Added a policy for deny-default-service-account-bindings #1118
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: fast-n-curious <[email protected]>
chipzoller
suggested changes
Aug 9, 2024
Comment on lines
+24
to
+28
| match: | ||
| resources: | ||
| kinds: | ||
| - RoleBinding | ||
| - ClusterRoleBinding |
There was a problem hiding this comment.
Rules must use any or all under the match and exclude blocks to be conformant to the current schema.
| attacker could potentially gain access to other resources within the cluster.For an enhnaced | ||
| security, using the default service account in RoleBindings is not recommended. | ||
| spec: | ||
| validationFailureAction: enforce |
There was a problem hiding this comment.
Suggested change
| validationFailureAction: enforce | |
| validationFailureAction: Audit |
Comment on lines
+33
to
+34
| - kind: "ServiceAccount" | ||
| name: "!default" |
There was a problem hiding this comment.
I haven't tested this, but my feeling is this may not work in all scenarios because subjects[] is an array of objects. If it isn't the first one in the list, it may bypass the policy. I suggest testing on your own to confirm. If confirmed, this would be better written as a deny rule.
There was a problem hiding this comment.
Hi @chipzoller,
With the change in policy, there's a new issue that the policy is excluding all the resources. Could you please point me to the issue here:
validate:
message: "Using the default service account in RoleBindings is not allowed."
foreach:
- list: "request.object.spec.subject[]"
deny:
conditions:
all:
- key: "{{ element.kind }}"
operator: Equals
value: "ServiceAccount"
- key: "{{ element.name }}"
operator: Equals
value: "default"
Following is the result:
krishna@Krishnas-MacBook-Pro .tests % kyverno test .
Loading test ( kyverno-test.yaml ) ...
Loading values/variables ...
Loading policies ...
Loading resources ...
Loading exceptions ...
Applying 1 policy to 4 resources ...
Checking results ...
│────│───────────────────────────────────────│───────────────────────────────────────│───────────────────────│────────│──────────│
│ ID │ POLICY │ RULE │ RESOURCE │ RESULT │ REASON │
│────│───────────────────────────────────────│───────────────────────────────────────│───────────────────────│────────│──────────│
│ 1 │ deny-default-service-account-bindings │ deny-default-service-account-bindings │ RoleBinding/goodpod01 │ Pass │ Excluded │
│ 2 │ deny-default-service-account-bindings │ deny-default-service-account-bindings │ RoleBinding/goodpod02 │ Pass │ Excluded │
│ 3 │ deny-default-service-account-bindings │ deny-default-service-account-bindings │ RoleBinding/badpod01 │ Pass │ Excluded │
│ 4 │ deny-default-service-account-bindings │ deny-default-service-account-bindings │ RoleBinding/badpod02 │ Pass │ Excluded │
│────│───────────────────────────────────────│───────────────────────────────────────│───────────────────────│────────│──────────│
Test Summary: 4 tests passed and 0 tests failed
There was a problem hiding this comment.
With the following policy, we see the goodpods start, but badpods get skipped.
validate:
message: "Using the default service account in RoleBindings is not allowed."
deny:
conditions:
all:
- key: "{{request.object.subject[].kind}}"
operator: Equals
value: "ServiceAccount"
- key: "{{request.object.subject[].name}}"
operator: Equals
value: "default"
krishna@Krishnas-MacBook-Pro .kyverno-test % kyverno test .
Loading test ( kyverno-test.yaml ) ...
Loading values/variables ...
Loading policies ...
Loading resources ...
Loading exceptions ...
Applying 1 policy to 4 resources ...
Checking results ...
│────│───────────────────────────────│───────────────────────────────│───────────────│────────│─────────────────────│
│ ID │ POLICY │ RULE │ RESOURCE │ RESULT │ REASON │
│────│───────────────────────────────│───────────────────────────────│───────────────│────────│─────────────────────│
│ 1 │ deny-default-service-accounts │ deny-default-service-accounts │ Pod/goodpod01 │ Pass │ Ok │
│ 2 │ deny-default-service-accounts │ deny-default-service-accounts │ Pod/goodpod02 │ Pass │ Ok │
│ 3 │ deny-default-service-accounts │ deny-default-service-accounts │ Pod/badpod01 │ Pass │ Want fail, got skip │
│ 4 │ deny-default-service-accounts │ deny-default-service-accounts │ Pod/badpod02 │ Pass │ Want fail, got skip │
│────│───────────────────────────────│───────────────────────────────│───────────────│────────│─────────────────────│
| - name: step-01 | ||
| try: | ||
| - script: | ||
| content: kyverno test . |
There was a problem hiding this comment.
Chainsaw tests must not wrap Kyverno CLI.
| policies.kyverno.io/category: Other | ||
| policies.kyverno.io/subject: Pod | ||
| kyverno.io/kyverno-version: 1.11.0 | ||
| policies.kyverno.io/minversion: 1.10.0 |
other/deny-default-service-account-bindings/deny-default-service-account-bindings.yaml
Outdated
Show resolved
Hide resolved
other/deny-default-service-account-bindings/deny-default-service-account-bindings.yaml
Outdated
Show resolved
Hide resolved
| policies.kyverno.io/title: Deny binding of default service accounts | ||
| policies.kyverno.io/category: Other | ||
| policies.kyverno.io/subject: Pod | ||
| kyverno.io/kyverno-version: 1.11.0 |
There was a problem hiding this comment.
Please test and certify on the latest Kyverno release.
other/deny-default-service-account-bindings/deny-default-service-account-bindings.yaml
Outdated
Show resolved
Hide resolved
chipzoller
suggested changes
Aug 9, 2024
| @@ -0,0 +1,22 @@ | |||
| name: deny-force-delete | |||
There was a problem hiding this comment.
Name is not accurate here.
| @@ -0,0 +1,22 @@ | |||
| name: deny-force-delete | |||
| version: 1.0.0 | |||
| displayName: Deny Force Deletion of Resources | |||
There was a problem hiding this comment.
File needs to be updated accordingly including with changes to annotations in the policy.
…ce-account-bindings.yaml Co-authored-by: Chip Zoller <[email protected]> Signed-off-by: Jim Bugwadia <[email protected]>
…ce-account-bindings.yaml Co-authored-by: Chip Zoller <[email protected]> Signed-off-by: Jim Bugwadia <[email protected]>
…ce-account-bindings.yaml Co-authored-by: Chip Zoller <[email protected]> Signed-off-by: Jim Bugwadia <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
The default service account is automatically mounted into all pods in a namespace unless explicitly overridden. If this account is bound to a Role or ClusterRole that grants extensive permissions, every pod in the namespace using the default service account will inherit these permissions. This setup can lead to unnecessary security risks if a pod is compromised, as an attacker could potentially gain access to other resources within the cluster.For an enhnaced security, using the default service account in RoleBindings is not recommended.
Checklist