We want to disable oc get/describe for secrets to prevent token login.

The current policy prevents create, update, delete but not the viewing of secrets.
```rego
package admission

import data.k8s.matches

# Deny secret operations for every user except policyadmin.
# matches[[kind, namespace, name, resource]] is the four-element helper from
# the openshift-opa / kube-mgmt examples; it binds the kind, namespace and name
# that the query object below reports (the original used matches[[resource]]
# and left those three variables unbound).
deny[query] {
    matches[[kind, namespace, name, resource]]
    resource.userInfo.username != "policyadmin"
    resource.kind.kind == "Secret"
    msg := sprintf("Custom Unauthorized user: %v", [resource.userInfo.username])
    query := {
        "id": "policy-admin-for-secret-only",
        "resource": {
            "kind": kind,
            "namespace": namespace,
            "name": name,
        },
        "resolution": {
            "message": msg,
        },
    }
}
```
The data in the resource object is just:
```json
{
  "kind": {"group": "", "kind": "Secret", "version": "v1"},
  "name": "s5-token-n6v6q",
  "namespace": "demo",
  "operation": "DELETE",
  "resource": {"group": "", "resource": "secrets", "version": "v1"},
  "uid": "748cdab2-1c1d-11ea-8b11-080027f8814d",
  "userInfo": {
    "groups": ["system:cluster-admins", "system:masters", "system:authenticated"],
    "username": "system:admin"
  }
}
```
The example in https://github.com/raffaelespazzoli/openshift-opa/blob/master/examples/authorization-webhooks/unreadable_secrets.rego uses the `resource.spec` object, but I don't think it's available in my input/AdmissionReview object?
I am using
Admission control in Kubernetes does NOT let you control a `get`. It only lets you control `create`, `update`, `delete`, and `connect`. The API docs for the validating webhook and its descendant RuleWithOperations (no handy link) don't make this clear, but the docs introducing API access state it explicitly.
To control `get`, you need to use authorization. You could use RBAC to restrict who can `get` any of the `Secret`s. To use OPA for authorization you would need the authorization webhook mode.
In Andrew's code that you link to, he is using an authorization webhook, not an admission control webhook. That's why some of the data he is using from `input` isn't the same as what you see from an admission control webhook. Taking a quick look at his writeup, it seems you need to follow his instructions to Enable Authorization.