As a security measure, I would like to request a feature to restrict users run kubectl exec in pods, users shouldn't be able to login or execute any commands using kubectl exec.
Possible Solution
Gatekeeper validate admission controller provides CONNECT operation, which can be used to create constraints templates which would disallow exec to all pods in a cluster. And since AKS policy extends gatekeeper to apply constraints. By enabling this feature I can add another custom policy which would restrict exec to the pods.
Alternatives available
I have also considered using AKS RBAC, but that would completely deny users from the exec. I would still like to let users have ability to run few commands such as "ls", "cat".
As a security measure, I would like to request a feature to restrict users run
kubectl exec
in pods, users shouldn't be able to login or execute any commands usingkubectl exec
.Possible Solution Gatekeeper validate admission controller provides
CONNECT
operation, which can be used to create constraints templates which would disallow exec to all pods in a cluster. And since AKS policy extends gatekeeper to apply constraints. By enabling this feature I can add another custom policy which would restrict exec to the pods.Alternatives available I have also considered using AKS RBAC, but that would completely deny users from the exec. I would still like to let users have ability to run few commands such as "ls", "cat".
Additional context Here is the example of how it can be implemented in kubernetes environment, https://medium.com/@javier-canizalez/policy-enforcement-in-kubernetes-restricting-kubectl-exec-with-gatekeeper-7e99823465c9