
Be able to run flux service accounts with least privilege

Open samueltorres opened this issue 1 year ago • 0 comments

Is your feature request related to a problem ?

I want to run Flux with MultiTenancy Lockdown enabled. Still, that is not enough for the security posture I'm looking for, mainly because the kustomize-controller and helm-controller service accounts have a cluster-admin ClusterRoleBinding.

I would like to run Flux with as little privilege as possible, thus I don't want the Flux service accounts to become cluster admins.

Describe the solution you'd like.

This would be fixable by adding a flag to the cluster-admin ClusterRoleBinding; the problem is that, by doing that, Flux wouldn't be able to do service account impersonation due to lack of permissions.

I figured out a way to do it by just adding a cluster-reconciler-impersonator ClusterRole to the kustomize-controller and helm-controller.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-reconciler-impersonator
rules:
- apiGroups: [""]
  resources: ["serviceaccounts"]
  verbs: ["impersonate"]

I would add a privileged flag to the multi-tenancy section on flux chart, like:

# -- Both kustomize-controller and helm-controller service accounts run privileged
# with cluster-admin ClusterRoleBinding. Disable if you want to run them with a
# minimum set of permissions.
privileged: true

And then give the kustomize-controller / helm-controller service accounts the cluster-admin ClusterRoleBinding if Flux runs in privileged mode, or the cluster-reconciler-impersonator ClusterRoleBinding if it runs unprivileged.

I've tested this myself and it works nicely.

Describe alternatives you've considered.

Doing a Helm post-render to remove the cluster-admin ClusterRoleBinding and making use of extraObjects to render out the impersonator ClusterRole and ClusterRoleBinding.

Additional context.

No response

samueltorres avatar Jul 21 '22 08:07 samueltorres
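The following Helm template shows what the proposed `privileged` switch looks like when wired into a chart: one template that emits the cluster-admin binding in privileged mode and the impersonator ClusterRole plus its binding otherwise. It is an added example written for this issue, not a template from the flux2 chart or from the Flux project; the value path `.Values.multitenancy.privileged`, the template file name and the `cluster-reconciler-*` binding names are assumptions, and the two controller service account names are taken from the issue.

```yaml
# templates/controllers-rbac.yaml (assumed file name; example, not the chart's own template)
#
# Privileged mode: both reconciler controllers become cluster-admin, which is the
# posture the issue wants to be able to turn off.
{{- if .Values.multitenancy.privileged }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-reconciler-{{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: kustomize-controller
    namespace: {{ .Release.Namespace }}
  - kind: ServiceAccount
    name: helm-controller
    namespace: {{ .Release.Namespace }}
{{- else }}
# Unprivileged mode: the controllers hold only the verb they need to assume the
# tenant service account named in each Kustomization / HelmRelease. Everything
# the reconciler then applies is authorised against that tenant account, not
# against the controller itself.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-reconciler-impersonator
rules:
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["impersonate"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-reconciler-impersonator-{{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-reconciler-impersonator
subjects:
  - kind: ServiceAccount
    name: kustomize-controller
    namespace: {{ .Release.Namespace }}
  - kind: ServiceAccount
    name: helm-controller
    namespace: {{ .Release.Namespace }}
{{- end }}
```

Two points worth checking after switching `privileged` to `false`. First, confirm the posture from outside the cluster with `kubectl auth can-i`: `kubectl auth can-i create deployments --as=system:serviceaccount:flux-system:kustomize-controller` should now answer `no`, while `kubectl auth can-i impersonate serviceaccounts --as=system:serviceaccount:flux-system:kustomize-controller` should answer `yes` (substitute your release namespace for `flux-system`). Second, `impersonate` on all service accounts is itself a strong permission: the controllers can act as any service account in the cluster, so the effective privilege of the reconcilers is the union of what the tenant accounts are bound to. Least privilege therefore depends on keeping per-tenant Role/RoleBinding objects narrow and on not leaving any impersonatable service account bound to cluster-admin, which is the configuration this mode was meant to remove in the first place.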