How to restrict access for namespaces like "kube-system" in Kubernetes

1/20/2021

We want to provide a cluster for our customers with pre-installed applications and therefore want to give the customer all rights except on the namespaces provided by us and the system namespaces, such as "kube-system", so that they cannot see the sensitive information in secrets or break anything there. We have already tested with OPA, but unfortunately you can't intercept GET requests there, which means the secrets would still be viewable. It also doesn't work with RBAC because you can't deny access to a particular namespace there.

Is there a way to achieve this?

Thanks and best regards

Vedat

-- Vedat
kubernetes
open-policy-agent
rbac

2 Answers

1/20/2021

You can definitely use OPA to evaluate GET requests, just not through the admission controller (as that ultimately decides what will be persisted in Kubernetes, and GET requests by nature only read). What you'll want to use is a Kubernetes authorization webhook, which you can add to the chain of authorizers consulted for any request. Here's a pretty good blog post on the topic.

Some caveats to take into consideration:

  1. You'll need full control of the cluster in order to configure the API server with custom authorizers. This is currently not possible with many of the managed cloud offerings.
  2. Not supported in popular tools like Gatekeeper, i.e. you'll need to deploy and manage "vanilla" OPA for this.

    1: https://kubernetes.io/docs/reference/access-authn-authz/webhook/

    2: https://sbueringer.github.io/kubernetes/open-policy-agent-authorization-webhook/

-- Devoops
Source: StackOverflow
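As an added example that is not part of the answer above or of the linked blog post: the authorization webhook contract is a POST of an `authorization.k8s.io/v1` SubjectAccessReview, answered with the same object carrying a `status`. The server below is written in Go and takes the decision itself instead of delegating to OPA and Rego, so the same policy can be seen end to end; the protected namespace list, the `provider-admins` group, the `provider-apps` namespace and the set of cluster-scoped resources tenants may list are all assumptions for this example. The security-relevant detail is the three-valued answer: `denied: true` is a hard deny that later authorizers (RBAC) never get to override, `allowed: true` would short-circuit to allow, and a status with neither set is "no opinion" and falls through to RBAC. The handler also refuses namespace-less list/watch requests on namespaced resources, because `kubectl get secrets --all-namespaces` would otherwise aggregate the protected namespaces into one response that carries no namespace to match against.

```go
package main

import (
	"encoding/json"
	"log"
	"net/http"
	"strings"
)

// Minimal authorization.k8s.io/v1 SubjectAccessReview types (only the fields used here).
type ResourceAttributes struct {
	Namespace   string `json:"namespace,omitempty"`
	Verb        string `json:"verb,omitempty"`
	Group       string `json:"group,omitempty"`
	Resource    string `json:"resource,omitempty"`
	Subresource string `json:"subresource,omitempty"`
	Name        string `json:"name,omitempty"`
}

type NonResourceAttributes struct {
	Path string `json:"path,omitempty"`
	Verb string `json:"verb,omitempty"`
}

type SubjectAccessReviewSpec struct {
	ResourceAttributes    *ResourceAttributes    `json:"resourceAttributes,omitempty"`
	NonResourceAttributes *NonResourceAttributes `json:"nonResourceAttributes,omitempty"`
	User                  string                 `json:"user,omitempty"`
	Groups                []string               `json:"groups,omitempty"`
}

// Allowed=false,Denied=false means "no opinion": the API server moves on to the next
// authorizer (RBAC). Denied=true is final and is never overridden by a later allow.
type SubjectAccessReviewStatus struct {
	Allowed bool   `json:"allowed"`
	Denied  bool   `json:"denied,omitempty"`
	Reason  string `json:"reason,omitempty"`
}

type SubjectAccessReview struct {
	APIVersion string                    `json:"apiVersion"`
	Kind       string                    `json:"kind"`
	Spec       SubjectAccessReviewSpec   `json:"spec"`
	Status     SubjectAccessReviewStatus `json:"status"`
}

// Assumed policy data for this example: namespaces the tenant must never touch, and the
// cluster-scoped resources a tenant is allowed to list/watch without a namespace.
var protectedNamespaces = map[string]bool{
	"kube-system": true, "kube-public": true, "kube-node-lease": true,
	"provider-apps": true, // placeholder for the namespaces shipped by the provider
}
var readableClusterScoped = map[string]bool{
	"namespaces": true, "nodes": true, "storageclasses": true, "persistentvolumes": true,
}

// isExempt keeps the control plane and the provider out of the deny rules; denying
// kube-controller-manager or kube-system service accounts would break the cluster.
func isExempt(spec SubjectAccessReviewSpec) bool {
	for _, g := range spec.Groups {
		if g == "system:masters" || g == "system:nodes" || g == "provider-admins" {
			return true
		}
	}
	// system:serviceaccount:<namespace>:<name> -> exempt when <namespace> is protected
	if strings.HasPrefix(spec.User, "system:serviceaccount:") {
		if parts := strings.SplitN(spec.User, ":", 4); len(parts) == 4 && protectedNamespaces[parts[2]] {
			return true
		}
	}
	switch spec.User {
	case "system:kube-controller-manager", "system:kube-scheduler", "system:apiserver":
		return true
	}
	return false
}

// Decide returns a deny for requests into protected namespaces and for namespace-less
// list/watch of namespaced resources; everything else is left to RBAC ("no opinion").
func Decide(spec SubjectAccessReviewSpec) SubjectAccessReviewStatus {
	if isExempt(spec) {
		return SubjectAccessReviewStatus{}
	}
	ra := spec.ResourceAttributes
	if ra == nil { // non-resource URLs such as /healthz or /api: RBAC handles them
		return SubjectAccessReviewStatus{}
	}
	if protectedNamespaces[ra.Namespace] {
		return SubjectAccessReviewStatus{Denied: true, Reason: "namespace " + ra.Namespace + " is managed by the provider"}
	}
	if ra.Namespace == "" && (ra.Verb == "list" || ra.Verb == "watch") && !readableClusterScoped[ra.Resource] {
		return SubjectAccessReviewStatus{Denied: true, Reason: "cluster-wide " + ra.Verb + " of " + ra.Resource + " is not permitted"}
	}
	return SubjectAccessReviewStatus{}
}

func handle(w http.ResponseWriter, r *http.Request) {
	var sar SubjectAccessReview
	if err := json.NewDecoder(r.Body).Decode(&sar); err != nil {
		http.Error(w, "bad SubjectAccessReview: "+err.Error(), http.StatusBadRequest)
		return
	}
	resp := SubjectAccessReview{APIVersion: "authorization.k8s.io/v1", Kind: "SubjectAccessReview", Status: Decide(sar.Spec)}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(resp)
}

func main() {
	http.HandleFunc("/authorize", handle)
	// Serve over TLS; certificate and key paths are placeholders.
	log.Fatal(http.ListenAndServeTLS(":8443", "/etc/webhook/tls.crt", "/etc/webhook/tls.key", nil))
}
```

Wiring it in means pointing the API server at the webhook with `--authorization-webhook-config-file` (a kubeconfig whose `server:` is this endpoint), setting `--authorization-webhook-version=v1` so the request matches the struct above, and ordering the modes as `--authorization-mode=Node,Webhook,RBAC`: authorizers are consulted left to right, and if RBAC came first its allow would end the chain before the webhook ever saw the request. Webhook verdicts are cached (`--authorization-webhook-cache-authorized-ttl`, default 5m, and `--authorization-webhook-cache-unauthorized-ttl`, default 30s), so a policy change can take a few minutes to bite for subjects that were recently allowed.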

1/28/2021

I solved the problem by giving the user a ClusterRole that only has permissions on namespaces and a ClusterRole that has permissions on everything. I bound the ClusterRole for the namespaces with a ClusterRoleBinding and the other ClusterRole with a RoleBinding. So that the user also has permissions on the namespaces he dynamically creates, he needs a RoleBinding on the ClusterRole that is allowed to do everything.

To do this automatically, I use the tool Argo-Events, which triggers a RoleBinding deployment on a namespace creation event. And with OPA I prevent the user from changing or deleting namespaces.

-- Vedat
Source: StackOverflow
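An added example, not Vedat's manifests and not Argo-Events code: the RBAC layout from the answer above expressed as a small Go generator that emits the two ClusterRoles, the single ClusterRoleBinding, and the per-namespace RoleBinding that the namespace-creation trigger would apply. The role names (`tenant-namespaces`, `tenant-admin`), the user `alice`, the `provider-apps` namespace and the protected-namespace list are assumptions. The output is JSON rather than YAML so that it needs only the standard library; `kubectl apply -f -` accepts either. The one piece of logic a practitioner wants here is in `AdminBindingForNamespace`: the trigger fires for every namespace creation, including namespaces the provider adds later, so the automation must refuse protected names or it will hand the tenant full rights in a namespace that was meant to stay off limits.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// Minimal rbac.authorization.k8s.io/v1 types (only the fields these manifests need).
type ObjectMeta struct {
	Name      string `json:"name"`
	Namespace string `json:"namespace,omitempty"`
}

type PolicyRule struct {
	APIGroups []string `json:"apiGroups"`
	Resources []string `json:"resources"`
	Verbs     []string `json:"verbs"`
}

type ClusterRole struct {
	APIVersion string       `json:"apiVersion"`
	Kind       string       `json:"kind"`
	Metadata   ObjectMeta   `json:"metadata"`
	Rules      []PolicyRule `json:"rules"`
}

type Subject struct {
	Kind     string `json:"kind"`
	APIGroup string `json:"apiGroup,omitempty"`
	Name     string `json:"name"`
}

type RoleRef struct {
	APIGroup string `json:"apiGroup"`
	Kind     string `json:"kind"`
	Name     string `json:"name"`
}

// Binding serves as both RoleBinding and ClusterRoleBinding; they differ only in Kind
// and in whether metadata.namespace is set.
type Binding struct {
	APIVersion string     `json:"apiVersion"`
	Kind       string     `json:"kind"`
	Metadata   ObjectMeta `json:"metadata"`
	Subjects   []Subject  `json:"subjects"`
	RoleRef    RoleRef    `json:"roleRef"`
}

const rbacAPI = "rbac.authorization.k8s.io/v1"

// Assumed names for this example.
const (
	namespaceRole = "tenant-namespaces" // bound cluster-wide: only the namespace resource
	adminRole     = "tenant-admin"      // everything, but only ever bound per namespace
)

var protectedNamespaces = map[string]bool{
	"kube-system": true, "kube-public": true, "kube-node-lease": true,
	"provider-apps": true, // placeholder for the namespaces shipped by the provider
}

func userSubject(user string) []Subject {
	return []Subject{{Kind: "User", APIGroup: "rbac.authorization.k8s.io", Name: user}}
}

// ClusterRoles: the tenant may see and create namespaces; the admin role is never
// referenced from a ClusterRoleBinding, so it grants nothing until a RoleBinding scopes it.
func ClusterRoles() []ClusterRole {
	return []ClusterRole{
		{APIVersion: rbacAPI, Kind: "ClusterRole", Metadata: ObjectMeta{Name: namespaceRole},
			Rules: []PolicyRule{{APIGroups: []string{""}, Resources: []string{"namespaces"},
				Verbs: []string{"get", "list", "watch", "create"}}}},
		{APIVersion: rbacAPI, Kind: "ClusterRole", Metadata: ObjectMeta{Name: adminRole},
			Rules: []PolicyRule{{APIGroups: []string{"*"}, Resources: []string{"*"}, Verbs: []string{"*"}}}},
	}
}

// NamespaceBinding is the only ClusterRoleBinding the tenant gets.
func NamespaceBinding(user string) Binding {
	return Binding{APIVersion: rbacAPI, Kind: "ClusterRoleBinding",
		Metadata: ObjectMeta{Name: namespaceRole + "-" + user}, Subjects: userSubject(user),
		RoleRef:  RoleRef{APIGroup: "rbac.authorization.k8s.io", Kind: "ClusterRole", Name: namespaceRole}}
}

// AdminBindingForNamespace is what the namespace-creation trigger applies. It refuses
// protected namespaces so a namespace created by the provider later is never handed over.
func AdminBindingForNamespace(ns, user string) (Binding, error) {
	if protectedNamespaces[ns] {
		return Binding{}, fmt.Errorf("refusing to bind %s in protected namespace %s", adminRole, ns)
	}
	return Binding{APIVersion: rbacAPI, Kind: "RoleBinding",
		Metadata: ObjectMeta{Name: adminRole + "-" + user, Namespace: ns}, Subjects: userSubject(user),
		RoleRef:  RoleRef{APIGroup: "rbac.authorization.k8s.io", Kind: "ClusterRole", Name: adminRole}}, nil
}

// Manifest bundles everything into a v1 List for "kubectl apply -f -".
func Manifest(user string, tenantNamespaces []string) ([]byte, error) {
	items := []interface{}{}
	for _, cr := range ClusterRoles() {
		items = append(items, cr)
	}
	items = append(items, NamespaceBinding(user))
	for _, ns := range tenantNamespaces {
		rb, err := AdminBindingForNamespace(ns, user)
		if err != nil {
			return nil, err
		}
		items = append(items, rb)
	}
	return json.MarshalIndent(map[string]interface{}{"apiVersion": "v1", "kind": "List", "items": items}, "", "  ")
}

func main() {
	out, err := Manifest("alice", []string{"team-a"})
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	os.Stdout.Write(out)
}
```

Two properties of this layout are worth checking with `kubectl auth can-i --as alice` after applying it. First, `kubectl get secrets --all-namespaces` is refused by RBAC because the only cluster-scoped grant is on `namespaces`; a namespace-less list is not covered by any RoleBinding, and that is what keeps kube-system secrets out of reach. Second, a RoleBinding in `team-a` also applies to requests against the namespace object itself (`/api/v1/namespaces/team-a` carries namespace `team-a`), so the `*` ClusterRole lets alice update or delete her own namespace; that is the gap the answer closes with OPA, and an admission policy on UPDATE/DELETE of namespaces is the right place for it since those are writes.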