From 5ec39ce8bc89b23889a407337a4a2ab871455ef5 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Fri, 4 Feb 2022 21:41:27 +0100
Subject: [PATCH] fix(goharbor): Limit permissions for goharbor helm release

This patch adds a new service-account that is used by flux to deploy
harbor to the namespace. This reduces the risk: if the helm chart
contains any malicious objects, they are contained in the namespace.
---
 apps/base/goharbor/namespace.yaml | 30 ++++++++++++++++++++++++++++++
 apps/base/goharbor/release.yaml   |  1 +
 2 files changed, 31 insertions(+)

diff --git a/apps/base/goharbor/namespace.yaml b/apps/base/goharbor/namespace.yaml
index 3d1dead49..15df40ed4 100644
--- a/apps/base/goharbor/namespace.yaml
+++ b/apps/base/goharbor/namespace.yaml
@@ -4,3 +4,33 @@ metadata:
   name: goharbor
   labels:
     name: goharbor
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: flux-reconciler
+  namespace: goharbor
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: flux-reconciler
+  namespace: goharbor
+rules:
+  - apiGroups: ["*"]
+    resources: ["*"]
+    verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: flux-reconciler
+  namespace: goharbor
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: flux-reconciler
+subjects:
+  - kind: ServiceAccount
+    name: flux-reconciler
+    namespace: goharbor
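Review bot: The Role's single rule (`apiGroups: ["*"]`, `resources: ["*"]`, `verbs: ["*"]`) makes the namespace boundary the only limit left, so the flux-reconciler service account can still read every Secret in goharbor, exec into its pods, and create or bind further RBAC objects inside the namespace. That does achieve what the commit message states (cluster-scoped objects such as CRDs, ClusterRoles or cluster-wide bindings will be rejected), but a malicious chart object would still reach any credentials held in the namespace. Consider enumerating the kinds the chart actually renders and listing those apiGroups/resources explicitly instead of wildcards, and record the intent above `rules:` with a comment such as `# Wildcards are deliberately namespace-scoped: cluster-scoped objects from the chart are rejected`. The effective permissions can be confirmed with `kubectl auth can-i --list -n goharbor --as=system:serviceaccount:goharbor:flux-reconciler`.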
diff --git a/apps/base/goharbor/release.yaml b/apps/base/goharbor/release.yaml
index 8b7bb65a9..da005c550 100644
--- a/apps/base/goharbor/release.yaml
+++ b/apps/base/goharbor/release.yaml
@@ -4,6 +4,7 @@ metadata:
   name: goharbor
   namespace: goharbor
 spec:
+  serviceAccountName: flux-reconciler
   timeout: 15m
   releaseName: harbor
   chart:
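Review bot: The added `serviceAccountName: flux-reconciler` carries no explanation, and the reader of this file cannot see that the account is defined in namespace.yaml with a namespace-only Role; a comment above the line such as `# Reconcile with a namespace-scoped SA (see namespace.yaml) so the chart cannot create cluster-scoped objects` would record why the release is not run with the controller's own identity. Presumably this is a HelmRelease (the kind is outside the hunk), in which case the release will now fail if the chart emits any cluster-scoped resource, so it is worth checking the rendered templates and that the ServiceAccount is applied before the release reconciles. The spec continues outside the hunk.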
-- 
GitLab