-
Notifications
You must be signed in to change notification settings - Fork 320
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
How to manipulate GK policies on the basis of cluster roles? #78
Comments
One design that could work is to have a label that signifies "this resource is exempt from these checks" (use Then you can add a constraint that only allows privileged users to set this label. This will have a side benefit of allowing you to easily identify which objects have been exempted by admins. |
@smartaquarius10 It’s important to note that PSP is moving from v1 to v2 design, role-based exemption has been removed based on the lessons learned and feedbacks from v1. User info in the request is also transient, not something you can use for audit. Are there other information you can use for exemption, like labels as Max suggested. |
@ritazh, Yes that can help but strange that this role-based things have removed. @maxsmythe , I haven't tried this exemption thing but I will check this on weekend. Reading though this url but unable to understand much. But, the main question is how to add constraints. I'm aware of pod topology constrains but nothing else related. Am I missing something here. Are there any other type of constraints available in kubernetes or is it something specific to Azure kubernetes. Could you please share some url or doc help in understanding about the constraints and adding them for users. Do they work as per RBAC policies because that is the only option deciding privilege and non privilege users |
Currently there is no constraint that does anything like this, you would need to write your own by creating a constraint template (which create constraints). There are templates in the Gatekeeper library that you can look at for examples. I don't think the project has great docs for writing templates currently, but this document should cover most of the basics: https://cloud.google.com/anthos-config-management/docs/how-to/write-a-constraint-template you would need to take advantage of |
@maxsmythe , @ritazh , Hey, I have tried applying this azure policy for disabling privilege containers. But, unable to understand the procedure to set a key value in label selector with Not In operator. Could you please help me with syntax to exempt labels in the policy.json. Searched a lot on google but no luck. Getting this errors: |
Apologies for the delay @smartaquarius10! For specific questions regarding Azure policy, can you pls open an issue on the azure-policy repo? Please tag me so I can help follow up. Let's continue to use this issue to discuss role-based exemption support for Gatekeeper policies. |
@ritazh, Sure rita and thank you so much for helping by commenting on the other question. Applying azure policy the way you've suggested. After that will go through the constraint template. Will come back if stuck somewhere with templates. @maxsmythe , @ritazh , Just wanted to share one thing that I might get delayed coming back on the confirmation because I'm diagnosed as covid +. I would be grateful if you do not close the issue. |
@smartaquarius10 I'm sorry about your diagnosis :/ I hope everything works out. We'll certainly leave the issue open for a while. If, however, it does wind up getting closed, definitely feel free to re-open if there is more follow-up to be done. |
@maxsmythe , thanks max. I'll confirm asap. Theoretically, I'm aware of the things. I have to setup the AD groups. Then need to permit the guid value of admin group using this tag in constraint template Something like this already available here Will try on weekend. Regards |
@maxsmythe I am a little confused here. I think this would allow someone to add the label and they would be able to circumvent the policy. Is the idea that you would enforce this with an external process? |
The label would be locked down by a second constraint. The next paragraph in the quoted post:
|
Ah, I didnt realize the userInfo was passed in. Thank you @maxsmythe! |
This issue/PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions. |
Team,
In kubernetes, we can take the benefit of cluster role and role bindings to bifurcate the pod security policies as per the privileges of admin and non-admin users.
But, in Azure kubernetes, if we apply any azure policy for eg. not allowing privilege pods then it will restrict all the users including admins as well.
How to control this restriction in Azure policies because PSP in AKS are deprecated and it is mandatory to use Azure policies now onwards.
Earlier I've asked this query in this repositorybut I have been redirected here.
Can anyone help please.
Thank you
The text was updated successfully, but these errors were encountered: