
Permissions Management

Managing permissions correctly is critical to maintaining security while enabling Stackbooster.io to optimize your Kubernetes infrastructure. This guide explains the permission models, implementation strategies, and best practices for both AWS and Kubernetes permissions.

AWS Permissions Model

Stackbooster.io requires specific AWS permissions to analyze and optimize your infrastructure effectively.

Required Permission Sets

Our platform utilizes the following permission categories:

Read-Only Permissions

These permissions allow us to gather information without making changes:

json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "eks:Describe*",
        "eks:List*",
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "autoscaling:Describe*",
        "pricing:GetProducts"
      ],
      "Resource": "*"
    }
  ]
}

Write Permissions (Optional)

These permissions enable active optimization features:

json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:SetDesiredCapacity",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "eks:UpdateNodegroupConfig"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Stackbooster-Managed": "true"
        }
      }
    }
  ]
}

Permission Scoping Strategies

You can limit the scope of Stackbooster.io's permissions using several strategies:

Resource Tags

Limit permissions to resources with specific tags:

json
{
  "Condition": {
    "StringEquals": {
      "aws:ResourceTag/Stackbooster-Managed": "true"
    }
  }
}

Resource ARN Patterns

Restrict access to specific resources by ARN patterns:

json
{
  "Resource": [
    "arn:aws:eks:*:*:cluster/prod-*",
    "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/eks-*"
  ]
}

Regional Restrictions

Limit permissions to specific AWS regions:

json
{
  "Condition": {
    "StringEquals": {
      "aws:RequestedRegion": ["us-east-1", "eu-west-1"]
    }
  }
}
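
The three scoping strategies above are easy to state and easy to forget in a hand-edited policy. The following is an added example (not Stackbooster.io code) that lints a policy document against them: it classifies actions the way this page does (Describe*/List*/Get* are read-only, everything else is a write), and flags write statements that carry neither the Stackbooster-Managed tag condition nor an ARN-limited Resource, wildcard actions, and statements with no region restriction. The tag-scoped policy mirrors the write policy shown earlier; the unscoped one is a constructed counter-example.

```python
"""Static check of an IAM policy against the scoping strategies described above.

Added example, not Stackbooster.io code. Action classification (read-only vs
write) follows this page's split into permission sets; the sample policies are
constructed for the demo.
"""
import json

READ_ONLY_VERBS = ("Describe", "List", "Get")
MANAGED_TAG = "aws:ResourceTag/Stackbooster-Managed"
REGION_KEY = "aws:RequestedRegion"


def as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_read_only(action: str) -> bool:
    """'ec2:Describe*' and 'cloudwatch:GetMetricData' are read-only; 'ec2:StopInstances' is not."""
    verb = action.partition(":")[2]
    return verb.startswith(READ_ONLY_VERBS)


def condition_keys(statement: dict) -> set:
    """Every condition key in a statement, whatever the operator (StringEquals, ...)."""
    keys = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(operator_block)
    return keys


def lint_policy(policy: dict) -> list:
    """Return findings as 'LEVEL statement N: message' strings; an empty list is clean."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action"))
        resources = as_list(stmt.get("Resource"))
        keys = condition_keys(stmt)
        writes = [a for a in actions if not is_read_only(a)]

        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"WARN statement {i}: wildcard action grants far more than the documented sets")
        # A write is acceptable when it is limited by the managed tag OR by explicit ARNs.
        if writes and MANAGED_TAG not in keys and resources == ["*"]:
            findings.append(f"WARN statement {i}: write actions {writes} are neither tag-scoped nor ARN-scoped")
        if REGION_KEY not in keys:
            findings.append(f"INFO statement {i}: no {REGION_KEY} restriction")
    return findings


# Mirrors the page's optional write policy: writes allowed only on tagged resources.
TAG_SCOPED_WRITE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["autoscaling:UpdateAutoScalingGroup", "ec2:StopInstances"],
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:ResourceTag/Stackbooster-Managed": "true"}}
  }]
}""")

# Constructed counter-example: the kind of grant a review should reject.
UNSCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}

if __name__ == "__main__":
    for name, policy in (("tag-scoped", TAG_SCOPED_WRITE_POLICY), ("unscoped", UNSCOPED_POLICY)):
        print(name, lint_policy(policy) or ["clean"])
```

The region check is reported at INFO level because the page treats regional restriction as optional; the other two findings are the ones that should block a policy from being attached.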

Kubernetes Permissions Model

Stackbooster.io's Kubernetes agent requires specific RBAC permissions to monitor and optimize your clusters.

Agent Service Account

The Stackbooster.io agent operates using a dedicated service account with the following permissions:

Read-Only Permissions (Default)

yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: stackbooster-read-only
rules:
- apiGroups: [""]
  resources: ["nodes", "pods", "services", "namespaces"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets", "statefulsets"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["metrics.k8s.io"]
  resources: ["nodes", "pods"]
  verbs: ["get", "list", "watch"]

Optimization Permissions (Optional)

yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: stackbooster-optimizer
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch", "delete"]
- apiGroups: ["apps"]
  resources: ["deployments", "statefulsets"]
  verbs: ["get", "list", "watch", "patch", "update"]

Namespace-Scoped Permissions

For environments requiring strict isolation, you can limit the agent's permissions to specific namespaces. The RoleBinding below grants rights only inside the production namespace; the Role it references (stackbooster-namespace-optimizer) must exist in that same namespace, or the roleRef can point at a ClusterRole, in which case its rules still apply only within production:

yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: stackbooster-optimizer
  namespace: production
subjects:
- kind: ServiceAccount
  name: stackbooster-agent
  namespace: stackbooster-system
roleRef:
  kind: Role
  name: stackbooster-namespace-optimizer
  apiGroup: rbac.authorization.k8s.io

Permission Implementation Process

Setting Up AWS Permissions

  1. Create IAM Policy:

    • Use the CloudFormation template provided by Stackbooster.io
    • Alternatively, manually create a policy with the required permissions
    • Add appropriate condition statements for your security requirements
  2. Create IAM Role:

    • Create a new role whose trust policy allows the Stackbooster.io AWS account to assume it
    • Enter the Stackbooster.io account ID as the trusted principal and the external ID as an sts:ExternalId condition
    • Attach the created policy to the role
    • Note the Role ARN for configuration in Stackbooster.io
  3. Configure in Stackbooster.io:

    • Enter the Role ARN in your Stackbooster.io account settings
    • Verify the connection with the provided test functionality
    • Configure permission scope boundaries if needed
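
The trust policy in step 2 is where the security of the whole integration is decided: it must name only the Stackbooster.io account and require the external ID. As an added example (not the CloudFormation template Stackbooster.io provides), the following builds such a trust policy and checks an existing one for the two ways it is commonly weakened. The account ID and external ID are placeholders to be replaced with the values Stackbooster.io gives you.

```python
"""Generate and sanity-check the cross-account trust policy for the IAM role.

Added example, not Stackbooster.io's template. STACKBOOSTER_ACCOUNT_ID and
EXTERNAL_ID are placeholders, not real values.
"""
import json

STACKBOOSTER_ACCOUNT_ID = "111122223333"                      # placeholder
EXTERNAL_ID = "replace-with-external-id-from-stackbooster"    # placeholder


def as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_trust_policy(account_id: str, external_id: str) -> dict:
    """Trust only the named account, and only when it presents the agreed external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def check_trust_policy(policy: dict) -> list:
    """Findings for every AssumeRole grant that is broader than the setup step requires."""
    problems = []
    for i, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        if "*" in aws_principals:
            problems.append(f"statement {i}: Principal '*' lets any AWS account assume the role")
        # The external ID may sit under any condition operator; collect them all.
        external_ids = set()
        for operator_block in stmt.get("Condition", {}).values():
            external_ids.update(as_list(operator_block.get("sts:ExternalId")))
        if not external_ids:
            problems.append(f"statement {i}: no sts:ExternalId condition, so a third party could "
                            f"use the role through the trusted account (confused deputy)")
    return problems


# Constructed counter-example: a trust policy that should never be attached.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    good = build_trust_policy(STACKBOOSTER_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(good, indent=2))
    print("good:", check_trust_policy(good) or ["clean"])
    print("weak:", check_trust_policy(WEAK_TRUST_POLICY))
```

Run the check against the trust policy actually attached to the role (for example the output of `aws iam get-role`) before handing the Role ARN to Stackbooster.io in step 3.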

Setting Up Kubernetes Permissions

  1. Apply RBAC Manifests:

    • Review the RBAC manifests provided by Stackbooster.io
    • Modify as needed for your security requirements
    • Apply using kubectl apply -f stackbooster-rbac.yaml
  2. Verify Service Account:

    • Ensure the service account is created in the correct namespace
    • Verify the correct roles are bound to the service account
    • Check that the agent pod can access necessary resources
  3. Configure Access Scope:

    • Decide whether the agent should have cluster-wide or namespace-scoped access
    • Apply appropriate RoleBindings for namespace-scoped access
    • Document all permissions granted for future auditing

Permission Auditing and Monitoring

Regular AWS Permission Reviews

  1. Schedule quarterly reviews of the IAM policies and roles
  2. Use AWS IAM Access Analyzer to identify unused permissions
  3. Monitor CloudTrail logs for actions taken using the Stackbooster.io role
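
Step 3 above becomes concrete once you decide what "actions taken using the role" should look like. The following is an added example (not Stackbooster.io tooling) that reviews CloudTrail records for sessions issued by the Stackbooster.io role: it raises a finding for any non-read action (which should only ever touch Stackbooster-Managed resources), any AccessDenied error (the role attempted something its policy forbids), and any call from outside the regions you allowed. The records are constructed samples in CloudTrail's record shape, and the role ARN is a placeholder.

```python
"""Review CloudTrail records for activity of the Stackbooster.io role.

Added example, not Stackbooster.io tooling. ROLE_ARN is a placeholder and
SAMPLE_EVENTS are constructed records with only the fields the review reads.
"""

ROLE_ARN = "arn:aws:iam::123456789012:role/StackboosterRole"   # placeholder
READ_ONLY_VERBS = ("Describe", "List", "Get")
ALLOWED_REGIONS = ("us-east-1", "eu-west-1")   # same list as the regional restriction above

# Identity block CloudTrail writes for a session that assumed the role.
ROLE_IDENTITY = {
    "type": "AssumedRole",
    "sessionContext": {"sessionIssuer": {"type": "Role", "arn": ROLE_ARN}},
}

# Constructed sample records (not real CloudTrail output).
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "awsRegion": "us-east-1", "userIdentity": ROLE_IDENTITY},
    {"eventID": "e2", "eventName": "StopInstances", "eventSource": "ec2.amazonaws.com",
     "awsRegion": "us-east-1", "userIdentity": ROLE_IDENTITY,
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}}},
    {"eventID": "e3", "eventName": "DeleteNodegroup", "eventSource": "eks.amazonaws.com",
     "awsRegion": "us-east-1", "userIdentity": ROLE_IDENTITY, "errorCode": "AccessDenied"},
    {"eventID": "e4", "eventName": "StopInstances", "eventSource": "ec2.amazonaws.com",
     "awsRegion": "us-east-1", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventID": "e5", "eventName": "DescribeCluster", "eventSource": "eks.amazonaws.com",
     "awsRegion": "ap-southeast-2", "userIdentity": ROLE_IDENTITY},
]


def issued_by(event: dict, role_arn: str) -> bool:
    """True when the call was made with credentials obtained by assuming role_arn."""
    ident = event.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return ident.get("type") == "AssumedRole" and issuer.get("arn") == role_arn


def review(events, role_arn=ROLE_ARN, allowed_regions=ALLOWED_REGIONS) -> list:
    """Return (eventID, category, message) findings for the role's activity."""
    findings = []
    for ev in events:
        if not issued_by(ev, role_arn):
            continue   # other principals are out of scope for this review
        name, eid = ev["eventName"], ev["eventID"]
        if ev.get("errorCode"):
            findings.append((eid, "DENIED",
                             f"{name} failed with {ev['errorCode']}: the role attempted an action outside its policy"))
        elif not name.startswith(READ_ONLY_VERBS):
            findings.append((eid, "WRITE",
                             f"{name} on {ev['eventSource']} changed infrastructure; confirm the target "
                             f"carried the Stackbooster-Managed tag"))
        if ev.get("awsRegion") not in allowed_regions:
            findings.append((eid, "REGION", f"{name} was called in {ev['awsRegion']}, outside the allowed regions"))
    return findings


if __name__ == "__main__":
    for eid, category, message in review(SAMPLE_EVENTS):
        print(f"{eid} {category:7} {message}")
```

Feeding real records is a matter of reading the JSON `Records` array from a CloudTrail log file or an Athena query result into `review`; the DENIED category is the one worth alerting on, since a correctly scoped role should never generate it.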

Kubernetes RBAC Auditing

  1. Use kubectl auth can-i <verb> <resource> --as=system:serviceaccount:stackbooster-system:stackbooster-agent (with -n <namespace> for namespace-scoped checks) to test the agent's effective permissions
  2. Review Kubernetes audit logs for actions taken by the agent
  3. Implement Kubernetes RBAC visualizers for better oversight
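
To see why the namespace-scoped binding earlier on this page behaves differently from a cluster-wide one, it helps to evaluate the RBAC objects the way the API server does when it answers kubectl auth can-i. The following is an added example (not Stackbooster.io code): it resolves bindings to rules (a ClusterRoleBinding grants its ClusterRole in every namespace; a RoleBinding grants the referenced Role, or ClusterRole, only inside its own namespace; a rule matches when apiGroups, resources and verbs each contain the value or "*") and answers can-i questions for the agent's service account. The stackbooster-read-only ClusterRole and the production RoleBinding are the page's; the ClusterRoleBinding and the rules of the stackbooster-namespace-optimizer Role are assumptions, since the page does not show them. Manifests are embedded as JSON, which kubectl accepts as well as YAML.

```python
"""Offline evaluation of RBAC rules for the Stackbooster.io agent's service account.

Added example, not Stackbooster.io code. The ClusterRoleBinding and the
stackbooster-namespace-optimizer Role below are assumptions; the ClusterRole
and RoleBinding mirror the manifests shown on this page.
"""
import json

AGENT = "system:serviceaccount:stackbooster-system:stackbooster-agent"

MANIFESTS = json.loads("""[
 {"kind": "ClusterRole", "metadata": {"name": "stackbooster-read-only"},
  "rules": [
   {"apiGroups": [""], "resources": ["nodes", "pods", "services", "namespaces"], "verbs": ["get", "list", "watch"]},
   {"apiGroups": ["apps"], "resources": ["deployments", "replicasets", "statefulsets"], "verbs": ["get", "list", "watch"]},
   {"apiGroups": ["metrics.k8s.io"], "resources": ["nodes", "pods"], "verbs": ["get", "list", "watch"]}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "stackbooster-read-only"},
  "subjects": [{"kind": "ServiceAccount", "name": "stackbooster-agent", "namespace": "stackbooster-system"}],
  "roleRef": {"kind": "ClusterRole", "name": "stackbooster-read-only"}},
 {"kind": "Role", "metadata": {"name": "stackbooster-namespace-optimizer", "namespace": "production"},
  "rules": [
   {"apiGroups": [""], "resources": ["pods"], "verbs": ["delete"]},
   {"apiGroups": ["apps"], "resources": ["deployments", "statefulsets"], "verbs": ["patch", "update"]}]},
 {"kind": "RoleBinding", "metadata": {"name": "stackbooster-optimizer", "namespace": "production"},
  "subjects": [{"kind": "ServiceAccount", "name": "stackbooster-agent", "namespace": "stackbooster-system"}],
  "roleRef": {"kind": "Role", "name": "stackbooster-namespace-optimizer"}}
]""")


def subject_string(subject: dict) -> str:
    """Canonical name used in audit logs, e.g. system:serviceaccount:<ns>:<name>."""
    if subject["kind"] == "ServiceAccount":
        return f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return f"{subject['kind'].lower()}:{subject['name']}"


def rules_for(subject: str, namespace: str, manifests) -> list:
    """Collect every rule that applies to subject in namespace ('' = cluster scope)."""
    cluster_roles = {m["metadata"]["name"]: m["rules"] for m in manifests if m["kind"] == "ClusterRole"}
    roles = {(m["metadata"]["namespace"], m["metadata"]["name"]): m["rules"]
             for m in manifests if m["kind"] == "Role"}
    rules = []
    for m in manifests:
        if m["kind"] not in ("ClusterRoleBinding", "RoleBinding"):
            continue
        if subject not in {subject_string(s) for s in m.get("subjects", [])}:
            continue
        ref = m["roleRef"]
        if m["kind"] == "ClusterRoleBinding":
            rules.extend(cluster_roles.get(ref["name"], []))          # applies everywhere
        elif namespace and m["metadata"].get("namespace") == namespace:
            if ref["kind"] == "ClusterRole":                          # ClusterRole rules, but only here
                rules.extend(cluster_roles.get(ref["name"], []))
            else:
                rules.extend(roles.get((namespace, ref["name"]), []))
    return rules


def rule_matches(rule: dict, verb: str, api_group: str, resource: str) -> bool:
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule.get("apiGroups", []), api_group)
            and hit(rule.get("resources", []), resource)
            and hit(rule.get("verbs", []), verb))


def can_i(verb, resource, namespace="", api_group="", subject=AGENT, manifests=MANIFESTS) -> bool:
    """Equivalent of: kubectl auth can-i <verb> <resource> -n <namespace> --as=<subject>."""
    return any(rule_matches(r, verb, api_group, resource) for r in rules_for(subject, namespace, manifests))


if __name__ == "__main__":
    for verb, resource, ns, group in [("list", "pods", "staging", ""), ("delete", "pods", "staging", ""),
                                      ("delete", "pods", "production", ""), ("patch", "nodes", "", "")]:
        print(f"can-i {verb} {resource} in {ns or '<cluster>'}: {'yes' if can_i(verb, resource, ns, group) else 'no'}")
```

The result matrix is the one to keep beside the manifests for auditing: reads succeed in every namespace, deletes and patches succeed only in production, and nothing the RoleBinding grants reaches cluster-scoped resources such as nodes, because RoleBindings cannot confer access outside their namespace.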

Permission Lifecycle Management

Handling Permission Changes

When Stackbooster.io requires permission updates:

  1. Review the requested changes and their security implications
  2. Test changes in a non-production environment first
  3. Update policies using infrastructure-as-code when possible
  4. Document all permission changes in your security registry

Revoking Access

When you need to revoke Stackbooster.io's access:

  1. Delete the IAM role or remove the trust relationship
  2. Remove the Kubernetes RBAC bindings for the agent
  3. Delete the agent service account and pods
  4. Document the access removal in your security registry

Best Practices

  • Start with minimum permissions and add more as needed
  • Use infrastructure-as-code to manage permission configurations
  • Version control all permission definitions
  • Regularly audit actual permissions against documented requirements
  • Test permission boundaries with security scenarios
  • Implement permission guardrails using SCPs in AWS Organizations
  • Document permission decisions and their justifications

By following these practices, you'll maintain a secure environment while allowing Stackbooster.io to effectively optimize your Kubernetes infrastructure costs.

Released under the MIT License. Contact us at [email protected]