Remove RBAC permission from ASM plugin #422
Description
The ASM plugin currently has four Kubernetes API permissions that are all cluster-scoped (not node-scoped), and could benefit from paring them down by making certain ones optional or removing them altogether. Ideally, the ASM plugin would not require any permissions of its own from Kubernetes or AWS, so that the principal of least permissions is followed.
- apiGroups: [""]
resources: ["serviceaccounts/token"]
verbs: ["create"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["get"]
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get"]- Use CSI TokenRequest for obtaining service account tokens #400 references how ASM could leverage TokenRequest to get tokens via the Kubelet
GETonserviceaccountsis used for IRSA-based auth to get a pod's IAM role via an annotation. For installations using EKS Pod Identity, this can be removed (you could use a condition in the helm chart template to make this optional)- For listing Pods and Nodes, it looks like thats only done for getting the AWS region. It'd be great if this could be provided by a Helm Chart environment variable in the short term. Longer term, if/when Kubernetes adds support for node labels to the Downward API, that could just be injected into the pod without any user input.
Its worth noting that Kubelet today has permissions to list all pods (but not nodes), but this permission is going to be restricted in future versions of Kubernetes to only allow a node to list the pods running on it.