Closed borkodjurkovic-ssc closed 3 months ago
Hi @borkodjurkovic-ssc - Thanks for reaching out! I will recommend our team add these subjects as allowed in a future release.
Hi @borkodjurkovic-ssc - This has been updated: https://github.com/GoogleCloudPlatform/gke-policy-library/blob/main/anthos-bundles/nist-sp-800-53-r5/restrict-rbac-subjects.yaml#L79
We've been implementing the NIST SP 800-53 `K8sRestrictRbacSubjects` constraint in our Anthos Autopilot cluster. We found that the policy did not include root and namespace reconcilers in the `allowedSubjects` list. It also did not include `container-watcher-pod-reader` (which is found in the `kube-system` namespace) in the `allowedSubjects` list. This causes the policy to make clusters not compliant with the policy. As these seem to be necessary components in Anthos clusters, I am wondering if they should be included by default in the policy? Or perhaps there is a valid reason why they are not there? If so, what is the rationale? In this case, is the recommended approach for customers to customize the policy for every Anthos cluster?

We were able to fix the compliance by adding the below code to the `allowedSubjects` list in the policy:
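The reporter's added entries are not reproduced on this page. As an added illustration (not the reporter's snippet and not the gke-policy-library constraint itself), the script below models the check that a restrict-RBAC-subjects policy performs: every subject referenced by a RoleBinding or ClusterRoleBinding must appear in an allow-list, otherwise the binding is reported as a violation. It can be pointed at the output of `kubectl get clusterrolebindings,rolebindings -A -o json`; the embedded bindings are constructed sample data, and the matching rule (kind and name, plus namespace for ServiceAccounts), the `config-management-system` namespace for the root reconciler, and modelling `container-watcher-pod-reader` as a ServiceAccount subject are assumptions, not facts taken from the page.

```python
"""Audit RBAC binding subjects against an allowedSubjects list (added example).

Not the gke-policy-library constraint; it only mirrors the idea of the check so
the effect of a missing allow-list entry can be seen offline.
"""
import json

# Baseline allow-list (constructed): only the cluster-admin group is permitted.
BASELINE_ALLOWED = [
    {"kind": "Group", "name": "system:masters"},
]

# Entries the reporter's fix would add, in the shape this script expects
# (assumption: the real constraint's entry schema may differ).
ANTHOS_COMPONENT_SUBJECTS = [
    {"kind": "ServiceAccount", "name": "root-reconciler",
     "namespace": "config-management-system"},          # namespace is an assumption
    {"kind": "ServiceAccount", "name": "container-watcher-pod-reader",
     "namespace": "kube-system"},                        # page says it lives in kube-system
]

# Constructed sample bindings, standing in for `kubectl ... -o json` items.
SAMPLE_BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin-binding"},
     "subjects": [{"kind": "Group", "name": "system:masters",
                   "apiGroup": "rbac.authorization.k8s.io"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "root-reconciler-binding"},
     "subjects": [{"kind": "ServiceAccount", "name": "root-reconciler",
                   "namespace": "config-management-system"}]},
    {"kind": "RoleBinding",
     "metadata": {"name": "container-watcher-pod-reader", "namespace": "kube-system"},
     "subjects": [{"kind": "ServiceAccount", "name": "container-watcher-pod-reader",
                   "namespace": "kube-system"}]},
]


def subject_key(subject):
    """Identity of a subject for allow-list matching.

    Users and Groups are cluster-scoped, so only kind and name count;
    ServiceAccounts are namespaced, so the namespace is part of the key.
    """
    namespace = subject.get("namespace", "") if subject["kind"] == "ServiceAccount" else ""
    return (subject["kind"], subject["name"], namespace)


def find_violations(bindings, allowed_subjects):
    """Return (binding kind, binding name, subject) for every subject not allowed."""
    allowed = {subject_key(s) for s in allowed_subjects}
    violations = []
    for binding in bindings:
        for subject in binding.get("subjects", []) or []:
            if subject_key(subject) not in allowed:
                kind, name, namespace = subject_key(subject)
                label = f"{kind}/{namespace}/{name}" if namespace else f"{kind}/{name}"
                violations.append((binding["kind"], binding["metadata"]["name"], label))
    return violations


def load_bindings(kubectl_json_text):
    """Parse `kubectl get ... -o json` output (a List with an items array)."""
    document = json.loads(kubectl_json_text)
    return document.get("items", []) if document.get("kind") == "List" else [document]


if __name__ == "__main__":
    # With only the baseline list, both Anthos component subjects are flagged.
    for violation in find_violations(SAMPLE_BINDINGS, BASELINE_ALLOWED):
        print("violation:", violation)
    # Extending allowedSubjects with the component subjects clears the findings.
    print("after fix:", find_violations(SAMPLE_BINDINGS,
                                         BASELINE_ALLOWED + ANTHOS_COMPONENT_SUBJECTS))
```

Running the script against real cluster output is a quick way to see which system components a restrict-subjects policy would flag before enabling it in enforce mode, and which allow-list entries a given cluster would need.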