From 1a4b516e2fc461624d79c4e73f2f145e6840b393 Mon Sep 17 00:00:00 2001
From: gadinaor-r7 <78914287+gadinaor-r7@users.noreply.github.com>
Date: Sun, 3 Jul 2022 17:23:07 +0300
Subject: [PATCH] Add analysis rule for Gateway API resources (#54)

* Add analysis rule for Gateway API resources
---
 pkg/analysis/default-rules.yaml | 26 ++++++++++++
 testdata/whocan/gatewat-api-operator.yaml | 48 +++++++++++++++++++++++
 2 files changed, 74 insertions(+)
 create mode 100644 testdata/whocan/gatewat-api-operator.yaml

diff --git a/pkg/analysis/default-rules.yaml b/pkg/analysis/default-rules.yaml
index 898dd88..9abe7e2 100644
--- a/pkg/analysis/default-rules.yaml
+++ b/pkg/analysis/default-rules.yaml
@@ -207,6 +207,32 @@ Rules:
 )
 Exclusions: []
+ - Name: Networking - Manipulate Gateway API Resources
+ Description: |
+ Capture principals that can manipulate shared cluster networking services such as
+ Gateway Classes, Gateways, HTTPRoutes, TLSRoutes, etc,.
+ Severity: HIGH
+ Uuid: 337c205f-7479-4a31-9057-03c6c8d2f80e
+ Recommendation: |
+ "Review the policy rules for \'" + (has(subject.namespace) ? subject.namespace +"/" : "") + subject.name + "\' ("+ subject.kind +") by running \'rbac-tool policy-rules -e " + subject.name +"\'.\n" +
+ "You can visualize the RBAC policy by running \'rbac-tool viz --include-subjects=" + subject.name +"\'"
+ References:
+ - https://gateway-api.sigs.k8s.io/
+
+
+ # Analysis expressions are evaluated with array of SubjectPermissions object - see https://github.com/alcideio/rbac-tool/blob/master/pkg/rbac/subject_permissions.go#L11
+ # Expression syntax can be found here: https://github.com/google/cel-spec/blob/master/doc/intro.md
+ # In the expression when evaluating rule.resource - use plural form (secrets not secret)
+ AnalysisExpr: |
+ subjects.filter(
+ subject, has(subject.allowedTo) && subject.allowedTo.exists(
+ rule,
+ (has(rule.verb) && rule.verb in ['create', 'delete', 'update', 'patch', '*']) &&
+ (has(rule.resource) && rule.resource in ['gatewayclasses', 'gateways', 'httproutes', 'tcproutes', 'tlsroutes', 'udproutes', '*']) &&
+ (has(rule.apiGroup) && rule.apiGroup in ['gateway.networking.k8s.io', '*']) )
+ )
+ Exclusions: []
+
 - Name: Installing or Modifying Admission Controllers
 Description: Capture principals that can install/update Kubernetes admission controllers of any kind
 Severity: CRITICAL
diff --git a/testdata/whocan/gatewat-api-operator.yaml b/testdata/whocan/gatewat-api-operator.yaml
new file mode 100644
index 0000000..00a321d
--- /dev/null
+++ b/testdata/whocan/gatewat-api-operator.yaml
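Review bot: The verb list in AnalysisExpr omits `deletecollection`, which Kubernetes RBAC treats as a verb distinct from `delete`; a principal granted only that verb could still remove every Gateway or route in a namespace and would not be flagged by this rule, so consider `rule.verb in ['create', 'delete', 'deletecollection', 'update', 'patch', '*']` if that matches the verb sets the neighbouring rules use (they sit outside the hunk). For the same reason it is worth checking whether `referencegrants`, the gateway.networking.k8s.io resource that authorises cross-namespace route-to-backend references, should be in the resource list, provided the tool's resource normalisation knows it. The Description line ends with the typo `etc,.`; `etc.` reads cleanly. The two consecutive blank added lines between References and the comment block are noise that a later edit will have to tidy.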
@@ -0,0 +1,48 @@
+#
+# Install:
+# kubectl apply -f testdata/whocan/gatewat-api-operator.yaml
+#
+# Run:
+# bin/rbac-tool who-can get gateways | grep gateway-network-operator
+#
+# Expect:
+#
+# ServiceAccount | gateway-network-operator-sa | test
+# User | gateway-network-operator-user |
+#
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: gateway-network-operator-role
+rules:
+ - apiGroups: ["gateway.networking.k8s.io"]
+ resources: ["*"]
+ verbs: ["create", "update", "delete", "patch"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+# This role binding allows "jane" to read pods in the "default" namespace.
+# You need to already have a Role named "pod-reader" in that namespace.
+kind: RoleBinding
+metadata:
+ name: gateway-network-operator
+ namespace: test
+subjects:
+ # You can specify more than one "subject"
+ - kind: User
+ name: gateway-network-operator-user # "name" is case sensitive
+ apiGroup: rbac.authorization.k8s.io # You can specify more than one "subject"
+ - kind: ServiceAccount
+ name: gateway-network-operator-sa # "name" is case sensitive
+ namespace: test
+roleRef:
+ # "roleRef" specifies the binding to a Role / ClusterRole
+ kind: ClusterRole #this must be Role or ClusterRole
+ name: gateway-network-operator-role # this must match the name of the Role or ClusterRole you wish to bind to
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: gateway-network-operator-sa
+ namespace: test
\ No newline at end of file
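Review bot: The Expect block in the header says `bin/rbac-tool who-can get gateways` lists both subjects, but the ClusterRole grants only `create`, `update`, `delete` and `patch`, so unless who-can treats write verbs as implying read this fixture cannot produce that output; either add `get` to `verbs` or change the documented command to `who-can create gateways`. The two comment lines copied from the Kubernetes RBAC docs (`# This role binding allows "jane" to read pods in the "default" namespace.` and the `pod-reader` line) describe a different binding and should be removed or rewritten for this one. A RoleBinding in namespace `test` confines the ClusterRole's permissions to that namespace, so cluster-scoped GatewayClasses are not granted here; a one-line comment stating that is the intent, or a ClusterRoleBinding if the fixture is meant to exercise them, would save the next reader the same puzzle. The file name `gatewat-api-operator.yaml` looks like a typo for `gateway-api-operator.yaml` and is repeated in the Install comment.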