How to deny view/get operation in openshift via open policy?

12/14/2019

We want to disable oc get/describe for secrets to prevent token login

The current policy prevents create, update, delete but not the viewing of secrets

package admission

import data.k8s.matches

# Deny all users from doing secret ops except policyadmin

deny[query] {
    matches[[resource]]

    resource.userInfo.username != "policyadmin"
    resource.kind.kind == "Secret"

    msg := sprintf("Custom Unauthorized user: %v", [resource.userInfo.username])

    # kind, namespace and name must be read from the admission request
    # object; bare variables here would be unsafe (unbound) in Rego
    query = {
        "id": "policy-admin-for-secret-only",
        "resource": {
            "kind": resource.kind.kind,
            "namespace": resource.namespace,
            "name": resource.name
        },
        "resolution": {
            "message": msg
        }
    }
}

The data in the resource object is just:

{
  "kind": {"group": "", "kind": "Secret", "version": "v1"},
  "name": "s5-token-n6v6q",
  "namespace": "demo",
  "operation": "DELETE",
  "resource": {"group": "", "resource": "secrets", "version": "v1"},
  "uid": "748cdab2-1c1d-11ea-8b11-080027f8814d",
  "userInfo": {
    "groups": ["system:cluster-admins", "system:masters", "system:authenticated"],
    "username": "system:admin"
  }
}

The example in https://github.com/raffaelespazzoli/openshift-opa/blob/master/examples/authorization-webhooks/unreadable_secrets.rego uses the resource.spec object, but I don't think it's available in my input/AdmissionReview object?

I am using

  • minishift 1.24
  • openshift v3.9.0+2e78773-56
  • kubernetes v1.9.1+a0ce1bc657
  • etcd 3.2.16
-- letthefireflieslive
kubernetes
open-policy-agent
openshift
rego

1 Answer

12/17/2019

Admission control in Kubernetes does NOT let you control a get. It only lets you control create, update, delete, and connect. The API docs for the validating webhook and its descendant RuleWithOperations (no handy link) don't make this clear, but the docs introducing API access state it explicitly.

To control get, you need to use authorization. You could use RBAC to restrict who can get any of the Secrets. To use OPA for authorization you would need the authorization webhook mode.

In Andrew's code that you link to, he is using an authorization webhook--not an admission control webhook. That's why some of the data he is using from input isn't the same as what you see from an admission control webhook. Taking a quick look at his writeup, it seems you need to follow his instructions to Enable Authorization.

-- Tim Hinrichs
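What the question's rule looks like once moved to the authorization path the answer describes, as an added example (not code from the answer, the question, or the linked openshift-opa repository): it assumes OPA is registered as a kube-apiserver authorization webhook, so `input` is a SubjectAccessReview rather than an AdmissionReview, and it keeps the `policyadmin` username from the question.

```rego
package authz

# Authorization webhooks see the verb ("get", "list", ...) that admission
# control never sees, so read access to Secrets can be refused here.
import input.spec.resourceAttributes as attrs

read_verbs = {"get", "list", "watch"}

# True when the request reads a Secret in the core API group.
secret_read {
    attrs.group == ""
    attrs.resource == "secrets"
    read_verbs[attrs.verb]
}

# Refuse Secret reads for everyone except policyadmin (assumed username).
deny[reason] {
    secret_read
    input.spec.user != "policyadmin"
    reason := sprintf("user %v may not %v secrets", [input.spec.user, attrs.verb])
}

# Response returned to the API server. denied=true short-circuits the
# authorizer chain; allowed=false with denied=false is "no opinion", so
# every other request falls through to RBAC as before.
main = {
    "apiVersion": "authorization.k8s.io/v1beta1",
    "kind": "SubjectAccessReview",
    "status": {
        "allowed": false,
        "denied": count(deny) > 0,
        "reason": concat("; ", deny)
    }
}
```

Non-resource requests carry no `resourceAttributes`, so `secret_read` is undefined for them and the policy stays silent.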
Source: StackOverflow