Always collect deny arm of kubernetes_resources (#28275)

Denied `kubernetes_resources` weren't properly loaded when collecting resources for list filtering. This PR collects all deny arms - if the `kubernetes_labels` match the cluster, the access is denied - of Kubernetes resources. Fixes #28262
gravitational · Jun 26, 2023 · af404e3 · af404e3
1 parent 3f852e6
commit af404e3
Show file tree

Hide file tree

Showing 3 changed files with 61 additions and 5 deletions.
diff --git a/lib/kube/proxy/pod_rbac_test.go b/lib/kube/proxy/pod_rbac_test.go
@@ -51,6 +51,7 @@ func TestListPodRBAC(t *testing.T) {
 		usernameWithFullAccess      = "full_user"
 		usernameWithNamespaceAccess = "default_user"
 		usernameWithLimitedAccess   = "limited_user"
+		usernameWithDenyRule        = "denied_user"
 		testPodName                 = "test"
 	)
 	// kubeMock is a Kubernetes API mock for the session tests.
@@ -141,6 +142,39 @@ func TestListPodRBAC(t *testing.T) {
 		},
 	)
 
+	// create a user allowed to access all namespaces except the default namespace.
+	// (kubernetes_user and kubernetes_groups specified)
+	userWithDenyRule, _ := testCtx.CreateUserAndRole(
+		testCtx.Context,
+		t,
+		usernameWithDenyRule,
+		RoleSpec{
+			Name:       usernameWithDenyRule,
+			KubeUsers:  roleKubeUsers,
+			KubeGroups: roleKubeGroups,
+			SetupRoleFunc: func(r types.Role) {
+				r.SetKubeResources(types.Allow,
+					[]types.KubernetesResource{
+						{
+							Kind:      types.KindKubePod,
+							Name:      types.Wildcard,
+							Namespace: types.Wildcard,
+						},
+					},
+				)
+				r.SetKubeResources(types.Deny,
+					[]types.KubernetesResource{
+						{
+							Kind:      types.KindKubePod,
+							Name:      types.Wildcard,
+							Namespace: metav1.NamespaceDefault,
+						},
+					},
+				)
+			},
+		},
+	)
+
 	type args struct {
 		user      types.User
 		namespace string
@@ -234,6 +268,26 @@ func TestListPodRBAC(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "list pods in every namespace for user with default namespace deny rule",
+			args: args{
+				user: userWithDenyRule,
+			},
+			want: want{
+				listPodsResult: []string{
+					"dev/nginx-1",
+					"dev/nginx-2",
+				},
+				getTestPodResult: &kubeerrors.StatusError{
+					ErrStatus: metav1.Status{
+						Status:  "Failure",
+						Message: "pods \"test\" is forbidden: User \"denied_user\" cannot get resource \"pods\" in API group \"\" in the namespace \"default\"",
+						Code:    403,
+						Reason:  metav1.StatusReasonForbidden,
+					},
+				},
+			},
+		},
 		{
 			name: "list default namespace pods for user with limited access and a resource access request",
 			args: args{

diff --git a/lib/services/role.go b/lib/services/role.go
@@ -2815,11 +2815,12 @@ func (set RoleSet) GetKubeResources(cluster types.KubeCluster, userTraits wrappe
 	}
 
 	for _, role := range set {
-		matchLabels, _, err := checkRoleLabelsMatch(types.Deny, role, userTraits, cluster, false)
-		if err != nil || !matchLabels {
-			continue
-		}
-
+		// deny rules are not checked for labels because they are greedy. It means that
+		// if there is a deny rule for a cluster, it will deny access to all resources
+		// in that cluster, regardless of kubernetes_resources (i.e. making them irrelevant).
+		// If the goal is to deny access to a specific resource, it should be done by collecting
+		// all kube resources in deny rules and ignoring if the role matches or not
+		// the cluster (i.e. no labels check).
 		denied = append(denied, role.GetKubeResources(types.Deny)...)
 	}
 

diff --git a/lib/services/role_test.go b/lib/services/role_test.go
@@ -6662,6 +6662,7 @@ func TestGetKubeResources(t *testing.T) {
 			},
 			clusterLabels: map[string]string{"env": "staging"},
 			expectAllowed: []types.KubernetesResource{podA, podB},
+			expectDenied:  []types.KubernetesResource{podA},
 		},
 	} {
 		t.Run(tc.desc, func(t *testing.T) {