fix(goharbor): Limit permissions for goharbor helm release

This patch adds a new service-account that is used by flux to deploy harbor to the namespace. This reduces the risk if the helm chart contains any malicious objects to be contained in the namespace.

fix(goharbor): Limit permissions for goharbor helm release
5ec39ce8 · Sheogorath · 8bd381fd · 5ec39ce8 · 5ec39ce8
Verified Commit 5ec39ce8 authored 3 years ago by Sheogorath
--- a/apps/base/goharbor/namespace.yaml
+++ b/apps/base/goharbor/namespace.yaml
@@ -4,3 +4,33 @@ metadata:
  name: goharbor
  labels:
    name: goharbor
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: flux-reconciler
+  namespace: goharbor
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: flux-reconciler
+  namespace: goharbor
+rules:
+  - apiGroups: ["*"]
+    resources: ["*"]
+    verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: flux-reconciler
+  namespace: goharbor
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: flux-reconciler
+subjects:
+  - kind: ServiceAccount
+    name: flux-reconciler
+    namespace: goharbor
--- a/apps/base/goharbor/release.yaml
+++ b/apps/base/goharbor/release.yaml
@@ -4,6 +4,7 @@ metadata:
  name: goharbor
  namespace: goharbor
 spec:
+  serviceAccountName: flux-reconciler
  timeout: 15m
  releaseName: harbor
  chart: