Investigate minimal rbac needed for Operational Container Scanning to scan workloads in a k8s cluster

Summary

If a customer installs the default helm chat for Gitlab agent for Kubernetes, it grants cluster-role access by default. This enables OCS to get and list all the workloads(Pods, ReplicaSet, ReplicationController, StatefulSet, DaemonSet, CronJob, Job), service accounts and secrets(for scanning private images) in the namespace that it is targetted to scan.

However, cluster-role access is not recommended for use in production.

As such, we need to update the OCS docs to suggest the minimal access rights that the agent running OCS needs for it to be able to operate properly.

Notes

• OCS starts a Trivy scanner pod for each configured namespace to be scanned
• The scanner pod spec is configured with the gitlab-agent service account
• The gitlab-agent service account requires access to list and get these workload types (Pods, ReplicaSet, ReplicationController, StatefulSet, DaemonSet, CronJob, Job) for each namespace to be scanned
• To scan private images, the gitlab-agent service account also needs access to get the secret or the service account associated with the workload being scanned
• The gitlab-agent service account also needs access to create, watch and delete Trivy scanner pods in the gitlab-agent namespace

Implementation Plan

• Investigate the minimal k8s rbac that OCS needs to be able to scan:
  • workloads types(Pods, ReplicaSet, ReplicationController, StatefulSet, DaemonSet, CronJob, Job)
  • secrets(Needed for scanning private images)
  • service accounts(Needed for scanning private images)
• Test Minimal RBAC in GKE
• Update OCS docs on configuration needed

  • Minimal RBAC needed for each targetted namespace to be scanned

  • Reference the RBAC needed for the gitlab-agent service account to create, watch and delete Trivy pods in the gitlab-agent namespace. This is found in the tutorial How to deploy the GitLab Agent for Kubernetes with limited permissions referenced in the Install the agent with Helm doc. Specifically this is the RBAC:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      namespace: gitlab-kubernetes-agent
      name: gitlab-kubernetes-agent-write
    rules:
    - resources:
      - '*'
      apiGroups:
      - '*'
      verbs:
      - create
      - update
      - delete
      - patch
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      namespace: gitlab-kubernetes-agent
      name: gitlab-kubernetes-agent-write-binding
    roleRef:
      name: gitlab-kubernetes-agent-write
      kind: Role
      apiGroup: rbac.authorization.k8s.io
    subjects:
    - name: gitlab-kubernetes-agent
      kind: ServiceAccount
      namespace: gitlab-kubernetes-agent
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      namespace: gitlab-kubernetes-agent
      name: gitlab-kubernetes-agent-read
    rules:
    - resources:
      - '*'
      apiGroups:
      - '*'
      verbs:
      - get
      - list
      - watch
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      namespace: gitlab-kubernetes-agent
      name: gitlab-kubernetes-agent-read-binding
    roleRef:
      name: gitlab-kubernetes-agent-read
      kind: Role
      apiGroup: rbac.authorization.k8s.io
    subjects:
    - name: gitlab-kubernetes-agent
      kind: ServiceAccount
      namespace: gitlab-kubernetes-agent