Support constraints on PodExecOptions #1056
Comments
|
Digging into this a bit, specifically WRT looking at validating kubectl exec requests:
ConnectRequest's contents appear to be fairly opaque (lots of strings). I haven't dug deeply enough to see how these strings are formed. |
|
Looks like the Manually configuring Gatekeeper to reject {
"_unstable": {
"namespace": {
"apiVersion": "v1",
"kind": "Namespace",
"metadata": {
"annotations": {
"kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"kind\":\"Namespace\",\"metadata\":{\"annotations\":{},\"labels\":{\"owner\":\"me.agilebank.demo\"},\"name\":\"production\"}}\n"
},
"creationTimestamp": "2021-01-13T01:32:16Z",
"labels": {
"owner": "me.agilebank.demo"
},
"managedFields": [
{
"apiVersion": "v1",
"fieldsType": "FieldsV1",
"fieldsV1": {
"f:metadata": {
"f:annotations": {
".": {},
"f:kubectl.kubernetes.io/last-applied-configuration": {}
},
"f:labels": {
".": {},
"f:owner": {}
}
},
"f:status": {
"f:phase": {}
}
},
"manager": "kubectl-client-side-apply",
"operation": "Update",
"time": "2021-01-13T01:32:16Z"
}
],
"name": "production",
"resourceVersion": "834",
"selfLink": "/api/v1/namespaces/production",
"uid": "6149358d-fc9e-44ce-9302-e2bc63ec2e59"
},
"spec": {
"finalizers": [
"kubernetes"
]
},
"status": {
"phase": "Active"
}
}
},
"dryRun": false,
"kind": {
"group": "",
"kind": "PodExecOptions",
"version": "v1"
},
"name": "opa",
"namespace": "production",
"object": {
"apiVersion": "v1",
"command": [
"ls"
],
"container": "opa",
"kind": "PodExecOptions",
"stderr": true,
"stdout": true
},
"oldObject": null,
"operation": "CONNECT",
"options": null,
"requestKind": {
"group": "",
"kind": "PodExecOptions",
"version": "v1"
},
"requestResource": {
"group": "",
"resource": "pods",
"version": "v1"
},
"requestSubResource": "exec",
"resource": {
"group": "",
"resource": "pods",
"version": "v1"
},
"subResource": "exec",
"uid": "f5d8c9d3-eb47-42ab-ab1c-8f47b4c215ff",
"userInfo": {
"groups": [
"system:masters",
"system:authenticated"
],
"username": "kubernetes-admin"
}
}
|
maxsmythe
changed the title
|
Note that I'm missing a step here: for the ValidatingWebhookConfiguration adjustment, we want to validate a |
|
I don't seem to be able to repro getting gatekeeper to detect
|
|
You need to explicitly match on subresources. I think this is
|
|
Thank you! |
|
Thanks to @maxsmythe, I had to specifically call out and that makes it work! Created a gist here. |
|
Hi, @soorena776, your solution works for me as well, thanks for providing a gist! @maxsmythe Is this something that we could add support for in the gatekeeper helm chart? I'm happy to raise a PR for this. |
|
+1 I think this would be a great enhancement! |
|
@HenriWilliams Any luck with the PR? Let us know if you need any help! |
|
You are able to do this in the current helm chart using: validatingWebhookCustomRules:
- apiGroups:
- '*'
apiVersions:
- '*'
operations:
- CREATE
- UPDATE
- CONNECT
resources:
- '*'
- 'pods/exec'
- 'pods/attach'which was added in this PR. I think because of this we can probably close this issue now. |
|
Closed via #1806 |
|
@aryann I have exactly the use case you describe, and I'm a bit new to writing OPA gatekeeper constraints and constraint templates. I'm wondering if you had examples of referencing the PodExecOptions to validate that tty and stdin are false? I'm reading up on rego and looking through all the examples and the library at https://github.com/open-policy-agent/gatekeeper-library/tree/master . If you had a working constraint template, I would encourage you to contribute it to the gatekeeper-library as I doubt I'm the only one who would find it useful and would be grateful not to have to climb that learning curve. |
|
For anyone that happens on this issue in the future. I got this to work in my org and have not yet contributed to the gateway-library, but can easilygive some pointers for others here:
|
With above settings in validatingwebhookconfiguration its still allowing exec option. Information of any other setting which needs to be done would be helpful. |
Describe the solution you'd like
I would like to be able to specify a constraint on a subresource. In particular, I'd like to prevent
kubectl execrequests where either the tty or stdin fields of PodExecOptions is true.I do not believe this is possible with Gatekeeper today.
Anything else you would like to add:
Some context on why this is useful: Kubernetes Audit Logging only logs the initial command used to initiate pods.exec (the command appears as
cmdquery parameters on the subresource URI). This means that any interactive sessions (e.g., through/bin/bashwithkubectl exec -it) only log the initial command but no subsequent commands since the Kube API is no longer involved in the session. This makes completely auditing all interactions with the cluster challenging.One alternative is to use auditd, but that does not work since you no longer have the identity of the actor.
Environment:
kubectl version): N/AThe text was updated successfully, but these errors were encountered: