
Added policy to restrict clusterrole permissions for mutating and validating admission webhooks #1021

Draft
wants to merge 4 commits into base: main

Conversation

nsagark commented May 19, 2024

…idating webhooks.

Related Issue(s)

Description

This is the Kyverno equivalent of the policy below.
https://github.com/bridgecrewio/checkov/blob/main/checkov/kubernetes/checks/resource/k8s/RbacControlWebhooks.py

ClusterRoles that grant write permissions over admission webhooks should be minimized to reduce the number of powerful identities in the cluster. Validating admission webhooks can read every object admitted to the cluster, while mutating admission webhooks can read and mutate every object admitted to the cluster. As such, ClusterRoles that grant control over admission webhooks are granting near cluster-admin privileges. Minimize such ClusterRoles to limit the number of powerful credentials that, if compromised, could take over the entire cluster.

Checklist

  • I have read the policy contribution guidelines.
  • I have added test manifests and resources covering both positive and negative tests that prove this policy works as intended.
  • I have added the artifacthub-pkg.yml file and have verified it is complete and correct.
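The check the description paraphrases, reimplemented in plain Python as an added example for this thread (it is neither the proposed Kyverno policy nor Checkov's code): it walks RBAC rules for create/update/patch on mutating and validating webhook configurations and treats `*` in apiGroups, resources or verbs as matching everything, which is the wildcard case raised in review. The apiGroups requirement, the `audit`/`offending_rules` helpers and the sample manifests are this example's own assumptions.

```python
"""Flag ClusterRoles that can create, update or patch admission webhook configs.

Added example for this PR thread; it is not the proposed Kyverno policy nor
Checkov's RbacControlWebhooks check. It reimplements the same idea in plain
Python, including wildcard handling, over constructed sample manifests.
"""
from typing import Any, Dict, List

# Webhook configurations are cluster-scoped and live in this API group.
WEBHOOK_API_GROUP = "admissionregistration.k8s.io"
WEBHOOK_RESOURCES = {"mutatingwebhookconfigurations", "validatingwebhookconfigurations"}
WRITE_VERBS = {"create", "update", "patch"}
WILDCARD = "*"


def _grants_any(granted: List[str], wanted: set) -> bool:
    """True if the rule's list contains a wildcard or any wanted item.

    RBAC treats "*" in apiGroups, resources or verbs as matching everything,
    so a rule with ["*"] must be caught even though it names no webhook type.
    """
    return any(item == WILDCARD or item in wanted for item in granted)


def rule_controls_webhooks(rule: Dict[str, Any]) -> bool:
    """A single RBAC rule grants write access to webhook configurations."""
    # Assumption of this example (stricter than the PR snippet, which matches
    # resources and verbs only): the core group "" has no webhook resources, so
    # only the admissionregistration group or "*" can actually grant access.
    return (
        _grants_any(rule.get("apiGroups", []), {WEBHOOK_API_GROUP})
        and _grants_any(rule.get("resources", []), WEBHOOK_RESOURCES)
        and _grants_any(rule.get("verbs", []), WRITE_VERBS)
    )


def offending_rules(obj: Dict[str, Any]) -> List[int]:
    """Indices of rules in a ClusterRole that control webhooks.

    Namespaced Roles cannot grant access to cluster-scoped resources, so they
    are skipped even when they name the webhook resources.
    """
    if obj.get("kind") != "ClusterRole":
        return []
    return [i for i, rule in enumerate(obj.get("rules", [])) if rule_controls_webhooks(rule)]


def audit(objects: List[Dict[str, Any]]) -> Dict[str, List[int]]:
    """Map each offending ClusterRole name to the indices of its bad rules."""
    report: Dict[str, List[int]] = {}
    for obj in objects:
        bad = offending_rules(obj)
        if bad:
            report[obj["metadata"]["name"]] = bad
    return report


def _cr(name: str, kind: str = "ClusterRole", **rule: Any) -> Dict[str, Any]:
    """Build a one-rule (Cluster)Role manifest as a dict (constructed sample)."""
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": kind,
            "metadata": {"name": name}, "rules": [rule]}


# Constructed sample manifests, not taken from any real cluster.
SAMPLES = [
    _cr("webhook-patcher", apiGroups=[WEBHOOK_API_GROUP],
        resources=["validatingwebhookconfigurations"], verbs=["get", "patch"]),
    _cr("star-resources", apiGroups=[WEBHOOK_API_GROUP],
        resources=["*"], verbs=["create"]),
    _cr("star-verbs", apiGroups=[WEBHOOK_API_GROUP],
        resources=["mutatingwebhookconfigurations"], verbs=["*"]),
    _cr("superuser", apiGroups=["*"], resources=["*"], verbs=["*"]),
    _cr("webhook-reader", apiGroups=[WEBHOOK_API_GROUP],
        resources=["mutatingwebhookconfigurations", "validatingwebhookconfigurations"],
        verbs=["get", "list", "watch"]),
    _cr("pod-admin", apiGroups=[""], resources=["pods"], verbs=["*"]),
    _cr("namespaced-role", kind="Role", apiGroups=[WEBHOOK_API_GROUP],
        resources=["mutatingwebhookconfigurations"], verbs=["update"]),
]

if __name__ == "__main__":
    for name, idx in audit(SAMPLES).items():
        print(f"{name}: rules {idx} grant write access to admission webhooks")
```

Run against the constructed samples, `audit` flags `webhook-patcher`, `star-resources`, `star-verbs` and `superuser`; the read-only role, the core-group role and the namespaced Role pass. The Kyverno policy itself expresses the same match in YAML, where each wildcard has to be listed explicitly in the `value` lists.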

Comment on lines +35 to +43
value:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
- key: "{{ element.verbs }}"
operator: AnyIn
value:
- create
- update
- patch
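Review bot: neither `value` list in lines +35 to +43 contains `*`, so a rule with `resources: ["*"]` or `verbs: ["*"]` (a cluster-admin-style ClusterRole) passes both `AnyIn` checks unflagged; add `"*"` to the resources list and to the verbs list so wildcard grants are caught as well.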
Member:

You also must account for wildcards here.

Member:

resources still does not account for wildcards.


nsagark commented May 19, 2024

Updated the policy to account for wildcards. Please review.

Signed-off-by: nsagark <90008930+nsagark@users.noreply.github.com>
chipzoller (Member) commented:

DCO is required here.

chipzoller (Member) commented:

Please sign off on your PR.

Signed-off-by: nsagark <90008930+nsagark@users.noreply.github.com>
chipzoller (Member) commented:

Sign off is not complete.

chipzoller (Member) commented:

Converting to draft until all basic requirements are met.

chipzoller marked this pull request as draft May 31, 2024 23:46
chipzoller (Member) commented:

@nsagark, do you intend to complete this PR or shall we close it?


nsagark commented Jun 14, 2024

@chipzoller I will work on these PRs next week.
