K
Q

How to deny view/get operation in openshift via open policy?

12/14/2019

We want to disable oc get/describe for secrets to prevent token login

The current policy prevent create, update, delete but not the viewing of secrets

package admission

import data.k8s.matches

# Deny all user for doing secret ops except policyadmin

deny[query] {
    matches[[resource]]

    not "policyadmin" == resource.userInfo.username
    "Secret" == resource.kind.kind

    msg := sprintf("Custom Unauthorized user: %v", [resource.userInfo.username])

    query = {
        "id": "policy-admin-for-secret-only",
        "resource": {
            "kind": kind,
            "namespace": namespace,
            "name": name
        },
        "resolution": {
            "message": msg
        },
    }
}

The data in the resource object is just:

{\"kind\": {\"group\": \"\", \"kind\": \"Secret\", \"version\": \"v1\"}, \"name\": \"s5-token-n6v6q\", \"namespace\": \"demo\", \"operation\": \"DELETE\", \"resource\": {\"group\": \"\", \"resource\": \"secrets\", \"version\": \"v1\"}, \"uid\": \"748cdab2-1c1d-11ea-8b11-080027f8814d\", \"userInfo\": {\"groups\": [\"system:cluster-admins\", \"system:masters\", \"system:authenticated\"], \"username\": \"system:admin\"}

The example in https://github.com/raffaelespazzoli/openshift-opa/blob/master/examples/authorization-webhooks/unreadable_secrets.rego uses the resource.spec object, but I don't think it's available in my input/AdmissionReview object?

I am using

  • minishift 1.24
  • openshift v3.9.0+2e78773-56
  • kubernetes v1.9.1+a0ce1bc657
  • etcd 3.2.16
-- letthefireflieslive
kubernetes
open-policy-agent
openshift
rego

Similar Questions

unable to docker push images in artifactory
Redirect from IP to domain
What is the best approach to serve high bandwidth traffic with AWS NAT Gateway
Connect to server in another Pod by <pod-name>:<port>
Communication between consul on local VM and consul in Kubernetes
Setting AllowPrivilegeEscalation:false
Scrape CoreDNS metrics with External Prometheus
Data resistance on Kafka topic on GCP pod failure
Skaffold dev fails
Import error when deploying Flask application to Kubernetes (GCP)

1 Answer

12/17/2019

Admission control in Kubernetes does NOT let you control a get. It only lets you control create, update, delete, and connect. The API docs for the validating webhook and its descendent RuleWithOperations (no handy link) don't make this clear, but the docs introducing API access state it explicitly.

To control get, you need to use authorization. You could use RBAC to restrict who can get any of the Secrets. To use OPA for authorization you would need the authorization webhook mode.

In Andrew's code that you link to, he is using an authorization webhook--not an admission control webhook. That's why some of the data he is using from input isn't the same as what you see from an admission control webhook. Taking a quick look at his writeup, it seems you need to follow his instructions to Enable Authorization.

-- Tim Hinrichs
Source: StackOverflow