I have put delete restrictions (using a validation webhook) for all service accounts on a namespace, including the namespace itself. Is there a way, as a cluster admin, I can delete objects from that namespace?
package kubernetes.admission

deny[msg] {
    namespace := input.request.namespace
    operation := input.request.operation
    # Namespaces to protect and the write operations to block there
    namespaces := {"test01"}
    operations := {"CREATE", "DELETE", "UPDATE"}
    namespaces[namespace]
    operations[operation]
    # Two %q verbs to match the two arguments passed to sprintf
    msg := sprintf("Operation not permitted in protected namespace %q, invalid operation %q", [namespace, operation])
}
Or, is there a way to put the cluster admin in an exception?
Update:
I figured out the usernames to put in the exception, but this policy, although it evaluates correctly in the policy checker, is not showing status: ok in the configmap status:
package kubernetes.admission

deny[msg] {
    namespace := input.request.namespace
    operation := input.request.operation
    username := input.request.userInfo.username
    # Protected namespaces, exempted users, and blocked write operations
    namespaces := {"test01", "kube-system"}
    users := {"kubernetes-admin", "admin"}
    operations := {"CREATE", "DELETE", "UPDATE"}
    namespaces[namespace]
    operations[operation]
    not users[username]
    # Three %q verbs to match the three arguments passed to sprintf
    msg := sprintf("Operation not permitted in protected namespace %q for user %q, invalid operation %q", [namespace, username, operation])
}
Update:
The policy status is Ok after a while.
You could delete the object directly from the etcd server, assuming that as cluster admin you have access to the etcd server.
For example:
$ kubectl get po
NAME READY STATUS RESTARTS AGE
curler-755cc7cfff-xdt6m 1/1 Running 0 21h
nginx-6db489d4b7-qvmgn 1/1 Running 0 21h
I want to delete pod nginx-6db489d4b7-qvmgn
$ kubectl get po -n kube-system | grep etcd
etcd-v1-16-master 1/1 Running 4 10d
$ kubectl exec -it etcd-v1-16-master -n kube-system sh
$ ETCDCTL_API=3 etcdctl --cert=/etc/kubernetes/pki/etcd/server.crt --key=/etc/kubernetes/pki/etcd/server.key --cacert=/etc/kubernetes/pki/etcd/ca.crt del /registry/pods/default/nginx-6db489d4b7-qvmgn
1
Now if I check it again:
$ kubectl get po
NAME READY STATUS RESTARTS AGE
curler-755cc7cfff-xdt6m 1/1 Running 0 21h
nginx-6db489d4b7-n8p8d 1/1 Running 0 35s
This policy works, given that the usernames are correct.
package kubernetes.admission

deny[msg] {
    namespace := input.request.namespace
    operation := input.request.operation
    username := input.request.userInfo.username
    # Protected namespaces, exempted users, and blocked write operations
    namespaces := {"test01", "kube-system"}
    users := {"kubernetes-admin", "admin"}
    operations := {"CREATE", "DELETE", "UPDATE"}
    namespaces[namespace]
    operations[operation]
    not users[username]
    # Three %q verbs to match the three arguments passed to sprintf
    msg := sprintf("Operation not permitted in protected namespace %q for user %q, invalid operation %q", [namespace, username, operation])
}
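An OPA unit test for the policy in this answer, added here as an example (it is not part of the original post). It assumes the policy above is loaded in package kubernetes.admission and that the tests are run with opa test; the AdmissionReview inputs are constructed. Service accounts authenticate with usernames of the form system:serviceaccount:<namespace>:<name>, so the allowlist of plain usernames exempts only the named human admins, which is what the tests check.

```rego
package kubernetes.admission

# Constructed admission request used by the tests below (hypothetical values)
request(ns, op, user) = {
    "request": {
        "namespace": ns,
        "operation": op,
        "userInfo": {"username": user}
    }
}

# Exempted cluster admin may delete in a protected namespace
test_admin_delete_in_protected_namespace_allowed {
    count(deny) == 0 with input as request("test01", "DELETE", "kubernetes-admin")
}

# A service account in the protected namespace is denied the same delete
test_service_account_delete_in_protected_namespace_denied {
    count(deny) == 1 with input as request("test01", "DELETE", "system:serviceaccount:test01:default")
}

# Non-exempt user is also denied CREATE and UPDATE in kube-system
test_non_admin_write_in_kube_system_denied {
    count(deny) == 1 with input as request("kube-system", "CREATE", "alice")
    count(deny) == 1 with input as request("kube-system", "UPDATE", "alice")
}

# Reads are never blocked, even for service accounts in protected namespaces
test_get_in_protected_namespace_allowed {
    count(deny) == 0 with input as request("test01", "CONNECT", "system:serviceaccount:test01:default")
}

# Writes outside the protected namespaces are unaffected
test_write_in_other_namespace_allowed {
    count(deny) == 0 with input as request("default", "DELETE", "system:serviceaccount:default:default")
}
```

Run with opa test -v . from the directory holding the policy and this test file; a failing test_admin_delete_in_protected_namespace_allowed is the quickest sign that the exempted username does not match what the API server actually puts in request.userInfo.username.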