GoogleCloudPlatform / gke-policy-library

Google Kubernetes Engine Policy Library
https://cloud.google.com/anthos-config-management/docs/concepts/policy-controller
Apache License 2.0

K8sRestrictRbacSubjects Allowed subjects #154

Closed borkodjurkovic-ssc closed 3 months ago

borkodjurkovic-ssc commented 4 months ago

We've been implementing the NIST SP 800-53 K8sRestrictRbacSubjects constraint in our Anthos Autopilot cluster. We found that the policy did not include root and namespace reconcilers in the allowedSubjects list. It also did not include container-watcher-pod-reader (which is found in kube-system namespace) in the allowedSubjects list. This causes the policy to make clusters not compliant with the policy.

As these seem to be necessary components in Anthos clusters, I am wondering if they should be included by default in the policy? Or perhaps there is a valid reason why they are not there? If so what is the rationale? In this case, is the recommended approach for customers to customize the policy for every Anthos cluster?

We were able to fix the compliance by adding the code below to the allowedSubjects list in the policy:

```yaml
      # Root and Namespace Config Sync reconcilers
      - name: (root|ns)-reconciler-.+$
        regexMatch: true
      - name: container-watcher-pod-reader
```

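To make the matching behaviour of the allowedSubjects entries above concrete, here is an added example (not code from the gke-policy-library or Gatekeeper projects) that re-implements the allow-list check in Python and runs it over constructed RoleBinding subjects. It assumes the constraint's semantics are: an entry with `regexMatch: true` is treated as an unanchored regular expression (like Go's `regexp.MatchString`, which Rego's `regex.match` uses), otherwise the name must match exactly; an optional `kind` on an entry restricts it to that subject kind. The sample bindings, the `ad-hoc-admin` binding name and the `alice@example.com` user are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Subject:
    """One subject from a RoleBinding / ClusterRoleBinding."""
    kind: str   # ServiceAccount, User or Group
    name: str


@dataclass(frozen=True)
class AllowedSubject:
    """One allowedSubjects entry. kind=None means 'any kind' (assumption)."""
    name: str
    regex_match: bool = False
    kind: Optional[str] = None


# Allow-list built from the two entries quoted in the issue above.
ALLOWED_SUBJECTS: List[AllowedSubject] = [
    AllowedSubject(name=r"(root|ns)-reconciler-.+$", regex_match=True),
    AllowedSubject(name="container-watcher-pod-reader"),
]


def subject_allowed(subject: Subject, allowed: List[AllowedSubject]) -> bool:
    """Return True if any allow-list entry matches the subject."""
    for entry in allowed:
        if entry.kind is not None and entry.kind != subject.kind:
            continue
        if entry.regex_match:
            # Unanchored search mirrors Go/Rego regex matching (assumption).
            if re.search(entry.name, subject.name):
                return True
        elif entry.name == subject.name:
            return True
    return False


def find_violations(bindings: List[dict],
                    allowed: List[AllowedSubject]) -> List[Tuple[str, str, str]]:
    """Return (binding name, subject kind, subject name) for every subject
    that is not on the allow-list; an empty list means the cluster complies."""
    violations = []
    for binding in bindings:
        for subj in binding.get("subjects", []):
            s = Subject(kind=subj["kind"], name=subj["name"])
            if not subject_allowed(s, allowed):
                violations.append((binding["metadata"]["name"], s.kind, s.name))
    return violations


# Constructed sample bindings (minimal RoleBinding-shaped dicts, not real cluster objects).
SAMPLE_BINDINGS: List[dict] = [
    {
        "metadata": {"name": "root-sync-binding"},
        "subjects": [
            {"kind": "ServiceAccount", "name": "root-reconciler-main"},
            {"kind": "ServiceAccount", "name": "ns-reconciler-prod"},
        ],
    },
    {
        "metadata": {"name": "container-watcher-binding"},
        "subjects": [{"kind": "ServiceAccount", "name": "container-watcher-pod-reader"}],
    },
    {
        "metadata": {"name": "ad-hoc-admin"},
        "subjects": [{"kind": "User", "name": "alice@example.com"}],
    },
]


if __name__ == "__main__":
    for name, kind, subject in find_violations(SAMPLE_BINDINGS, ALLOWED_SUBJECTS):
        print(f"violation: binding={name} subject={kind}/{subject}")
```

Running the checker shows that only the constructed `ad-hoc-admin` binding is reported. Note what the regex entry actually accepts: `root-reconciler-main` and `ns-reconciler-prod` match, but the bare name `root-reconciler` does not, because the pattern requires a hyphen and at least one further character after `reconciler`; checking the allow-list against the real reconciler names in a cluster is the quickest way to confirm an entry covers what was intended.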
apeabody commented 4 months ago

Hi @borkodjurkovic-ssc - Thanks for reaching out! I will recommend our team add these subjects as allowed in a future release.

apeabody commented 3 months ago

Hi @borkodjurkovic-ssc - This has been updated: https://github.com/GoogleCloudPlatform/gke-policy-library/blob/main/anthos-bundles/nist-sp-800-53-r5/restrict-rbac-subjects.yaml#L79