security(guacamole): scope guacd Kubernetes exec RBAC

Andrew Stoltz
2026-06-18 15:05:43 -05:00
parent fc24102fb9
commit 30e04a10c6


@@ -225,8 +225,7 @@ spec:
- "--port=8001"
- "--address=127.0.0.1"
- "--accept-hosts=.*"
- "--accept-paths=.*"
- "--disable-filter=true"
- "--accept-paths=^/api/v1/namespaces/(argocd|gitea|telephony|traefik-system|zabbix|matrix|irc|mail|selenium)/pods(/[^/]+(/(exec|attach))?)?$"
- "--v=2"
resources:
requests:
@@ -526,10 +525,13 @@ metadata:
name: guacd-exec
namespace: guacamole
---
# Namespace-scoped exec/list rights for the Kubernetes protocol and sync job.
# Keep this allowlist in lockstep with TARGET_NAMESPACES below.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
kind: Role
metadata:
name: guacd-pod-exec
namespace: argocd
labels:
app.kubernetes.io/component: proxy
app.kubernetes.io/name: guacd
@@ -540,20 +542,282 @@ rules:
- apiGroups: [""]
resources: ["pods/exec", "pods/attach"]
verbs: ["create", "get"]
- apiGroups: [""]
resources: ["namespaces"]
verbs: ["list", "get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
kind: RoleBinding
metadata:
name: guacd-pod-exec
namespace: argocd
labels:
app.kubernetes.io/component: proxy
app.kubernetes.io/name: guacd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
kind: Role
name: guacd-pod-exec
subjects:
- kind: ServiceAccount
name: guacd-exec
namespace: guacamole
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: guacd-pod-exec
namespace: gitea
labels:
app.kubernetes.io/component: proxy
app.kubernetes.io/name: guacd
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["pods/exec", "pods/attach"]
verbs: ["create", "get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: guacd-pod-exec
namespace: gitea
labels:
app.kubernetes.io/component: proxy
app.kubernetes.io/name: guacd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: guacd-pod-exec
subjects:
- kind: ServiceAccount
name: guacd-exec
namespace: guacamole
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: guacd-pod-exec
namespace: telephony
labels:
app.kubernetes.io/component: proxy
app.kubernetes.io/name: guacd
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["pods/exec", "pods/attach"]
verbs: ["create", "get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: guacd-pod-exec
namespace: telephony
labels:
app.kubernetes.io/component: proxy
app.kubernetes.io/name: guacd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: guacd-pod-exec
subjects:
- kind: ServiceAccount
name: guacd-exec
namespace: guacamole
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: guacd-pod-exec
namespace: traefik-system
labels:
app.kubernetes.io/component: proxy
app.kubernetes.io/name: guacd
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["pods/exec", "pods/attach"]
verbs: ["create", "get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: guacd-pod-exec
namespace: traefik-system
labels:
app.kubernetes.io/component: proxy
app.kubernetes.io/name: guacd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: guacd-pod-exec
subjects:
- kind: ServiceAccount
name: guacd-exec
namespace: guacamole
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: guacd-pod-exec
namespace: zabbix
labels:
app.kubernetes.io/component: proxy
app.kubernetes.io/name: guacd
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["pods/exec", "pods/attach"]
verbs: ["create", "get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: guacd-pod-exec
namespace: zabbix
labels:
app.kubernetes.io/component: proxy
app.kubernetes.io/name: guacd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: guacd-pod-exec
subjects:
- kind: ServiceAccount
name: guacd-exec
namespace: guacamole
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: guacd-pod-exec
namespace: matrix
labels:
app.kubernetes.io/component: proxy
app.kubernetes.io/name: guacd
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["pods/exec", "pods/attach"]
verbs: ["create", "get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: guacd-pod-exec
namespace: matrix
labels:
app.kubernetes.io/component: proxy
app.kubernetes.io/name: guacd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: guacd-pod-exec
subjects:
- kind: ServiceAccount
name: guacd-exec
namespace: guacamole
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: guacd-pod-exec
namespace: irc
labels:
app.kubernetes.io/component: proxy
app.kubernetes.io/name: guacd
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["pods/exec", "pods/attach"]
verbs: ["create", "get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: guacd-pod-exec
namespace: irc
labels:
app.kubernetes.io/component: proxy
app.kubernetes.io/name: guacd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: guacd-pod-exec
subjects:
- kind: ServiceAccount
name: guacd-exec
namespace: guacamole
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: guacd-pod-exec
namespace: mail
labels:
app.kubernetes.io/component: proxy
app.kubernetes.io/name: guacd
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["pods/exec", "pods/attach"]
verbs: ["create", "get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: guacd-pod-exec
namespace: mail
labels:
app.kubernetes.io/component: proxy
app.kubernetes.io/name: guacd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: guacd-pod-exec
subjects:
- kind: ServiceAccount
name: guacd-exec
namespace: guacamole
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: guacd-pod-exec
namespace: selenium
labels:
app.kubernetes.io/component: proxy
app.kubernetes.io/name: guacd
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["pods/exec", "pods/attach"]
verbs: ["create", "get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: guacd-pod-exec
namespace: selenium
labels:
app.kubernetes.io/component: proxy
app.kubernetes.io/name: guacd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: guacd-pod-exec
subjects:
- kind: ServiceAccount