
How to manipulate GK policies on the basis of cluster roles? #78

Closed
smartaquarius10 opened this issue Apr 24, 2021 · 14 comments

@smartaquarius10

Team,

In kubernetes, we can take the benefit of cluster role and role bindings to bifurcate the pod security policies as per the privileges of admin and non-admin users.

But, in Azure Kubernetes, if we apply any Azure policy, e.g. not allowing privileged pods, then it will restrict all the users, including admins as well.

How to control this restriction in Azure policies, because PSPs in AKS are deprecated and it is mandatory to use Azure policies from now on?

Earlier I've asked this query in this repository but I have been redirected here.

Can anyone help, please?

Thank you

@maxsmythe
Contributor

One design that could work is to have a label that signifies "this resource is exempt from these checks" (use match.labelSelector to exclude resources from a constraint via label).

Then you can add a constraint that only allows privileged users to set this label.

This will have a side benefit of allowing you to easily identify which objects have been exempted by admins.

@ritazh
Member

ritazh commented Apr 28, 2021

@smartaquarius10 It's important to note that PSP is moving from the v1 to the v2 design; role-based exemption has been removed based on the lessons learned and feedback from v1. User info in the request is also transient, not something you can use for audit. Is there other information you can use for exemption, like labels as Max suggested?

@ritazh ritazh changed the title How to manipulate azure policies on the basis of cluster roles in AKS? How to manipulate GK policies on the basis of cluster roles? Apr 28, 2021
@smartaquarius10
Author

@ritazh, Yes, that can help, but strange that these role-based things have been removed.

@maxsmythe, I haven't tried this exemption thing but I will check this on the weekend. Reading through this URL but unable to understand much.

But the main question is how to add constraints. I'm aware of pod topology constraints but nothing else related. Am I missing something here? Are there any other types of constraints available in Kubernetes, or is it something specific to Azure Kubernetes?

Could you please share some URL or doc to help in understanding the constraints and adding them for users? Do they work as per RBAC policies, because that is the only option for deciding privileged and non-privileged users?

@maxsmythe
Contributor

Currently there is no constraint that does anything like this; you would need to write your own by creating a constraint template (which creates constraints).

There are templates in the Gatekeeper library that you can look at for examples.

I don't think the project has great docs for writing templates currently, but this document should cover most of the basics:

https://cloud.google.com/anthos-config-management/docs/how-to/write-a-constraint-template

You would need to take advantage of input.review.userInfo in order to make decisions based off the requesting user.

@smartaquarius10
Author

@maxsmythe , @ritazh , Hey,
Trust you're doing well.

I have tried applying this Azure policy for disabling privileged containers. But, unable to understand the procedure to set a key value in the label selector with the NotIn operator.

Could you please help me with the syntax to exempt labels in the policy.json? Searched a lot on Google but no luck.

Getting these errors:

@maxsmythe
Contributor

@ritazh @sozercan this seems to be specific to Azure?

@ritazh
Member

ritazh commented May 18, 2021

Apologies for the delay @smartaquarius10! For specific questions regarding Azure policy, can you please open an issue on the azure-policy repo? Please tag me so I can help follow up.

Let's continue to use this issue to discuss role-based exemption support for Gatekeeper policies.

@smartaquarius10
Author

@ritazh, Sure Rita, and thank you so much for helping by commenting on the other question. Applying the Azure policy the way you've suggested. After that I will go through the constraint template. Will come back if stuck somewhere with templates.

@maxsmythe, @ritazh, Just wanted to share one thing: I might get delayed coming back with the confirmation because I've been diagnosed as COVID positive. I would be grateful if you do not close the issue.

@maxsmythe
Contributor

@smartaquarius10 I'm sorry about your diagnosis :/ I hope everything works out.

We'll certainly leave the issue open for a while. If, however, it does wind up getting closed, definitely feel free to re-open if there is more follow-up to be done.

@smartaquarius10
Author

@maxsmythe, thanks Max. I'll confirm ASAP. Theoretically, I'm aware of the things. I have to set up the AD groups. Then I need to permit the GUID value of the admin group using this field in the constraint template:
`input.review.userInfo.groups`

Something like this is already available here.

Will try on the weekend.

Regards
Tanul
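
The two-constraint design Max described above (an exemption label excluded via match.labelSelector, plus a template that uses input.review.userInfo.groups to let only an admin group set that label), written out as an added example; this is not code from the thread or from the Gatekeeper library, and the template name, the label key example.com/psp-exempt and the AAD group object ID placeholder are assumptions. K8sPSPPrivilegedContainer is the library's existing privileged-container template.

```yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srestrictexemptionlabel
spec:
  crd:
    spec:
      names:
        kind: K8sRestrictExemptionLabel
      validation:
        openAPIV3Schema:
          properties:
            label: {type: string}
            allowedGroups: {type: array, items: {type: string}}
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srestrictexemptionlabel
        # Deny when the object carries the exemption label and the requester is in none of the allowed groups.
        violation[{"msg": msg}] {
          label := input.parameters.label
          input.review.object.metadata.labels[label]
          not user_allowed
          msg := sprintf("only members of %v may set label %v", [input.parameters.allowedGroups, label])
        }
        user_allowed {
          input.review.userInfo.groups[_] == input.parameters.allowedGroups[_]
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictExemptionLabel
metadata:
  name: lock-psp-exempt-label
spec:
  match:
    kinds: [{apiGroups: [""], kinds: ["Pod"]}]
  parameters:
    label: example.com/psp-exempt
    allowedGroups: ["<ADMIN-GROUP-OBJECT-ID-PLACEHOLDER>"]  # assumed AAD group object ID
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
  name: psp-privileged-container
spec:
  match:
    kinds: [{apiGroups: [""], kinds: ["Pod"]}]
    labelSelector:
      matchExpressions:
        - {key: example.com/psp-exempt, operator: NotIn, values: ["true"]}
```

Pods without the label still match the NotIn selector, so only pods an admin has labelled are skipped by the privileged-container check. Because userInfo exists only in the admission request (as Rita notes above), the label-locking constraint is meaningful for webhook enforcement, not for audit.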

@spennymac

One design that could work is to have a label that signifies "this resource is exempt from these checks" (use match.labelSelector to exclude resources from a constraint via label).

@maxsmythe I am a little confused here. I think this would allow someone to add the label and they would be able to circumvent the policy. Is the idea that you would enforce this with an external process?

@maxsmythe
Contributor

The label would be locked down by a second constraint. The next paragraph in the quoted post:

Then you can add a constraint that only allows privileged users to set this label.

@spennymac

The label would be locked down by a second constraint. The next paragraph in the quoted post:

Then you can add a constraint that only allows privileged users to set this label.

Ah, I didn't realize the userInfo was passed in. Thank you @maxsmythe!

@stale

stale bot commented Feb 1, 2023

This issue/PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
