-
Notifications
You must be signed in to change notification settings - Fork 247
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added a policy for deny-default-service-account-bindings #1118
base: main
Are you sure you want to change the base?
Changes from 1 commit
6342d43
558ad74
ecc2889
bdf682f
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
apiVersion: chainsaw.kyverno.io/v1alpha1 | ||
kind: Test | ||
metadata: | ||
creationTimestamp: null | ||
name: sample-test | ||
spec: | ||
steps: | ||
- name: step-01 | ||
try: | ||
- script: | ||
content: kyverno test . | ||
check: | ||
($error != null): false |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
apiVersion: cli.kyverno.io/v1alpha1 | ||
kind: Test | ||
metadata: | ||
name: kyverno-test.yaml | ||
policies: | ||
- ../deny-default-service-account-bindings.yaml | ||
resources: | ||
- resources.yaml | ||
results: | ||
- kind: RoleBinding | ||
policy: deny-default-service-account-bindings | ||
resources: | ||
- goodpod01 | ||
- goodpod02 | ||
result: pass | ||
rule: deny-default-service-account-bindings | ||
- kind: RoleBinding | ||
policy: deny-default-service-account-bindings | ||
resources: | ||
- badpod01 | ||
- badpod02 | ||
result: fail | ||
rule: deny-default-service-account-bindings |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: RoleBinding | ||
metadata: | ||
name: goodpod01 | ||
subjects: | ||
- kind: ServiceAccount | ||
name: custom-service-account01 | ||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: RoleBinding | ||
metadata: | ||
name: goodpod02 | ||
subjects: | ||
- kind: ServiceAccount | ||
name: custom-service-account02 | ||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: RoleBinding | ||
metadata: | ||
name: badpod01 | ||
subjects: | ||
- kind: ServiceAccount | ||
name: default | ||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: RoleBinding | ||
metadata: | ||
name: badpod02 | ||
subjects: | ||
- kind: ServiceAccount | ||
name: default |
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. File needs to be updated accordingly including with changes to annotations in the policy. |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
name: deny-force-delete | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Name is not accurate here. |
||
version: 1.0.0 | ||
displayName: Deny Force Deletion of Resources | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Not accurate. |
||
createdAt: "2024-08-05T10:30:02.000Z" | ||
description: >- | ||
The default service account is automatically mounted into all pods in a namespace unless explicitly overridden. If this account is bound to a Role or ClusterRole that grants extensive permissions, every pod in the namespace using the default service account will inherit these permissions. This setup can lead to unnecessary security risks if a pod is compromised, as an attacker could potentially gain access to other resources within the cluster.For an enhnaced security, using the default service account in RoleBindings is not recommended. | ||
install: |- | ||
```shell | ||
kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/deny-default-service-account-bindings/deny-default-service-account-bindings.yaml | ||
``` | ||
keywords: | ||
- kyverno | ||
- Other | ||
readme: | | ||
Using the default service account in RoleBindings is not allowed. | ||
|
||
Refer to the documentation for more details on Kyverno annotations: https://artifacthub.io/docs/topics/annotations/kyverno/ | ||
annotations: | ||
kyverno/category: "Other" | ||
kyverno/kubernetesVersion: "1.28" | ||
kyverno/subject: "Pod" | ||
digest: ca4094718f70c2bfbfad6051ce357a34c5dbb65512dcc118e0897786626aff37 |
Original file line number | Diff line number | Diff line change | ||||
---|---|---|---|---|---|---|
@@ -0,0 +1,34 @@ | ||||||
apiVersion: kyverno.io/v1 | ||||||
kind: ClusterPolicy | ||||||
metadata: | ||||||
name: deny-default-service-account-bindings | ||||||
annotations: | ||||||
policies.kyverno.io/title: Deny binding of default service accounts | ||||||
policies.kyverno.io/category: Other | ||||||
JimBugwadia marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
policies.kyverno.io/subject: Pod | ||||||
JimBugwadia marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
kyverno.io/kyverno-version: 1.11.0 | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Please test and certify on the latest Kyverno release. |
||||||
policies.kyverno.io/minversion: 1.10.0 | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Remove |
||||||
kyverno.io/kubernetes-version: "1.26" | ||||||
policies.kyverno.io/description: >- | ||||||
The default service account is automatically mounted into all pods in a namespace unless | ||||||
explicitly overridden. If this account is bound to a Role or ClusterRole that grants extensive | ||||||
permissions, every pod in the namespace using the default service account will inherit these | ||||||
permissions. This setup can lead to unnecessary security risks if a pod is compromised, as an | ||||||
attacker could potentially gain access to other resources within the cluster.For an enhnaced | ||||||
JimBugwadia marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
security, using the default service account in RoleBindings is not recommended. | ||||||
spec: | ||||||
validationFailureAction: enforce | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||
background: false | ||||||
rules: | ||||||
- name: deny-default-service-account-bindings | ||||||
match: | ||||||
resources: | ||||||
kinds: | ||||||
- RoleBinding | ||||||
- ClusterRoleBinding | ||||||
Comment on lines
+24
to
+28
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Rules must use |
||||||
validate: | ||||||
message: "Using the default service account in RoleBindings is not allowed." | ||||||
pattern: | ||||||
subjects: | ||||||
- kind: "ServiceAccount" | ||||||
name: "!default" | ||||||
Comment on lines
+33
to
+34
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I haven't tested this, but my feeling is this may not work in all scenarios because There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Hi @chipzoller, With the change in policy, there's a new issue that the policy is excluding all the resources. Could you please point me to the issue here:
Following is the result:
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. With the following policy, we see the goodpods start, but badpods get skipped.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Chainsaw tests must not wrap Kyverno CLI.