diff --git a/applications/base/services/rbac-manager/README.md b/applications/base/services/rbac-manager/README.md
new file mode 100644
index 0000000..dac9774
--- /dev/null
+++ b/applications/base/services/rbac-manager/README.md
@@ -0,0 +1,14 @@
+# RBAC Manager – Base Configuration
+
+This directory contains the **base manifests** for deploying [RBAC Manager](https://github.com/FairwindsOps/rbac-manager), a Kubernetes operator that simplifies the management of RoleBindings and ClusterRoleBindings.
+It is designed to be **consumed by cluster repositories** as a remote base, allowing each cluster to apply **custom overrides** as needed.
+
+**About RBAC Manager:**
+
+- Automates the creation and maintenance of **Kubernetes RBAC roles and bindings** using declarative configurations.
+- Introduces the `RBACDefinition` custom resource to manage multiple roles and bindings in a single YAML file.
+- Simplifies access control management for users, groups, and service accounts across namespaces.
+- Reduces manual errors and configuration drift by keeping RBAC resources consistent and version-controlled.
+- Supports both **namespaced** and **cluster-wide** role management, making it suitable for multi-team or multi-tenant clusters.
+- Commonly used to manage platform-level access, application team permissions, and read-only auditor roles.
+- Improves security and governance by providing a consistent and automated approach to RBAC configuration.
diff --git a/applications/base/services/rbac-manager/helm-values/hardened-values-1.21.1.yaml b/applications/base/services/rbac-manager/helm-values/hardened-values-1.21.1.yaml
new file mode 100644
index 0000000..ee6a156
--- /dev/null
+++ b/applications/base/services/rbac-manager/helm-values/hardened-values-1.21.1.yaml
@@ -0,0 +1,129 @@
+---
+# Hardened values for rbac-manager v1.21.1 (app version v1.9.2)
+# RBAC Manager for automated RBAC management
+# Based on official Fairwinds chart values and documentation
+
+# Image configuration
+image:
+  repository: quay.io/reactiveops/rbac-manager
+  tag: v1.9.2
+  digest: ""
+  pullPolicy: Always
+  imagePullSecrets: []
+
+# Install CRDs
+installCRDs: true
+
+# CRD configuration
+crds:
+  additionalLabels:
+    app.kubernetes.io/component: rbac-manager
+    app.kubernetes.io/part-of: openCenter
+
+# RBAC configuration
+rbac:
+  additionalLabels:
+    app.kubernetes.io/component: rbac-manager
+    app.kubernetes.io/part-of: openCenter
+
+# Resource management - aligned with official defaults but with hardened limits
+resources:
+  requests:
+    cpu: 100m
+    memory: 128Mi
+  limits:
+    cpu: 200m
+    memory: 256Mi
+
+# Priority class for system-critical workload
+priorityClassName: "system-cluster-critical"
+
+# Node scheduling
+nodeSelector:
+  kubernetes.io/os: linux
+
+# Tolerations for system nodes
+tolerations:
+  - key: node-role.kubernetes.io/control-plane
+    operator: Exists
+    effect: NoSchedule
+  - key: node-role.kubernetes.io/master
+    operator: Exists
+    effect: NoSchedule
+
+# Affinity for better distribution
+affinity:
+  podAntiAffinity:
+    preferredDuringSchedulingIgnoredDuringExecution:
+      - weight: 100
+        podAffinityTerm:
+          labelSelector:
+            matchExpressions:
+              - key: app.kubernetes.io/name
+                operator: In
+                values:
+                  - rbac-manager
+          topologyKey: kubernetes.io/hostname
+
+# Pod annotations for enhanced monitoring
+podAnnotations:
+  cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
+  prometheus.io/scrape: "true"
+  prometheus.io/port: "8080"
+  prometheus.io/path: "/metrics"
+
+# Pod labels
+podLabels:
+  app.kubernetes.io/component: rbac-manager
+  app.kubernetes.io/part-of: openCenter
+
+# Pod security context - enhanced security
+podSecurityContext:
+  runAsNonRoot: true
+  runAsUser: 65534
+  runAsGroup: 65534
+  fsGroup: 65534
+  seccompProfile:
+    type: RuntimeDefault
+
+# Container security context - official recommendations with enhancements
+securityContext:
+  allowPrivilegeEscalation: false
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  capabilities:
+    drop:
+      - ALL
+
+# Deployment labels
+deploymentLabels:
+  app.kubernetes.io/component: rbac-manager
+  app.kubernetes.io/part-of: openCenter
+
+# Service Monitor for Prometheus - enabled with proper configuration
+serviceMonitor:
+  enabled: true
+  additionalLabels:
+    app.kubernetes.io/component: rbac-manager
+    app.kubernetes.io/part-of: openCenter
+  annotations:
+    prometheus.io/scrape: "true"
+  namespace: rbac-system
+  interval: 30s
+  relabelings:
+    - sourceLabels: [__meta_kubernetes_pod_name]
+      targetLabel: pod
+    - sourceLabels: [__meta_kubernetes_namespace]
+      targetLabel: namespace
+
+# Extra arguments for enhanced functionality
+extraArgs:
+  # Enable metrics endpoint
+  metrics-address: "0.0.0.0:8042"
+  # Set log level
+  v: "2"
+  # Enable leader election for HA
+  # leader-elect: "true"
+  # Set reconcile period
+  # sync-period: "30s"
diff --git a/applications/base/services/rbac-manager/helmrelease.yaml b/applications/base/services/rbac-manager/helmrelease.yaml
new file mode 100644
index 0000000..12a5a5a
--- /dev/null
+++ b/applications/base/services/rbac-manager/helmrelease.yaml
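Review bot: A values file labelled "hardened" pins the operator image only by the mutable tag `v1.9.2` (`digest: ""`), and `pullPolicy: Always` makes every pod start re-resolve that tag, so anyone able to repoint the tag on quay.io controls a controller whose job is writing ClusterRoleBindings; resolve the tag once and set `digest: "sha256:…"` (the `digest` key is already declared here, presumably mapping to the chart's image digest field). Separately, the scrape annotation `prometheus.io/port: "8080"` disagrees with `metrics-address: "0.0.0.0:8042"` under `extraArgs`, so annotation-based scraping and the ServiceMonitor will not target the same port; one of the two values should change. Whether this chart version consumes `extraArgs` as a map rather than a list is not visible here and is worth confirming against the chart's values.yaml.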
@@ -0,0 +1,37 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: rbac-manager
+  namespace: rbac-system
+spec:
+  releaseName: rbac-manager
+  interval: 5m
+  timeout: 10m
+  driftDetection:
+    mode: enabled
+  install:
+    remediation:
+      retries: 3
+      remediateLastFailure: true
+  upgrade:
+    remediation:
+      retries: 0
+      remediateLastFailure: false
+  targetNamespace: rbac-system
+  chart:
+    spec:
+      chart: rbac-manager
+      version: 1.21.1
+      sourceRef:
+        kind: HelmRepository
+        name: fairwinds-stable
+        namespace: rbac-system
+  valuesFrom:
+    - kind: Secret
+      name: rbac-manager-values-base
+      valuesKey: hardened.yaml
+    - kind: Secret
+      name: rbac-manager-values-override
+      valuesKey: override.yaml
+      optional: true
diff --git a/applications/base/services/rbac-manager/kustomization.yaml b/applications/base/services/rbac-manager/kustomization.yaml
new file mode 100644
index 0000000..6803e6a
--- /dev/null
+++ b/applications/base/services/rbac-manager/kustomization.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - "namespace.yaml"
+  - "source.yaml"
+  - "helmrelease.yaml"
+secretGenerator:
+  - name: rbac-manager-values-base
+    type: Opaque
+    files: [hardened.yaml=helm-values/hardened-values-1.21.1.yaml]
+    options:
+      disableNameSuffixHash: true
diff --git a/applications/base/services/rbac-manager/namespace.yaml b/applications/base/services/rbac-manager/namespace.yaml
new file mode 100644
index 0000000..c3c7921
--- /dev/null
+++ b/applications/base/services/rbac-manager/namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: rbac-system
diff --git a/applications/base/services/rbac-manager/source.yaml b/applications/base/services/rbac-manager/source.yaml
new file mode 100644
index 0000000..38c8c81
--- /dev/null
+++ b/applications/base/services/rbac-manager/source.yaml
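Review bot: `upgrade.remediation` disables both retries and rollback (`retries: 0`, `remediateLastFailure: false`), so an upgrade that fails — for example because a cluster's `rbac-manager-values-override` secret renders an invalid spec — leaves the release in a failed state with no return to the last working revision, while `install.remediation` retries three times and remediates. If the asymmetry is intentional a comment should say why; otherwise `remediateLastFailure: true` under `upgrade.remediation` restores Flux's default rollback behaviour. Note also that the optional override secret is merged last, so it can replace any key in the hardened values, including the security contexts; this base cannot enforce hardening by itself and the README should say where that guardrail lives.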
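Review bot: The kustomization sets no top-level `namespace:`, so the generated `rbac-manager-values-base` Secret and the `HelmRepository` from `source.yaml` (which carries no `metadata.namespace`) are created in whatever namespace the consuming Flux Kustomization applies to — `default` unless it sets `targetNamespace` — while the HelmRelease looks for both in `rbac-system` (Flux resolves `valuesFrom` in the HelmRelease's own namespace, and `sourceRef.namespace` is explicit). On a cluster without such a targetNamespace the release would fail to fetch its chart and its non-optional values. Adding `namespace: rbac-system` to `kustomization.yaml` places the Secret and the HelmRepository alongside the HelmRelease.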
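Review bot: The `rbac-system` Namespace carries no Pod Security Admission labels, so nothing prevents a cluster's optional override values from dropping the `runAsNonRoot`, `seccompProfile` or `capabilities.drop: [ALL]` settings in the hardened values, which as written appear to satisfy the `restricted` profile (assuming the chart adds no other containers or volume types). Adding `pod-security.kubernetes.io/enforce: restricted` (with matching `warn` and `audit` labels) under `metadata.labels` turns that hardening into a namespace invariant rather than a default an override can silently undo. This assumes PSA is enabled on the target clusters, which it is by default on recent Kubernetes versions.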
@@ -0,0 +1,8 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: fairwinds-stable
+spec:
+  url: https://charts.fairwinds.com/stable
+  interval: 1h
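Review bot: Chart integrity for this source rests entirely on TLS to `charts.fairwinds.com`: Flux's signature verification (`HelmChart.spec.verify`) is, to my knowledge, only available for OCI repositories (`type: oci`), not for classic HTTP(S) index repositories like this one, so the exact `version` pin in the HelmRelease is the only supply-chain control on the chart. If Fairwinds publishes this chart as a signed OCI artifact, switching `url` to an `oci://` reference with `type: oci` and enabling `verify` would add provenance; otherwise a one-line comment above `url` stating that trust assumption (`# trust: TLS only; no signature verification for HTTP index repos`) would help future reviewers.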