ api:
  replicaCount: 1
  image:
  repository: bitnami/monocular-api
- tag: v0.5.2
+ tag: v0.5.4
  pullPolicy: IfNotPresent
  auth:
  signingKey: secret

kubeapps-dashboard.jsonnet

@@ -87,6 +87,12 @@ local serviceDeployFromValues(parentName, componentName, values) = {
  },
  },
 
+ tillerServiceAccount: kube.ServiceAccount("tiller") + $.namespace,
+ tillerBinding: kube.ClusterRoleBinding("tiller-cluster-admin") {
+ roleRef_: kube.ClusterRole("cluster-admin"),
+ subjects_: [$.tillerServiceAccount],
+ },
+
  api: serviceDeployFromValues(name, "api", $.values.api) {
  config: HashedConfigMap(name + "-api") + $.namespace {
  metadata+: {labels+: labels},
@@ -97,6 +103,7 @@ local serviceDeployFromValues(parentName, componentName, values) = {
  host: "%s:%d" % [mongoDbHost, $.mongodb.spec.ports[0].port],
  database: "monocular",
  },
+ tillerHost: "localhost:44134",
  },
  "monocular.yaml": kubecfg.manifestJson(self.monocular_yaml),
  },
@@ -108,6 +115,7 @@ local serviceDeployFromValues(parentName, componentName, values) = {
  spec+: {
  template+: {
  spec+: {
+ serviceAccountName: $.tillerServiceAccount.metadata.name,
  containers_+: {
  default+: {
  env_+: {
@@ -130,6 +138,18 @@ local serviceDeployFromValues(parentName, componentName, values) = {
  config: {mountPath: "/monocular/config"},
  },
  },
+ local tillerContainer = (import "tiller-deployment.jsonnet").spec.template.spec.containers[0],
+ tiller: tillerContainer {
+ overrideEnvs(overrides):: [
+ if std.objectHas(overrides, x.name) then { name: x.name, value: overrides[x.name] } else x for x in tillerContainer.env
+ ],
+ env: self.overrideEnvs({
+ TILLER_NAMESPACE: $.api.deploy.metadata.namespace,
+ }),
+ ports: [], // Informational only, doesn't actually restrict access to :44134
+ command: ["/tiller"],
+ args+: ["--listen=localhost:44134"], // remove access to :44134 outside pod
+ },
  },
  volumes_+: {
  config: kube.ConfigMapVolume($.api.config),

kubeapps.jsonnet

@@ -12,10 +12,6 @@ local tls = false;
  // NB: these are left in their usual namespaces, to avoid forcing
  // non-default command line options onto client tools
  kubeless: (import "kubeless.jsonnet"),
- tiller: {
- deployment: (import "tiller-deployment.jsonnet"),
- service: kubecfg.parseYaml(importstr "tiller-service.yaml"),
- },
  ssecrets: (import "sealed-secrets.jsonnet"),
  nginx: (import "ingress-nginx.jsonnet") {
  namespace:: $.namespace,
@@ -51,7 +47,7 @@ local tls = false;
  namespace:: $.namespace,
  },
 
- hub: (import "kubeapps-dashboard.jsonnet") + {
+ dashboard: (import "kubeapps-dashboard.jsonnet") + {
  namespace:: $.namespace,
  mongodb:: $.mongodb.svc,
  ingress:: null,
@@ -104,8 +100,8 @@ local tls = false;
  rules: [{
  http: {
  paths: [
- {path: "/", backend: $.hub.ui.svc.name_port},
- {path: "/api/", backend: $.hub.api.svc.name_port},
+ {path: "/", backend: $.dashboard.ui.svc.name_port},
+ {path: "/api/", backend: $.dashboard.api.svc.name_port},
  {path: "/kubeless", backend: $.kubelessui.svc.name_port},
  ],
  },

tiller-deployment.jsonnet

@@ -34,7 +34,7 @@
  "value": "0"
  }
  ],
- "image": "gcr.io/kubernetes-helm/tiller:v2.7.0",
+ "image": "gcr.io/kubernetes-helm/tiller:v2.7.2",
  "imagePullPolicy": "IfNotPresent",
  "livenessProbe": {
  "httpGet": {