Mutual SSL Auth For Helm Tiller
Why
In order to improve the security of K8s clusters integrated with GitLab (and to better facilitate RBAC and multi-project clusters in future) we need the Helm Tiller that's deployed to the cluster to be locked down such that only the GitLab instance that deployed it can connect and get it to deploy other charts. Without this, anybody with access to the Helm Tiller server will be able to deploy any application to any namespace in the cluster, even when users intend to lock down parts of the cluster using RBAC roles.
What
This issue will ensure that when new Helm Tiller applications are deployed to K8s clusters through GitLab they will be locked down using mutual SSL, and no Helm clients outside of the GitLab instance will be able to use this Tiller server to deploy other applications.
Feature Assurance
In order to verify this you should find that running helm install ... (even after fetching kubectl credentials) will give authorisation errors as you do not have the signed client certificate. Before this change it should be possible for anybody with kubectl credentials to the cluster, or running kubectl inside any pod in the cluster, to ask the Helm Tiller server to deploy anything they want.
Links
See https://gitlab.com/gitlab-org/gitlab-ce/issues/29398#note_68357820 for original context