Kubernetes Runner - Deployments to Kubernetes

justinhauer · July 8, 2020, 12:12pm

Background:

I have Drone and Drone kubernetes Runner deployed into my kube cluster via the latest helm charts. I am using a custom plugin to deploy to kube based off of https://github.com/komljen/drone-kubectl-helm.

What is the problem:

For anyone that uses the plugin, they deploy the following k8s rolebinding and service account in order for the plugin to deploy to that given namespace:

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: drone-user
  namespace: [namespace]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: drone-user
  namespace: [namespace]
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: user
subjects:
- kind: ServiceAccount
  name: drone-user
  namespace: [namespace]

Unfortunately, the plugin seems to pick up the service account that Drone-Kubernetes-Runner uses which allows it to deploy to ANY namespace and perform actions that may not be desired.I dont want that. I just want the person using the plugin to be able to deploy to their given namespace. The credentials to deploy use secrets created from drone cli: (1) kube-api-server (2) kubernetes-token (3) kubernetes-cert

What I’m asking for help on:

Are there others that have run into similar problems?
How do I overcome this?
Are there other kube-plugins that you know of that resolve this (on plugins.drone.io there are about 5 kube plugins listed)

P.S. - There doesn’t seem to be any commented out notes regarding this on the helm chart for the deployment.

justinhauer · July 9, 2020, 1:36pm

@ashwilliams1 You’ve been very helpful on the kube questions previously, do you have any ideas?

ashwilliams1 · July 9, 2020, 2:04pm

I cannot really advise on third party plugins, but I definitely would avoid a third party plugin that requires granting your pipelines cluster admin privileges.

justinhauer · July 9, 2020, 2:08pm

Understood they’re 3rd party plugins. What would you recommend then, as a way to deploy workloads to kube to hopefully mitigate this? My previously deploy of drone on Docker didn’t experience this.

ashwilliams1 · July 9, 2020, 2:12pm

I do not use kubernetes personally, so I cannot really advise on which third party plugins or approaches to use. I would recommend evaluating one of the other third party plugins, since based on your description, komljen/drone-kubectl-helm does not seem to meet your security requirements.

Alternatively, you do not need to use a plugin. I believe most plugins are just thin wrappers around kubectl, so you can probably just run kubectl commands directly in a pipeline step. Or you can even create your own plugin that wraps the exact kubectl commands that you need.