github gruntwork-io/kubergrunt v0.4.0

5 years ago

Commands Affected

  • helm grant
  • helm revoke [NEW]

Description

This release introduces the helm revoke command, which will remove access to Tiller from the specified RBAC entities. This is done by removing:

  • The RoleBinding that binds permissions to access the Kubernetes Secret containing the TLS key pair and the Tiller Pod.
  • The Role that grants permissions to access the Kubernetes Secret containing the TLS key pair and the Tiller Pod.
  • The Kubernetes Secret containing the client TLS certificate.

To support the revoke action, this release updates the grant command to add labels to the Role, RoleBinding, and Secret that it generates, so that revoke can later find them.

WARNING: This revoke command is incompatible with any grant commands that were run before this version. See the "Migration Notes" for details on how to revoke access to already granted entities.

NOTE: This revoke command does not invalidate the TLS certificate itself. If the entity can still open a connection to the Tiller pod, it can keep using the certificate to authenticate. For a full revocation, you will need to reissue the certificates under a new CA and install that CA in the Tiller pod.

Migration Notes

The revoke command depends on labels set on the Role, RoleBinding, and Secret to find them for deletion. Previous versions of kubergrunt did not set labels on these resources during the grant operation, so revoke cannot find resources created by those versions. If you wish to revoke access to entities that were granted access using a previous version of grant, follow these steps:

  • Get the entity name. For RBAC Users and Groups, this is the name of the User or Group. For ServiceAccounts, this is the string NAMESPACE/NAME, where NAMESPACE is the namespace where the ServiceAccount is defined and NAME is the name of the ServiceAccount.
  • Generate an md5 hash of the entity name string. We will refer to it below as the environment variable ENTITY_ID_MD5.
  • Record the name of the Tiller namespace in the environment variable TILLER_NAMESPACE.
  • Delete the objects using kubectl:

    kubectl delete rolebinding "$ENTITY_ID_MD5-$ENTITY_ID_MD5-$TILLER_NAMESPACE-tiller-access-binding" -n "$TILLER_NAMESPACE"
    kubectl delete role "$ENTITY_ID_MD5-$TILLER_NAMESPACE-tiller-access" -n "$TILLER_NAMESPACE"
    kubectl delete secret "tiller-client-$ENTITY_ID_MD5-certs" -n "$TILLER_NAMESPACE"
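The migration steps above as a small POSIX shell helper, added here as an example and not kubergrunt's own code. It assumes kubectl is on PATH and TILLER_NAMESPACE is exported, derives ENTITY_ID_MD5 from the entity name exactly as described, builds the three legacy resource names, and only runs the deletes when APPLY=1 (it prints them otherwise); the function names (md5_hex, entity_name, revoke_legacy, ...) are this example's own.

```shell
#!/bin/sh
# Legacy (pre-v0.4.0) grant cleanup for kubergrunt. Example code, not part of kubergrunt.
# Usage: TILLER_NAMESPACE=kube-system [APPLY=1] ./revoke-legacy.sh <user|group|serviceaccount> <name> [<sa-namespace>]
set -eu

# md5 hex digest of a string with no trailing newline (assumed to match how grant hashed the entity name).
md5_hex() {
  if command -v md5sum >/dev/null 2>&1; then
    printf '%s' "$1" | md5sum | cut -d' ' -f1
  elif command -v openssl >/dev/null 2>&1; then
    printf '%s' "$1" | openssl dgst -md5 | awk '{print $NF}'
  else
    printf '%s' "$1" | md5 -q   # macOS without coreutils
  fi
}

# Entity name as grant saw it: the User/Group name, or NAMESPACE/NAME for a ServiceAccount.
entity_name() {
  case "$1" in
    user|group)        printf '%s' "$2" ;;
    serviceaccount|sa) printf '%s/%s' "$2" "$3" ;;
    *) echo "unknown entity kind: $1 (expected user, group or serviceaccount)" >&2; return 1 ;;
  esac
}

# The three resource names a pre-v0.4.0 grant created, per the migration notes above.
legacy_rolebinding_name() { printf '%s-%s-%s-tiller-access-binding' "$1" "$1" "$2"; }
legacy_role_name()        { printf '%s-%s-tiller-access' "$1" "$2"; }
legacy_secret_name()      { printf 'tiller-client-%s-certs' "$1"; }

# Execute the command only when APPLY=1; otherwise show what would run.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf 'DRY-RUN: %s\n' "$*"; fi
}

# revoke_legacy <kind> <name> [<sa-namespace>]: delete the RoleBinding, then the Role, then the Secret.
revoke_legacy() {
  name=$(entity_name "$@")
  id=$(md5_hex "$name")
  ns=${TILLER_NAMESPACE:?TILLER_NAMESPACE must be set to the Tiller namespace}
  run kubectl delete rolebinding "$(legacy_rolebinding_name "$id" "$ns")" -n "$ns"
  run kubectl delete role "$(legacy_role_name "$id" "$ns")" -n "$ns"
  run kubectl delete secret "$(legacy_secret_name "$id")" -n "$ns"
}

# Only act when invoked with arguments, so the file can also be sourced for its functions.
[ "$#" -eq 0 ] || revoke_legacy "$@"
```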

Special Thanks

Special thanks to @bwhaley for their contribution!
