Minimize GCP permissions needed by the operator

CrowdStrike · Nov 18, 2021 · e572d06 · e572d06
1 parent 2d66e1a
commit e572d06
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 1 deletion.
diff --git a/docs/deployment/gke/gcp-role.yaml b/docs/deployment/gke/gcp-role.yaml
@@ -0,0 +1,9 @@
+title: "Falcon Operator Container Push Agent"
+description: "Role that enables pushing to GCR"
+stage: "ALPHA"
+includedPermissions:
+- storage.buckets.get
+- storage.objects.create
+- storage.objects.delete
+- storage.objects.get
+- storage.objects.list
diff --git a/docs/deployment/gke/run b/docs/deployment/gke/run
@@ -82,13 +82,20 @@ kubectl create ns $FALCON_SYSTEM_CONFIGURE --dry-run=client -o yaml | kubectl ap
 GCP_PROJECT_ID=$(gcloud config get-value core/project)
 
 if ! kubectl get secret builder -n $FALCON_SYSTEM_CONFIGURE > /dev/null 2>&1; then
+    GCP_ROLE_NAME=falconOperatorPush
     if ! gcloud iam service-accounts describe falcon-operator@$GCP_PROJECT_ID.iam.gserviceaccount.com > /dev/null 2>&1 ; then
+
+        if ! gcloud iam roles describe "$GCP_ROLE_NAME" --project "$GCP_PROJECT_ID" > /dev/null 2>&1; then
+            gcloud iam roles create "$GCP_ROLE_NAME" --project="$GC_PROJECT_ID" \
+                   --file=
+        fi
+
         gcloud iam service-accounts create falcon-operator
     fi
 
     gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
         --member serviceAccount:falcon-operator@$GCP_PROJECT_ID.iam.gserviceaccount.com \
-        --role roles/storage.admin
+        --role roles/"$GCP_ROLE_NAME"
 
     gcloud iam service-accounts keys create \
         --iam-account "falcon-operator@$GCP_PROJECT_ID.iam.gserviceaccount.com" \