apiVersion: cedar.k8s.aws/v1alpha1
kind: Policy
metadata:
  name: combined-policy
spec:
  # One Policy object carrying two Cedar policies: an authorization permit
  # (k8s::Action namespace) and an admission forbid (k8s::admission::Action namespace).
  # The permit leaves `action` unconstrained, so for test-user it covers every
  # authorization verb on configmaps in the "default" namespace; the forbid only
  # narrows admission create/update, so a delete of a "prod*" configmap is not
  # blocked by anything in this object.
  # NOTE(review): Cedar skips a policy whose condition errors during evaluation,
  # so if `resource.metadata.name` can be absent on the entity the forbid would
  # silently not apply. The label-enforcement-policy in this file guards
  # `metadata` with `has` first; consider the same here — TODO confirm against
  # the core::v1::ConfigMap schema whether the attribute is optional.
  content: |
    // Authorization policy
    // test-user can do Action::"*" on configmaps in the default namespace
    permit (
      principal is k8s::User,
      action,
      resource is k8s::Resource
    ) when {
      principal.name == "test-user" &&
      resource has namespace &&
      resource.namespace == "default" &&
      resource.apiGroup == "" &&
      resource.resource == "configmaps"
    };
    // Admission policy preventing test-user from creating/updating configmaps with name starting with "prod"
    forbid (
      principal is k8s::User,
      action in [k8s::admission::Action::"create", k8s::admission::Action::"update"],
      resource is core::v1::ConfigMap
    ) when {
      principal.name == "test-user" &&
      resource.metadata.name like "prod*"
    };
---
apiVersion: cedar.k8s.aws/v1alpha1
kind: Policy
metadata:
  name: self-node-policy
spec:
  # Both permits are scoped to the "default" ServiceAccount in the "default"
  # namespace and to core-group "nodes". The check on `principal.extra` is a
  # `contains` of a record literal, i.e. record equality: the entry's "values"
  # must be exactly the single-element set [resource.name], so a token whose
  # node-name claim carried several values would not match and neither permit
  # would fire.
  # First permit: get/update/patch on the "status" subresource of the named node.
  # Second permit: get on the node object itself (no subresource condition).
  content: |
    // On Kubernetes versions 1.29+ with the `ServiceAccountTokenPodNodeInfo` flag enabled,
    // Kubernetes injects a node name into the Service Account token, which gets propagated
    // into the user's info extra info map. We transform the map into a set of key/value
    // records with key of string and value as a set of strings.
    //
    // This allows a service account to modify the status of a node only for the node included in the SA token's
    // node claim, which practically translates to "only modify the status of the node a pod is running on"
    permit (
      principal is k8s::ServiceAccount,
      action in [k8s::Action::"get", k8s::Action::"update", k8s::Action::"patch"],
      resource is k8s::Resource
    ) when {
      principal.name == "default" &&
      principal.namespace == "default" &&
      resource.apiGroup == "" &&
      resource.resource == "nodes" &&
      resource has subresource &&
      resource.subresource == "status" &&
      resource has name &&
      principal.extra.contains({
        "key": "authentication.kubernetes.io/node-name",
        "values": [resource.name]})
    };
    // allow get on the node a SA's pod is running on
    permit (
      principal is k8s::ServiceAccount,
      action == k8s::Action::"get",
      resource is k8s::Resource
    ) when {
      principal.name == "default" &&
      principal.namespace == "default" &&
      resource.apiGroup == "" &&
      resource.resource == "nodes" &&
      resource has name &&
      principal.extra.contains({
        "key": "authentication.kubernetes.io/node-name",
        "values": [resource.name]})
    };
---
apiVersion: cedar.k8s.aws/v1alpha1
kind: Policy
metadata:
  name: label-enforcement-policy
spec:
  # Four policies: one authorization permit for sample-user on configmaps in
  # "default", and three forbids scoped to members of k8s::Group::"requires-labels".
  # NOTE(review): the permit's action list has no k8s::Action::"get" although its
  # comment says "anything" — TODO confirm whether get was left out on purpose.
  # The list/watch forbid is lifted only when the request carries a labelSelector
  # containing a record with key "owner", operator "=", "==" or "in", and values
  # exactly [principal.name] (record equality); a selector with several values
  # or another operator keeps the forbid in place.
  # The admission create/update/delete forbid leaves `resource` unconstrained, so
  # it applies to every admission resource type, not just configmaps, and requires
  # an "owner" label naming the principal on the submitted object.
  # The update forbid additionally checks the stored object (`oldObject`), so an
  # update to a resource whose existing labels do not already name the principal
  # as owner is rejected. Whether the delete case sees the stored object's labels
  # via `resource.metadata` depends on how the admission entity is populated for
  # deletes — TODO confirm with the admission entity mapping.
  content: |
    // authz policy allowing sample-user to do anything on configmaps in default namespace
    permit (
      principal is k8s::User,
      action in [
        k8s::Action::"create",
        k8s::Action::"list",
        k8s::Action::"watch",
        k8s::Action::"update",
        k8s::Action::"patch",
        k8s::Action::"delete"],
      resource is k8s::Resource
    ) when {
      principal.name == "sample-user" &&
      resource has namespace &&
      resource.namespace == "default" &&
      resource.apiGroup == "" &&
      resource.resource == "configmaps"
    };
    // authz policy forbidding users in group "requires-labels" to make list/watches without label selector owner={principal.name}
    forbid (
      principal is k8s::User in k8s::Group::"requires-labels",
      action in [k8s::Action::"list", k8s::Action::"watch"],
      resource is k8s::Resource
    ) unless {
      resource has labelSelector &&
      resource.labelSelector.containsAny([
        {"key": "owner","operator": "=", "values": [principal.name]},
        {"key": "owner","operator": "==", "values": [principal.name]},
        {"key": "owner","operator": "in", "values": [principal.name]}])
    };
    // admission policy to forbid resource creation without an owner key
    forbid (
      principal is k8s::User in k8s::Group::"requires-labels",
      action in [k8s::admission::Action::"create", k8s::admission::Action::"update", k8s::admission::Action::"delete"],
      resource
    ) unless {
      resource has metadata &&
      resource.metadata has labels &&
      resource.metadata.labels.contains({"key": "owner", "value": principal.name})
    };
    // admission policy forbidding users in "requires-labels" group from updating a
    // resource that they don't own
    forbid (
      principal is k8s::User in k8s::Group::"requires-labels",
      action == k8s::admission::Action::"update",
      resource
    ) unless {
      resource has oldObject &&
      resource.oldObject has metadata &&
      resource.oldObject.metadata has labels &&
      resource.oldObject.metadata.labels.contains({"key": "owner", "value": principal.name})
    };