headlamp-sealed-secrets-plugin/docs/user-guide/rbac-permissions.md

# RBAC Permissions Guide

Configure Role-Based Access Control for Sealed Secrets operations.

## Overview

The Headlamp Sealed Secrets plugin integrates with Kubernetes RBAC to control:
- Who can **view** SealedSecrets
- Who can **create** SealedSecrets
- Who can **delete** SealedSecrets
- Who can **view unsealed Secrets**
- Who can **download sealing certificates**

The plugin automatically checks permissions and hides/disables UI elements based on your RBAC roles.

## Required Permissions

### Minimum Read-Only Access

To **view** sealed secrets in Headlamp:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: sealed-secrets-viewer
rules:
# View SealedSecrets
- apiGroups: ["bitnami.com"]
  resources: ["sealedsecrets"]
  verbs: ["get", "list"]

# View namespaces (for filtering)
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["list"]
```

**What you can do:**
- ✅ List all sealed secrets
- ✅ View sealed secret details
- ✅ See encrypted data (safe to view)
- ❌ Create new sealed secrets
- ❌ Delete sealed secrets
- ❌ View unsealed secret values

### Creator Access

To **create** sealed secrets:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: sealed-secrets-creator
rules:
# Create and view SealedSecrets
- apiGroups: ["bitnami.com"]
  resources: ["sealedsecrets"]
  verbs: ["get", "list", "create"]

# Download sealing certificates
- apiGroups: [""]
  resources: ["services/proxy"]
  verbs: ["get"]
  resourceNames: ["sealed-secrets-controller"]

# Or direct service access
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get"]
  resourceNames: ["sealed-secrets-controller"]

# View namespaces
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["list"]
```

**What you can do:**
- ✅ Everything from viewer role
- ✅ Create new sealed secrets
- ✅ Download sealing certificates
- ❌ Delete sealed secrets
- ❌ View unsealed secret values

### Full Access

To have **complete control** over sealed secrets:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: sealed-secrets-admin
rules:
# Full SealedSecret access
- apiGroups: ["bitnami.com"]
  resources: ["sealedsecrets"]
  verbs: ["get", "list", "create", "update", "patch", "delete"]

# View unsealed Secrets
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list"]

# Access controller
- apiGroups: [""]
  resources: ["services", "services/proxy"]
  verbs: ["get"]

# View namespaces
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["list"]
```

**What you can do:**
- ✅ Everything from creator role
- ✅ Delete sealed secrets
- ✅ View unsealed secret values (decrypt)
- ✅ Update sealed secrets

## Example RBAC Configurations

### Example 1: Development Team (Namespace-Scoped)

Allow developers to manage sealed secrets in their namespace:

```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dev-team-sealed-secrets
  namespace: development
rules:
- apiGroups: ["bitnami.com"]
  resources: ["sealedsecrets"]
  verbs: ["get", "list", "create", "delete"]

- apiGroups: [""]
  resources: ["services"]
  verbs: ["get"]
  resourceNames: ["sealed-secrets-controller"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-team-sealed-secrets
  namespace: development
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dev-team-sealed-secrets
subjects:
- kind: Group
  name: developers
  apiGroup: rbac.authorization.k8s.io
```

### Example 2: Platform Team (Cluster-Wide)

Allow platform team to manage all sealed secrets:

```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: platform-sealed-secrets
rules:
- apiGroups: ["bitnami.com"]
  resources: ["sealedsecrets"]
  verbs: ["*"]

- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list"]

- apiGroups: [""]
  resources: ["services", "services/proxy"]
  verbs: ["get"]

- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["list"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: platform-sealed-secrets
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: platform-sealed-secrets
subjects:
- kind: Group
  name: platform-team
  apiGroup: rbac.authorization.k8s.io
```

### Example 3: Read-Only Auditor

Allow security team to audit sealed secrets without modification:

```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: sealed-secrets-auditor
rules:
- apiGroups: ["bitnami.com"]
  resources: ["sealedsecrets"]
  verbs: ["get", "list"]

- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list"]

- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["list"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: security-team-auditor
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: sealed-secrets-auditor
subjects:
- kind: Group
  name: security-auditors
  apiGroup: rbac.authorization.k8s.io
```

### Example 4: CI/CD Service Account

Allow automated systems to create sealed secrets:

```yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ci-cd-sealed-secrets
  namespace: ci-cd

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ci-cd-sealed-secrets-creator
rules:
- apiGroups: ["bitnami.com"]
  resources: ["sealedsecrets"]
  verbs: ["create", "get", "list"]

