Merge pull request #117 from fluxcd/disable-remote-bases

stefanprodan · web-flow · commit 9b02d8364402 · 2023-10-10T15:46:25.000+03:00
Disable Kustomize remote bases
diff --git a/README.md b/README.md
@@ -224,11 +224,14 @@ To enforce tenant isolation, cluster admins must configure Flux to reconcile
 the `Kustomization` and `HelmRelease` kinds by impersonating a service account
 from the namespace where these objects are created. 
 
-[Flux v0.26] introduced built-in [multi-tenancy lockdown] features which enables tenant isolation 
+Flux has built-in [multi-tenancy lockdown] features which enables tenant isolation 
 at Control Plane level without the need of external admission controllers (e.g. Kyverno). The
 recommended patch:
 
 - Enforce controllers to block cross namespace references.
+  Meaning that a tenant can’t use another tenant’s sources or subscribe to their events.
+- Deny accesses to Kustomize remote bases, thus ensuring all resources refer to local files. 
+  Meaning that only approved Flux Sources can affect the cluster-state.
 - Sets a default service account via `--default-service-account` to `kustomize-controller` and `helm-controller`.
   Meaning that, if a tenant does not specify a service account in a Flux `Kustomization` or 
   `HelmRelease`, it would automatically default to said account. 
@@ -243,19 +246,26 @@ This repository applies this patch automatically via
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- gotk-components.yaml
-- gotk-sync.yaml
+  - gotk-components.yaml
+  - gotk-sync.yaml
 patches:
   - patch: |
       - op: add
-        path: /spec/template/spec/containers/0/args/0
+        path: /spec/template/spec/containers/0/args/-
         value: --no-cross-namespace-refs=true
     target:
       kind: Deployment
       name: "(kustomize-controller|helm-controller|notification-controller|image-reflector-controller|image-automation-controller)"
   - patch: |
       - op: add
-        path: /spec/template/spec/containers/0/args/0
+        path: /spec/template/spec/containers/0/args/-
+        value: --no-remote-bases=true
+    target:
+      kind: Deployment
+      name: "kustomize-controller"
+  - patch: |
+      - op: add
+        path: /spec/template/spec/containers/0/args/-
         value: --default-service-account=default
     target:
       kind: Deployment
@@ -362,7 +372,6 @@ Other policies to explore:
 - For `HelmRepository` and `GitRepository` consider which protocols should be allowed.
 - For `Bucket`, consider restrictions on providers and regions.
 
-
 #### Make serviceAccountName mandatory
 
 The lockdown patch sets a default service account that is applied to any `Kustomization` and `HelmRelease` 
@@ -602,5 +611,4 @@ This repository contains the following GitHub CI workflows:
   and tests the staging setup by running Flux in Kubernetes Kind
 
 
-[Flux v0.26]: https://github.com/fluxcd/flux2/releases/tag/v0.26.0
 [multi-tenancy lockdown]: https://fluxcd.io/flux/installation/configuration/multitenancy/
diff --git a/clusters/production/flux-system/kustomization.yaml b/clusters/production/flux-system/kustomization.yaml
@@ -1,19 +1,26 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- gotk-components.yaml
-- gotk-sync.yaml
+  - gotk-components.yaml
+  - gotk-sync.yaml
 patches:
   - patch: |
       - op: add
-        path: /spec/template/spec/containers/0/args/0
+        path: /spec/template/spec/containers/0/args/-
         value: --no-cross-namespace-refs=true
     target:
       kind: Deployment
       name: "(kustomize-controller|helm-controller|notification-controller|image-reflector-controller|image-automation-controller)"
   - patch: |
       - op: add
-        path: /spec/template/spec/containers/0/args/0
+        path: /spec/template/spec/containers/0/args/-
+        value: --no-remote-bases=true
+    target:
+      kind: Deployment
+      name: "kustomize-controller"
+  - patch: |
+      - op: add
+        path: /spec/template/spec/containers/0/args/-
         value: --default-service-account=default
     target:
       kind: Deployment
diff --git a/clusters/staging/flux-system/kustomization.yaml b/clusters/staging/flux-system/kustomization.yaml
@@ -1,19 +1,26 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- gotk-components.yaml
-- gotk-sync.yaml
+  - gotk-components.yaml
+  - gotk-sync.yaml
 patches:
   - patch: |
       - op: add
-        path: /spec/template/spec/containers/0/args/0
+        path: /spec/template/spec/containers/0/args/-
         value: --no-cross-namespace-refs=true
     target:
       kind: Deployment
       name: "(kustomize-controller|helm-controller|notification-controller|image-reflector-controller|image-automation-controller)"
   - patch: |
       - op: add
-        path: /spec/template/spec/containers/0/args/0
+        path: /spec/template/spec/containers/0/args/-
+        value: --no-remote-bases=true
+    target:
+      kind: Deployment
+      name: "kustomize-controller"
+  - patch: |
+      - op: add
+        path: /spec/template/spec/containers/0/args/-
         value: --default-service-account=default
     target:
       kind: Deployment
