From 30e04a10c686c7b488b96eecc59c87c447745220 Mon Sep 17 00:00:00 2001 From: Andrew Stoltz <1578013+astoltz@users.noreply.github.com> Date: Thu, 18 Jun 2026 15:05:43 -0500 Subject: [PATCH] security(guacamole): scope guacd Kubernetes exec RBAC --- apps/guacamole/guacamole.yaml | 280 +++++++++++++++++++++++++++++++++- 1 file changed, 272 insertions(+), 8 deletions(-) diff --git a/apps/guacamole/guacamole.yaml b/apps/guacamole/guacamole.yaml index d9b6933..7437440 100644 --- a/apps/guacamole/guacamole.yaml +++ b/apps/guacamole/guacamole.yaml @@ -225,8 +225,7 @@ spec: - "--port=8001" - "--address=127.0.0.1" - "--accept-hosts=.*" - - "--accept-paths=.*" - - "--disable-filter=true" + - "--accept-paths=^/api/v1/namespaces/(argocd|gitea|telephony|traefik-system|zabbix|matrix|irc|mail|selenium)/pods(/[^/]+(/(exec|attach))?)?$" - "--v=2" resources: requests: @@ -526,10 +525,13 @@ metadata: name: guacd-exec namespace: guacamole --- +# Namespace-scoped exec/list rights for the Kubernetes protocol and sync job. +# Keep this allowlist in lockstep with TARGET_NAMESPACES below. apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: Role metadata: name: guacd-pod-exec + namespace: argocd labels: app.kubernetes.io/component: proxy app.kubernetes.io/name: guacd 
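Review bot: Removing `--disable-filter=true` re-enables kubectl proxy's built-in path filter, and that filter ships with a default `--reject-paths` of `^/api/.*/pods/.*/exec,^/api/.*/pods/.*/attach`, so the exec and attach paths the new `--accept-paths` regex is meant to allow may be rejected before the allowlist is consulted, unless the kubectl in this image has changed that default. If that is the case, add an explicit override alongside the new flag, e.g. `- "--reject-paths=^$"` (a pattern that matches no path; avoid an empty value, which can behave as match-everything), so the `--accept-paths` allowlist is the only path filter in effect. A comment above the regex would also help, e.g. `# Path allowlist: list/get pods and exec/attach in the namespaces granted by the per-namespace Roles below`. The container spec this argument list belongs to starts and ends outside the hunk.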
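Review bot: The new header comment names only `TARGET_NAMESPACES` as the thing to keep in sync, but the same namespace set is now encoded in three places: the `--accept-paths` regex in the earlier hunk, the per-namespace Role/RoleBinding pairs, and (by the comment's own account) `TARGET_NAMESPACES`, which is not visible in this patch. I would widen the comment so a later edit cannot miss one of them, e.g. `# Namespace-scoped exec/list rights for the Kubernetes protocol and sync job.` / `# This namespace set is also encoded in the kubectl-proxy --accept-paths regex above and in TARGET_NAMESPACES below; change all three together.` The comment also sits only on the first (argocd) Role, so the seven copies that follow carry no pointer back to it.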
@@ -540,20 +542,282 @@ rules: - apiGroups: [""] resources: ["pods/exec", "pods/attach"] verbs: ["create", "get"] - - apiGroups: [""] - resources: ["namespaces"] - verbs: ["list", "get"] --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding +kind: RoleBinding metadata: name: guacd-pod-exec + namespace: argocd labels: app.kubernetes.io/component: proxy app.kubernetes.io/name: guacd roleRef: apiGroup: rbac.authorization.k8s.io - kind: ClusterRole + kind: Role + name: guacd-pod-exec +subjects: + - kind: ServiceAccount + name: guacd-exec + namespace: guacamole +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: guacd-pod-exec + namespace: gitea + labels: + app.kubernetes.io/component: proxy + app.kubernetes.io/name: guacd +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["pods/exec", "pods/attach"] + verbs: ["create", "get"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: guacd-pod-exec + namespace: gitea + labels: + app.kubernetes.io/component: proxy + app.kubernetes.io/name: guacd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: guacd-pod-exec +subjects: + - kind: ServiceAccount + name: guacd-exec + namespace: guacamole +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: guacd-pod-exec + namespace: telephony + labels: + app.kubernetes.io/component: proxy + app.kubernetes.io/name: guacd +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["pods/exec", "pods/attach"] + verbs: ["create", "get"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: guacd-pod-exec + namespace: telephony + labels: + app.kubernetes.io/component: proxy + app.kubernetes.io/name: guacd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: guacd-pod-exec +subjects: + - kind: ServiceAccount + name: guacd-exec + 
namespace: guacamole +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: guacd-pod-exec + namespace: traefik-system + labels: + app.kubernetes.io/component: proxy + app.kubernetes.io/name: guacd +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["pods/exec", "pods/attach"] + verbs: ["create", "get"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: guacd-pod-exec + namespace: traefik-system + labels: + app.kubernetes.io/component: proxy + app.kubernetes.io/name: guacd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: guacd-pod-exec +subjects: + - kind: ServiceAccount + name: guacd-exec + namespace: guacamole +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: guacd-pod-exec + namespace: zabbix + labels: + app.kubernetes.io/component: proxy + app.kubernetes.io/name: guacd +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["pods/exec", "pods/attach"] + verbs: ["create", "get"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: guacd-pod-exec + namespace: zabbix + labels: + app.kubernetes.io/component: proxy + app.kubernetes.io/name: guacd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: guacd-pod-exec +subjects: + - kind: ServiceAccount + name: guacd-exec + namespace: guacamole +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: guacd-pod-exec + namespace: matrix + labels: + app.kubernetes.io/component: proxy + app.kubernetes.io/name: guacd +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["pods/exec", "pods/attach"] + verbs: ["create", "get"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: guacd-pod-exec + namespace: matrix + labels: + app.kubernetes.io/component: proxy + 
app.kubernetes.io/name: guacd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: guacd-pod-exec +subjects: + - kind: ServiceAccount + name: guacd-exec + namespace: guacamole +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: guacd-pod-exec + namespace: irc + labels: + app.kubernetes.io/component: proxy + app.kubernetes.io/name: guacd +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["pods/exec", "pods/attach"] + verbs: ["create", "get"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: guacd-pod-exec + namespace: irc + labels: + app.kubernetes.io/component: proxy + app.kubernetes.io/name: guacd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: guacd-pod-exec +subjects: + - kind: ServiceAccount + name: guacd-exec + namespace: guacamole +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: guacd-pod-exec + namespace: mail + labels: + app.kubernetes.io/component: proxy + app.kubernetes.io/name: guacd +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["pods/exec", "pods/attach"] + verbs: ["create", "get"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: guacd-pod-exec + namespace: mail + labels: + app.kubernetes.io/component: proxy + app.kubernetes.io/name: guacd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: guacd-pod-exec +subjects: + - kind: ServiceAccount + name: guacd-exec + namespace: guacamole +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: guacd-pod-exec + namespace: selenium + labels: + app.kubernetes.io/component: proxy + app.kubernetes.io/name: guacd +rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["pods/exec", "pods/attach"] + verbs: ["create", "get"] +--- +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: guacd-pod-exec + namespace: selenium + labels: + app.kubernetes.io/component: proxy + app.kubernetes.io/name: guacd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role name: guacd-pod-exec subjects: - kind: ServiceAccount
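Review bot: Changing `kind: ClusterRole` / `kind: ClusterRoleBinding` to `Role` / `RoleBinding` in place does not remove the existing cluster-scoped `guacd-pod-exec` objects; under a plain `kubectl apply` they stay bound to the `guacd-exec` ServiceAccount with cluster-wide `pods/exec`, so the scoping this commit intends is not effective until they are deleted. If Argo CD manages this file with prune enabled the old objects will be pruned, but that assumption is worth stating in the commit or in a comment, e.g. `# Replaces the former ClusterRole/ClusterRoleBinding of the same name; delete those if this manifest is applied outside Argo CD prune.` Separately, the eight Role/RoleBinding pairs differ only in `metadata.namespace`, which invites drift (the allowlist comment already applies to just the first copy); generating them from a single list via the repo's templating or a Kustomize overlay, or at least a one-line comment before each copy naming the canonical list, would keep them aligned. Dropping the `namespaces` list/get rule is consistent with a static allowlist, but if the sync job previously discovered namespaces by listing them, that should be confirmed against `TARGET_NAMESPACES`, which is not in this hunk.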