- apiGroups: [""]
  resources: ["services"]
  verbs: ["get"]
  resourceNames: ["sealed-secrets-controller"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ci-cd-sealed-secrets
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ci-cd-sealed-secrets-creator
subjects:
- kind: ServiceAccount
  name: ci-cd-sealed-secrets
  namespace: ci-cd
```

## Plugin UI Behavior

The plugin automatically adjusts the UI based on permissions:

### With Full Permissions
- ✅ "Create Sealed Secret" button visible
- ✅ "Delete" button visible on details page
- ✅ "Decrypt" button visible (if Secret access granted)
- ✅ Download sealing certificates

### With Read-Only Permissions
- ❌ "Create Sealed Secret" button hidden
- ❌ "Delete" button hidden/disabled
- ❌ "Decrypt" button hidden
- ❌ Download button hidden/disabled

### Testing Permissions

The plugin uses Kubernetes `SelfSubjectAccessReview` to check permissions in real-time.

You can test manually:

```bash
# Check if you can create SealedSecrets
kubectl auth can-i create sealedsecrets.bitnami.com

# Check if you can list SealedSecrets
kubectl auth can-i list sealedsecrets.bitnami.com

# Check if you can view Secrets (for decryption)
kubectl auth can-i get secrets

# Check in specific namespace
kubectl auth can-i create sealedsecrets.bitnami.com -n production
```

## Common Permission Issues

### Issue 1: "Create Sealed Secret" Button Not Showing

**Cause**: Missing `create` permission for SealedSecrets.

**Solution**:
```yaml
rules:
- apiGroups: ["bitnami.com"]
  resources: ["sealedsecrets"]
  verbs: ["create"]  # Add this verb
```

### Issue 2: Cannot Download Sealing Certificates

**Cause**: Missing service access permission.

**Solution**:
```yaml
rules:
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get"]
  resourceNames: ["sealed-secrets-controller"]
```

Or for proxy access:
```yaml
rules:
- apiGroups: [""]
  resources: ["services/proxy"]
  verbs: ["get", "create"]
```

### Issue 3: "Decrypt" Button Not Showing

**Cause**: Missing `get` permission for Secrets.

**Solution**:
```yaml
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]  # Required for decryption
```

### Issue 4: Cannot See SealedSecrets in Other Namespaces

**Cause**: Using `Role` instead of `ClusterRole`, or missing namespace list permission.

**Solution**: Use `ClusterRole` and `ClusterRoleBinding`:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole  # Not Role
metadata:
  name: sealed-secrets-viewer
rules:
- apiGroups: ["bitnami.com"]
  resources: ["sealedsecrets"]
  verbs: ["get", "list"]
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["list"]  # Required
```

## Security Best Practices

### 1. Principle of Least Privilege

Only grant the minimum permissions needed:

```yaml
# Good: Namespace-scoped for dev team
kind: Role
metadata:
  namespace: dev-team-namespace

# Risky: Cluster-wide for dev team
kind: ClusterRole  # Only if truly needed
```

### 2. Separate Secret Access

Don't grant Secret access unless absolutely necessary:

```yaml
# ✅ Good: Can create SealedSecrets but not view Secrets
- apiGroups: ["bitnami.com"]
  resources: ["sealedsecrets"]
  verbs: ["create"]

# ❌ Risky: Can view unsealed Secrets
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list"]  # Only for authorized users
```

### 3. Use Groups, Not Individual Users

```yaml
# ✅ Good: Use groups
subjects:
- kind: Group
  name: developers

# ❌ Harder to maintain: Individual users
subjects:
- kind: User
  name: alice
- kind: User
  name: bob
```

### 4. Audit RBAC Changes

```bash
# List all ClusterRoleBindings for SealedSecrets
kubectl get clusterrolebindings -o json | \
  jq '.items[] | select(.roleRef.name | contains("sealed-secrets"))'

# List all RoleBindings in a namespace
kubectl get rolebindings -n production -o yaml
```

## Troubleshooting Commands

```bash
# 1. Check your current permissions
kubectl auth can-i --list

# 2. Check specific permission
kubectl auth can-i create sealedsecrets.bitnami.com -n production

# 3. Check as another user (requires admin)
kubectl auth can-i create sealedsecrets --as alice --as-group developers

# 4. View your roles
kubectl get rolebindings,clusterrolebindings --all-namespaces -o wide | grep $(kubectl auth whoami)

# 5. Describe a role
kubectl describe clusterrole sealed-secrets-creator
```

## Next Steps

- **[Creating Secrets](creating-secrets.md)** - Create your first sealed secret
- **[Scopes Explained](scopes-explained.md)** - Understand security scopes
- **[Security Hardening](../deployment/security-hardening.md)** - Production security guide

## Resources

- [Kubernetes RBAC Documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
- [SelfSubjectAccessReview API](https://kubernetes.io/docs/reference/access-authn-authz/authorization/#checking-api-access)
- [Best Practices for RBAC](https://kubernetes.io/docs/concepts/security/rbac-good-practices/)