How to manipulate GK policies on the basis of cluster roles? about gatekeeper-library HOT 14 CLOSED

One design that could work is to have a label that signifies "this resource is exempt from these checks" (use match.labelSelector to exclude resources from a constraint via label).

Then you can add a constraint that only allows privileged users to set this label.

This will have a side benefit of allowing you to easily identify which objects have been exempted by admins.

from gatekeeper-library.

@smartaquarius10 It’s important to note that PSP is moving from v1 to v2 design, role-based exemption has been removed based on the lessons learned and feedbacks from v1. User info in the request is also transient, not something you can use for audit. Are there other information you can use for exemption, like labels as Max suggested.

from gatekeeper-library.

@ritazh, Yes that can help but strange that this role-based things have removed.

@maxsmythe , I haven't tried this exemption thing but I will check this on weekend. Reading though this url but unable to understand much.

But, the main question is how to add constraints. I'm aware of pod topology constrains but nothing else related. Am I missing something here. Are there any other type of constraints available in kubernetes or is it something specific to Azure kubernetes.

Could you please share some url or doc help in understanding about the constraints and adding them for users. Do they work as per RBAC policies because that is the only option deciding privilege and non privilege users

from gatekeeper-library.

Currently there is no constraint that does anything like this, you would need to write your own by creating a constraint template (which create constraints).

There are templates in the Gatekeeper library that you can look at for examples.

I don't think the project has great docs for writing templates currently, but this document should cover most of the basics:

https://cloud.google.com/anthos-config-management/docs/how-to/write-a-constraint-template

you would need to take advantage of input.review.userInfo in order to make decisions based off the requesting user.

from gatekeeper-library.

@maxsmythe , @ritazh , Hey,
Trust you're doing well.

I have tried applying this azure policy for disabling privilege containers. But, unable to understand the procedure to set a key value in label selector with Not In operator.

Could you please help me with syntax to exempt labels in the policy.json. Searched a lot on google but no luck.

Getting this errors:

from gatekeeper-library.

@ritazh @sozercan this seems to be specific to Azure?

from gatekeeper-library.

Apologies for the delay @smartaquarius10! For specific questions regarding Azure policy, can you pls open an issue on the azure-policy repo? Please tag me so I can help follow up.

Let's continue to use this issue to discuss role-based exemption support for Gatekeeper policies.

from gatekeeper-library.

@ritazh, Sure rita and thank you so much for helping by commenting on the other question. Applying azure policy the way you've suggested. After that will go through the constraint template. Will come back if stuck somewhere with templates.

@maxsmythe , @ritazh , Just wanted to share one thing that I might get delayed coming back on the confirmation because I'm diagnosed as covid +. I would be grateful if you do not close the issue.

from gatekeeper-library.

@smartaquarius10 I'm sorry about your diagnosis :/ I hope everything works out.

We'll certainly leave the issue open for a while. If, however, it does wind up getting closed, definitely feel free to re-open if there is more follow-up to be done.

from gatekeeper-library.

@maxsmythe , thanks max. I'll confirm asap. Theoretically, I'm aware of the things. I have to setup the AD groups. Then need to permit the guid value of admin group using this tag in constraint template
input.review.userInfo.groups

Something like this already available here

Will try on weekend.

Regards
Tanul

from gatekeeper-library.

One design that could work is to have a label that signifies "this resource is exempt from these checks" (use match.labelSelector to exclude resources from a constraint via label).

@maxsmythe I am a little confused here. I think this would allow someone to add the label and they would be able to circumvent the policy. Is the idea that you would enforce this with an external process?

from gatekeeper-library.

The label would be locked down by a second constraint. The next paragraph in the quoted post:

Then you can add a constraint that only allows privileged users to set this label.

from gatekeeper-library.

The label would be locked down by a second constraint. The next paragraph in the quoted post:

Then you can add a constraint that only allows privileged users to set this label.

Ah, I didnt realize the userInfo was passed in. Thank you @maxsmythe!

from gatekeeper-library.

This issue/PR has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.

from gatekeeper-library.