Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable restrictions on tenant namespaces labels #200

Closed
GlassOfWhiskey opened this issue Feb 15, 2021 · 1 comment · Fixed by #211
Closed

Enable restrictions on tenant namespaces labels #200

GlassOfWhiskey opened this issue Feb 15, 2021 · 1 comment · Fixed by #211
Assignees
@prometherion
Labels
bug Something isn't working medium-priority Feature Request with medium-priority v0.0.5

Comments

@GlassOfWhiskey
Copy link
Contributor

As of today (Kubernetes 1.20.x) NetworkPolicy resources can only address namespaces by their labels, not by their names. But if tenant admins can assign arbitrary labels to their namespaces, NetworkPolicy resources can easily be bypassed.

A common use case when it is necessary to allow ingress traffic from a different namespace is when exposing an IngressController resource to tenant users. Supposing to use Contour, we have a projectcontour namespace that must be able to forward packets to a backend service located in a tenant-related namespace tenant-ns.

Wanting to allow this kind of communication, a cluster admin must create a tenant with a networkPolicy of this kind:

ingress:
  from:
    - podSelector:
        matchLabels:
          app: envoy
      namespaceSelector:
        matchLabels:
          name: projectcontour
      ...
podSelector: {}

Now suppose to have another tenant called malicioustenant. If the tenant admin creates a namespace

apiVersion: v1
kind: Namespace
metadata:
  labels:
    name: projectcontour
  name: malicioustenant-ns

then traffic from the malicioustenant-ns is not filtered by the previous NetworkPolicy.

It is true that this flaw can be removed by introducing ad-hoc policies, e.g. using the OPA Gatekeeper, but the frequent nature of this use case (every cluster equipped with an IngressController needs this feature) makes it convenient to allows Capsule users to directly manage this aspect in Capsule.

Commonly, the protected labels are common to the entire cluster and not tenant-related. Therefore, the best solution could probably be to add something like a protectedNamespaceLabelsList or protectedNamespaceLabelsRegex configurable option in the Helm chart, as has been done for the namespace names with the protectedNamespaceRegex option.
@GlassOfWhiskey GlassOfWhiskey added the blocked-needs-validation Issue need triage and validation label Feb 15, 2021
@prometherion prometherion self-assigned this Mar 1, 2021
@prometherion prometherion added bug Something isn't working medium-priority Feature Request with medium-priority and removed blocked-needs-validation Issue need triage and validation labels Mar 1, 2021
@prometherion
Copy link
Member

Thanks for the feedback, I'm marking this as a bug since it could lead to a big attack surface especially considering how network segregation through NetworkPolicy resources is mandatory in multi-tenant contexts.

@prometherion prometherion mentioned this issue Mar 3, 2021
Merged
@stg-0 stg-0 mentioned this issue Mar 24, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@prometherion prometherion

Labels
bug Something isn't working medium-priority Feature Request with medium-priority v0.0.5
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Namespace metadata are just controlled by the Tenant manifest projectcapsule/capsule
2 participants
@prometherion @GlassOfWhiskey