Skip to content

CmdrSharp/kufefe

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

54 Commits

.github/workflows

.github/workflows

 
 

charts/kufefe

charts/kufefe

 
 

src

src

 
 

.gitignore

.gitignore

 
 

Cargo.lock

Cargo.lock

 
 

Cargo.toml

Cargo.toml

 
 

Dockerfile

Dockerfile

 
 

LICENSE

LICENSE

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

rustfmt.toml

rustfmt.toml

 
 

set-app-version.sh

set-app-version.sh

 
 

Repository files navigation

Kufefe - Ephemeral Kubeconfig Generator

Kufefe lets you generate kubeconfig files that are;

  • Ephemeral - because giving out the cluster kubeconfig is dangerous as it never expires
  • Scoped - allowing you to limit access to only what is required

It runs inside your cluster and scans for new cluster-scoped Requests. Related resources (the ServiceAccount, Secret and ClusterRoleBinding) are automatically deleted through their ownerReference to the Request. For resources that are namespaced, they will always be created in the deployment namespace.

Kufefe currently supports Kubernetes version 1.25 and up.

Installation

Installation is done via Helm. Only a few values need to be set. Kufefe does not expose a service (and does not need to) - it runs as a single pod and consumes very little in terms of resources.

helm repo add kufefe https://cmdrsharp.github.io/kufefe
helm install kufefe kufefe/kufefe

See values.yaml for a comprehensive list of values that can be set. For many cluster types, you will need to set kufefe.clusterUrl to the API Address of your Kubernetes Cluster.

Request CRD

The Request CRD a simple cluster-scoped resource where you specify which ClusterRole you want the request to be tied to. A request will look something like this:

apiVersion: "kufefe.io/v1"
kind: Request
metadata:
  name: i-need-a-kubeconfig
spec:
  role: my-cluster-role # See note below on roles!

Shortly upon creating this Request, you should see that it is marked Ready.

❯ kubectl get req
NAME                  READY   AGE
i-need-a-kubeconfig   true    2s

You can now get the kubeconfig:

❯ kubectl get req i-need-a-kubeconfig -o=jsonpath='{.status.kubeconfig}'

Privilege Escalation & Role Aggregation

Kufefe's own RBAC is set up using aggregated cluster roles with the label rbac.authorization.k8s.io/aggregate-kufefe: "true".

In order for Kufefe to be allowed to create Service Accounts that bind to other roles, there are two prerequisites:

  1. The role must be annotated with kufefe.io/role: "true". If it is not, Kufefe will not create an SA bound to that role.
  2. Kufefe itself must be allowed to bind to the role it is trying to create an SA for. This a Kubernetes mechanism to prevent privilege escalation.

For scenario two, let's say you have a ClusterRole called debug. In order for Kufefe to be allowed to create SA's bound to this role, you would create a ClusterRole like this:

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kufefe:rbac:bind:debug
  labels:
    rbac.authorization.k8s.io/aggregate-kufefe: "true"
rules:
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterroles"]
  verbs: ["bind"]
  resourceNames: ["debug"] # Leave out to allow binding to ANY ClusterRole. Not recommended.

With this role created, Kufefe will now be allowed to create the ServiceAccount tied to the debug role.

About

A tool to generate short-lived service accounts and kubeconfigs

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases 2

kufefe-1.0.1 Latest
Jun 8, 2023
+ 1 release

Packages

No packages published

Languages