Added policy to restrict clusterrole permissions for mutating and validating admission webhooks #1021
Conversation
…idating webhoooks.
value: | ||
- mutatingwebhookconfigurations | ||
- validatingwebhookconfigurations | ||
- key: "{{ element.verbs }}" | ||
operator: AnyIn | ||
value: | ||
- create | ||
- update | ||
- patch |
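Review bot: the `AnyIn` lists for `resources` and `verbs` match only the literal names, so a ClusterRole rule written as `resources: ["*"]` or `verbs: ["*"]` (which grants the same write access over both webhook configuration kinds) is not caught by this check. Add `- "*"` to both value lists, i.e. after `- validatingwebhookconfigurations` and after `- patch`, so the wildcard form is denied as well.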
You also must account for wildcards here.
`resources` still does not account for wildcards.
Updated the policy to account for wildcards. Please review.
Signed-off-by: nsagark <90008930+nsagark@users.noreply.github.com>
DCO is required here.
Please sign off on your PR.
Signed-off-by: nsagark <90008930+nsagark@users.noreply.github.com>
Sign off is not complete.
Converting to draft until all basic requirements are met.
@nsagark, do you intend to complete this PR or shall we close it?
@chipzoller I will work on these PRs next week.
Related Issue(s)
Description
This is the Kyverno equivalent policy for the following:
https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacControlWebhooks.py
ClusterRoles that grant write permissions over admission webhooks should be minimized to reduce the number of powerful identities in the cluster. Validating admission webhooks can read every object admitted to the cluster, while mutating admission webhooks can read and mutate every object admitted to the cluster. As such, ClusterRoles that grant control over admission webhooks are granting near cluster-admin privileges. Minimize such ClusterRoles to limit the number of powerful credentials that, if compromised, could take over the entire cluster.
Checklist
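The check this PR ports, written out as an added Python audit over parsed ClusterRole manifests (example code, not the PR's policy or Checkov's implementation); it handles the `*` wildcard gap raised in the review and additionally requires the `admissionregistration.k8s.io` API group, which is where the webhook configuration kinds live. The sample manifests are constructed for illustration.

```python
# Added example: checkov-style audit of ClusterRole rules that grant write
# access to admission webhook configurations, with '*' wildcard handling.
WEBHOOK_API_GROUPS = {"admissionregistration.k8s.io"}
WEBHOOK_RESOURCES = {"mutatingwebhookconfigurations", "validatingwebhookconfigurations"}
WRITE_VERBS = {"create", "update", "patch"}


def _covers(granted, wanted):
    """True if the rule entry names one of `wanted` or uses the '*' wildcard.
    Without the wildcard branch, 'resources: ["*"]' or 'verbs: ["*"]' would
    slip past the check, which is the gap raised in the review."""
    granted = set(granted or [])
    return "*" in granted or bool(granted & wanted)


def rule_controls_webhooks(rule):
    """One RBAC PolicyRule grants webhook control if it covers the
    admissionregistration API group, a webhook configuration resource,
    and a write verb (each named explicitly or via '*')."""
    return (
        _covers(rule.get("apiGroups"), WEBHOOK_API_GROUPS)
        and _covers(rule.get("resources"), WEBHOOK_RESOURCES)
        and _covers(rule.get("verbs"), WRITE_VERBS)
    )


def offending_rules(manifest):
    """Indices of the rules in a ClusterRole that grant write access to
    admission webhook configurations; non-ClusterRole manifests yield []."""
    if manifest.get("kind") != "ClusterRole":
        return []
    return [i for i, rule in enumerate(manifest.get("rules", []))
            if rule_controls_webhooks(rule)]


# Constructed sample manifests, already parsed as a YAML loader would return them.
SAMPLE = {
    "explicit-writer": {"kind": "ClusterRole", "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
        {"apiGroups": ["admissionregistration.k8s.io"],
         "resources": ["validatingwebhookconfigurations"], "verbs": ["update"]}]},
    "wildcard-admin": {"kind": "ClusterRole", "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    "webhook-reader": {"kind": "ClusterRole", "rules": [
        {"apiGroups": ["admissionregistration.k8s.io"],
         "resources": ["mutatingwebhookconfigurations"], "verbs": ["get", "list", "watch"]}]},
    "namespaced-role": {"kind": "Role", "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
}

if __name__ == "__main__":
    for name, manifest in SAMPLE.items():
        print(f"{name}: offending rule indices {offending_rules(manifest)}")
```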