Comments (14)
One design that could work is to have a label that signifies "this resource is exempt from these checks" (use match.labelSelector
to exclude resources from a constraint via label).
Then you can add a constraint that only allows privileged users to set this label.
This will have a side benefit of allowing you to easily identify which objects have been exempted by admins.
from gatekeeper-library.
@smartaquarius10 It's important to note that PSP is moving from v1 to v2 design; role-based exemption has been removed based on the lessons learned and feedback from v1. User info in the request is also transient, not something you can use for audit. Is there other information you can use for exemption, like labels as Max suggested?
from gatekeeper-library.
@ritazh, Yes, that can help, but it's strange that these role-based things have been removed.
@maxsmythe, I haven't tried this exemption thing but I will check this on the weekend. Reading through this URL but unable to understand much.
But the main question is how to add constraints. I'm aware of pod topology constraints but nothing else related. Am I missing something here? Are there any other types of constraints available in Kubernetes, or is it something specific to Azure Kubernetes?
Could you please share some URL or doc that helps in understanding the constraints and adding them for users? Do they work as per RBAC policies, because that is the only option deciding privileged and non-privileged users?
from gatekeeper-library.
Currently there is no constraint that does anything like this, you would need to write your own by creating a constraint template (which create constraints).
There are templates in the Gatekeeper library that you can look at for examples.
I don't think the project has great docs for writing templates currently, but this document should cover most of the basics:
https://cloud.google.com/anthos-config-management/docs/how-to/write-a-constraint-template
You would need to take advantage of input.review.userInfo in order to make decisions based off the requesting user.
from gatekeeper-library.
@maxsmythe , @ritazh , Hey,
Trust you're doing well.
I have tried applying this Azure policy for disabling privileged containers. But I am unable to understand the procedure to set a key value in the label selector with the NotIn operator.
Could you please help me with the syntax to exempt labels in the policy.json? Searched a lot on Google but no luck.
Getting these errors:
from gatekeeper-library.
@ritazh @sozercan this seems to be specific to Azure?
from gatekeeper-library.
Apologies for the delay @smartaquarius10! For specific questions regarding Azure Policy, can you please open an issue on the azure-policy repo? Please tag me so I can help follow up.
Let's continue to use this issue to discuss role-based exemption support for Gatekeeper policies.
from gatekeeper-library.
@ritazh, Sure Rita, and thank you so much for helping by commenting on the other question. Applying the Azure policy the way you've suggested. After that I will go through the constraint template. Will come back if stuck somewhere with templates.
@maxsmythe, @ritazh, Just wanted to share one thing: I might be delayed coming back with the confirmation because I've been diagnosed COVID positive. I would be grateful if you do not close the issue.
from gatekeeper-library.
@smartaquarius10 I'm sorry about your diagnosis :/ I hope everything works out.
We'll certainly leave the issue open for a while. If, however, it does wind up getting closed, definitely feel free to re-open if there is more follow-up to be done.
from gatekeeper-library.
@maxsmythe, thanks Max. I'll confirm asap. Theoretically, I'm aware of the things. I have to set up the AD groups. Then I need to permit the GUID value of the admin group using this tag in the constraint template:
input.review.userInfo.groups
Something like this is already available here.
Will try on weekend.
Regards
Tanul
from gatekeeper-library.
One design that could work is to have a label that signifies "this resource is exempt from these checks" (use match.labelSelector to exclude resources from a constraint via label).
@maxsmythe I am a little confused here. I think this would allow someone to add the label and they would be able to circumvent the policy. Is the idea that you would enforce this with an external process?
from gatekeeper-library.
The label would be locked down by a second constraint. The next paragraph in the quoted post:
Then you can add a constraint that only allows privileged users to set this label.
from gatekeeper-library.
The label would be locked down by a second constraint. The next paragraph in the quoted post:
Then you can add a constraint that only allows privileged users to set this label.
Ah, I didn't realize the userInfo was passed in. Thank you @maxsmythe!
from gatekeeper-library.
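The two-constraint design discussed in this thread (an exemption label selected out of the privileged-container check via match.labelSelector, and a second constraint that uses input.review.userInfo to restrict who may set that label), written out as an added example. This is not code from the thread or from the gatekeeper-library project; the label key policy.example.com/exempt-privileged, the group name platform-admins, the K8sRestrictExemptionLabel template name and the allowedUsers parameter are assumptions chosen for illustration. K8sPSPPrivilegedContainer is the kind provided by the library's k8spspprivilegedcontainer template.

```yaml
# 1) The existing library constraint, narrowed so that Pods carrying the
#    exemption label are not matched at all. A NotIn selector matches objects
#    that lack the key as well as objects whose value is not in the list, so
#    unlabelled Pods stay covered.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPPrivilegedContainer
metadata:
  name: psp-privileged-container
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    labelSelector:
      matchExpressions:
        - key: policy.example.com/exempt-privileged   # assumed label key
          operator: NotIn
          values: ["true"]
---
# 2) Added template (assumed name): deny any request that carries the exemption
#    label unless the requester is in an allowed group or is an allowed user.
#    The label is checked both on the object itself and on a workload's pod
#    template, so a Deployment cannot smuggle the label onto its Pods.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srestrictexemptionlabel
spec:
  crd:
    spec:
      names:
        kind: K8sRestrictExemptionLabel
      validation:
        openAPIV3Schema:
          type: object
          properties:
            label:
              type: string
            allowedGroups:
              type: array
              items: {type: string}
            allowedUsers:
              type: array
              items: {type: string}
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srestrictexemptionlabel

        # Places in the reviewed object where the exemption label appears.
        label_locations[where] {
          input.review.object.metadata.labels[input.parameters.label]
          where := "metadata.labels"
        }
        label_locations[where] {
          input.review.object.spec.template.metadata.labels[input.parameters.label]
          where := "spec.template.metadata.labels"
        }

        violation[{"msg": msg}] {
          where := label_locations[_]
          not requester_allowed
          msg := sprintf("label %q at %v may only be set by groups %v or users %v; request came from %q (groups %v)", [
            input.parameters.label, where,
            input.parameters.allowedGroups, input.parameters.allowedUsers,
            input.review.userInfo.username, input.review.userInfo.groups,
          ])
        }

        # Membership in any allowed group, or an exact allowed username.
        requester_allowed {
          input.review.userInfo.groups[_] == input.parameters.allowedGroups[_]
        }
        requester_allowed {
          input.review.userInfo.username == input.parameters.allowedUsers[_]
        }
---
# 3) Constraint instance guarding the label on Pods and on the workload kinds
#    users actually submit.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRestrictExemptionLabel
metadata:
  name: restrict-privileged-exemption-label
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
      - apiGroups: ["apps"]
        kinds: ["Deployment", "StatefulSet", "DaemonSet"]
  parameters:
    label: policy.example.com/exempt-privileged
    allowedGroups: ["platform-admins"]   # assumed group name
    allowedUsers: []
```

Two caveats a practitioner will hit. First, Pods created by a controller arrive at admission with the controller's service account as input.review.userInfo, not the human who submitted the Deployment; that is why the guard also matches the workload kinds, and if you still see denials for controller-created Pods the controller identity has to be added to allowedUsers rather than loosening the group list. Second, as noted earlier in the thread, userInfo only exists in the admission request: Gatekeeper audit runs without it, so the label guard is an admission-time control only, while audit can still enumerate every object that carries the label, which is the "easily identify what has been exempted" benefit. In this strict form any update by a non-admin to an object that already carries the label is also denied; comparing against input.review.oldObject would relax that, at the cost of letting non-admins modify exempt workloads.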
This issue/PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
from gatekeeper-library.