
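# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
#########
# GCP Service Account for tier3
# AC-1 - Implementation of access control
# AC-3(7), AC-3, AC-16(2) - This service account possesses limited privileges
# (permissions) and is restricted to performing only the necessary operations
# for resources within the designated namespace. The service account is
# associated with the namespace and is assigned roles as required.
#
# Every `# kpt-set:` trailing comment is a kpt setter marker and must stay on
# the same line as the field it parameterizes.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: project-id-tier3-sa # kpt-set: ${project-id}-tier3-sa
  namespace: client-name-config-control # kpt-set: ${client-name}-${management-namespace}
  annotations:
    cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id}
    cnrm.cloud.google.com/ignore-clusterless: "true"
    config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/client-name-projects/Project/project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/${client-name}-projects/Project/${project-id}
spec:
  # AC-3(7), AC-3, AC-16(2)
  resourceID: tier3-sa
  displayName: tier3-sa
---
# Grant GCP role IAM service account admin to GCP SA on Service Project
# NOTE(review): roles/iam.serviceAccountAdmin lets this SA create, delete and
# set IAM policy on other service accounts in the project — confirm the
# tier3 workloads need that breadth rather than a narrower custom role.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: project-id-tier3-sa-serviceaccountadmin-project-id-permissions # kpt-set: ${project-id}-tier3-sa-serviceaccountadmin-${project-id}-permissions
  namespace: client-name-projects # kpt-set: ${client-name}-projects
  annotations:
    cnrm.cloud.google.com/ignore-clusterless: "true"
    config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/client-name-projects/Project/project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/${client-name}-projects/Project/${project-id}
spec:
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    name: project-id # kpt-set: ${project-id}
  # AC-1, AC-3(7), AC-3, AC-16(2)
  role: roles/iam.serviceAccountAdmin
  member: "serviceAccount:tier3-sa@project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:tier3-sa@${project-id}.iam.gserviceaccount.com
---
# Grant GCP role Security Admin to GCP SA on Service Project
# NOTE(review): roles/iam.securityAdmin can get and set IAM policy on the
# whole project, which is wider than the "limited privileges" statement at
# the top of this file suggests — verify this is required and review
# project-level IAM changes made by tier3-sa in audit logs.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: project-id-tier3-sa-securityadmin-project-id-permissions # kpt-set: ${project-id}-tier3-sa-securityadmin-${project-id}-permissions
  namespace: client-name-projects # kpt-set: ${client-name}-projects
  annotations:
    cnrm.cloud.google.com/ignore-clusterless: "true"
    config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/client-name-projects/Project/project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/${client-name}-projects/Project/${project-id}
spec:
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    name: project-id # kpt-set: ${project-id}
  # AC-1, AC-3(7), AC-3, AC-16(2)
  role: roles/iam.securityAdmin
  member: "serviceAccount:tier3-sa@project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:tier3-sa@${project-id}.iam.gserviceaccount.com
---
# Grant GCP role Tier3 DNS Record Admin to GCP SA on Client DNS Project
# The binding targets the shared DNS project (dns-project-id), not the
# service project, using an organization-level custom role.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: project-id-tier3-sa-tier3-dnsrecord-admin-dns-project-id-permissions # kpt-set: ${project-id}-tier3-sa-tier3-dnsrecord-admin-${dns-project-id}-permissions
  namespace: client-name-projects # kpt-set: ${client-name}-projects
  annotations:
    cnrm.cloud.google.com/ignore-clusterless: "true"
    config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/client-name-projects/Project/project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/${client-name}-projects/Project/${project-id}
spec:
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    name: dns-project-id # kpt-set: ${dns-project-id}
  # AC-1, AC-3(7), AC-3, AC-16(2)
  role: organizations/org-id/roles/tier3.dnsrecord.admin # kpt-set: organizations/${org-id}/roles/tier3.dnsrecord.admin
  member: "serviceAccount:tier3-sa@project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:tier3-sa@${project-id}.iam.gserviceaccount.com
---
# Grant GCP role Compute Public IP Admin to tier3-sa GCP SA
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: project-id-tier3-sa-compute-public-ip-admin-project-id-permissions # kpt-set: ${project-id}-tier3-sa-compute-public-ip-admin-${project-id}-permissions
  namespace: client-name-projects # kpt-set: ${client-name}-projects
  annotations:
    cnrm.cloud.google.com/ignore-clusterless: "true"
    config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/client-name-projects/Project/project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/${client-name}-projects/Project/${project-id}
spec:
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    name: project-id # kpt-set: ${project-id}
  # AC-1, AC-3(7), AC-3, AC-16(2)
  role: roles/compute.publicIpAdmin
  member: "serviceAccount:tier3-sa@project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:tier3-sa@${project-id}.iam.gserviceaccount.com
---
# Grant GCP role Compute Security Admin to tier3-sa GCP SA
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: project-id-tier3-sa-compute-security-admin-project-id-permissions # kpt-set: ${project-id}-tier3-sa-compute-security-admin-${project-id}-permissions
  namespace: client-name-projects # kpt-set: ${client-name}-projects
  annotations:
    cnrm.cloud.google.com/ignore-clusterless: "true"
    config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/client-name-projects/Project/project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/${client-name}-projects/Project/${project-id}
spec:
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    name: project-id # kpt-set: ${project-id}
  # AC-1, AC-3(7), AC-3, AC-16(2)
  role: roles/compute.securityAdmin
  member: "serviceAccount:tier3-sa@project-id.iam.gserviceaccount.com" # kpt-set: serviceAccount:tier3-sa@${project-id}.iam.gserviceaccount.com
---
# K8S SA
# Workload Identity binding: only the KCC controller-manager Kubernetes SA for
# this namespace may impersonate tier3-sa. Keep the member list to that single
# entry so no other workload inherits the roles granted above.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPartialPolicy
metadata:
  name: project-id-tier3-sa-workload-identity-binding # kpt-set: ${project-id}-tier3-sa-workload-identity-binding
  namespace: client-name-config-control # kpt-set: ${client-name}-${management-namespace}
  annotations:
    cnrm.cloud.google.com/ignore-clusterless: "true"
    config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/client-name-projects/Project/project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/${client-name}-projects/Project/${project-id}
spec:
  resourceRef:
    name: project-id-tier3-sa # kpt-set: ${project-id}-tier3-sa
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    namespace: client-name-config-control # kpt-set: ${client-name}-${management-namespace}
  # AC-1, AC-3(7), AC-3, AC-16(2)
  bindings:
    - role: roles/iam.workloadIdentityUser
      members:
        - member: serviceAccount:management-project-id.svc.id.goog[cnrm-system/cnrm-controller-manager-project-id-tier3] # kpt-set: serviceAccount:${management-project-id}.svc.id.goog[cnrm-system/cnrm-controller-manager-${project-id}-tier3]
---
# K8S namespace
apiVersion: v1
kind: Namespace
metadata:
  name: project-id-tier3 # kpt-set: ${project-id}-tier3
  annotations:
    cnrm.cloud.google.com/project-id: project-id # kpt-set: ${project-id}
    cnrm.cloud.google.com/ignore-clusterless: "true"
---
# Link GCP SA to K8S namespace
apiVersion: core.cnrm.cloud.google.com/v1beta1
kind: ConfigConnectorContext
metadata:
  name: configconnectorcontext.core.cnrm.cloud.google.com
  namespace: project-id-tier3 # kpt-set: ${project-id}-tier3
  annotations:
    cnrm.cloud.google.com/ignore-clusterless: "true"
    config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/client-name-projects/Project/project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/${client-name}-projects/Project/${project-id}
spec:
  # AC-3(7), AC-3, AC-16(2)
  googleServiceAccount: tier3-sa@project-id.iam.gserviceaccount.com # kpt-set: tier3-sa@${project-id}.iam.gserviceaccount.com
---
# Give KCC, for this namespace, permission to read KCC resources in the client-name-projects namespace.
# This allows referencing the project resources in the client-name-projects namespace from the tier3 namespace.
# The four cnrm-viewer RoleBindings below share a name; that is valid because
# each lives in a different namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cnrm-viewer-project-id-tier3 # kpt-set: cnrm-viewer-${project-id}-tier3
  namespace: client-name-projects # kpt-set: ${client-name}-projects
  annotations:
    config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/client-name-projects/Project/project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/${client-name}-projects/Project/${project-id}
# AC-1, AC-3(7), AC-3, AC-16(2)
roleRef:
  name: cnrm-viewer
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
subjects:
  - name: cnrm-controller-manager-project-id-tier3 # kpt-set: cnrm-controller-manager-${project-id}-tier3
    namespace: cnrm-system
    kind: ServiceAccount
---
# Give KCC, for this namespace, permission to read KCC resources in the client-name-networking namespace.
# This allows referencing the network resources in the client-name-networking namespace from the tier3 namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cnrm-viewer-project-id-tier3 # kpt-set: cnrm-viewer-${project-id}-tier3
  namespace: client-name-networking # kpt-set: ${client-name}-networking
  annotations:
    config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/client-name-projects/Project/project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/${client-name}-projects/Project/${project-id}
# AC-1, AC-3(7), AC-3, AC-16(2)
roleRef:
  name: cnrm-viewer
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
subjects:
  - name: cnrm-controller-manager-project-id-tier3 # kpt-set: cnrm-controller-manager-${project-id}-tier3
    namespace: cnrm-system
    kind: ServiceAccount
---
# Give KCC, for this namespace, permission to read KCC resources in the client-name-logging namespace.
# This allows referencing the pubsub topic resources in the client-name-logging namespace from the tier3 namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cnrm-viewer-project-id-tier3 # kpt-set: cnrm-viewer-${project-id}-tier3
  namespace: client-name-logging # kpt-set: ${client-name}-logging
  annotations:
    config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/client-name-projects/Project/project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/${client-name}-projects/Project/${project-id}
# AC-1, AC-3(7), AC-3, AC-16(2)
roleRef:
  name: cnrm-viewer
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
subjects:
  - name: cnrm-controller-manager-project-id-tier3 # kpt-set: cnrm-controller-manager-${project-id}-tier3
    namespace: cnrm-system
    kind: ServiceAccount
---
# Give KCC, for this namespace, permission to read KCC resources in the tier4 namespace.
# Cross-tier access: the tier3 controller is granted cnrm-viewer (a read-only
# role, per its name — confirm against the ClusterRole definition) on the
# tier4 namespace; no write access to tier4 is granted here.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cnrm-viewer-project-id-tier3 # kpt-set: cnrm-viewer-${project-id}-tier3
  namespace: project-id-tier4 # kpt-set: ${project-id}-tier4
  annotations:
    config.kubernetes.io/depends-on: resourcemanager.cnrm.cloud.google.com/namespaces/client-name-projects/Project/project-id # kpt-set: resourcemanager.cnrm.cloud.google.com/namespaces/${client-name}-projects/Project/${project-id}
# AC-1, AC-3(7), AC-3, AC-16(2)
roleRef:
  name: cnrm-viewer
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
subjects:
  - name: cnrm-controller-manager-project-id-tier3 # kpt-set: cnrm-controller-manager-${project-id}-tier3
    namespace: cnrm-system
    kind: ServiceAccount
---
# Repo sync role binding requirement
# The `admin` ClusterRole is bound through a namespaced RoleBinding, so the
# Config Sync reconciler for this repo only receives admin rights inside the
# tier3 namespace, not cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: syncs-repo
  namespace: project-id-tier3 # kpt-set: ${project-id}-tier3
subjects:
  - kind: ServiceAccount
    name: ns-reconciler-project-id-tier3 # kpt-set: ns-reconciler-${project-id}-tier3
    namespace: config-management-system
# AC-1, AC-3(7), AC-3, AC-16(2)
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io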