bluejay/bluejay-infra
1
0
Fork 0
Code Issues Pull Requests 15 Actions Packages Projects Releases Wiki Activity

security(agent-zero): replace cluster-admin with least-privilege read-only RBAC (SEC-6/RBAC-001)

Browse Source 
agent-zero is an LLM agent; cluster-admin let raw kubectl bypass the MCP layer to
read every Secret / exec any pod. Swap for a read-only ClusterRole (no secrets/
configmaps/exec/writes) so sensitive + mutating actions go through gated MCP tools.
Already applied live + verified (secrets/exec/write -> Forbidden, observe stays);
this makes it durable so ArgoCD selfHeal doesn't revert to cluster-admin.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Andrew Stoltz
2026-06-17 11:28:19 -05:00
parent e4e03643a4
commit 191eb91642
1 changed files with 35 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
apps/agent-zero/agent-zero.yaml
View File

@@ -76,14 +76,47 @@ metadata:
namespace: agent-zero namespace: agent-zero
--- ---
# SEC-6 / audit RBAC-001: agent-zero is an LLM agent — cluster-admin let raw
# kubectl BYPASS the MCP layer to read every Secret / exec any pod. Scoped to
# read-only (no secrets/configmaps/exec/writes) so sensitive + mutating actions
# must go through the gated MCP tools (the operator's intended boundary).
# Detail: FlowerCore.Notes docs/security/sec-6-agent-zero-rbac-remediation.md.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: agent-zero-readonly
labels:
flowercore.io/sec-lane: SEC-6
rules:
- apiGroups: [""]
resources: ["pods", "pods/log", "services", "endpoints", "events", "namespaces", "nodes", "persistentvolumeclaims", "replicationcontrollers", "serviceaccounts"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["batch"]
resources: ["jobs", "cronjobs"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses", "networkpolicies"]
verbs: ["get", "list", "watch"]
- apiGroups: ["traefik.io", "traefik.containo.us"]
resources: ["ingressroutes", "middlewares"]
verbs: ["get", "list", "watch"]
- apiGroups: ["metrics.k8s.io"]
resources: ["pods", "nodes"]
verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:
name: agent-zero-cluster-admin name: agent-zero-readonly
labels:
flowercore.io/sec-lane: SEC-6
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: ClusterRole kind: ClusterRole
name: cluster-admin name: agent-zero-readonly
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: agent-zero name: agent-zero