GoogleCloudPlatform / gke-policy-library

Google Kubernetes Engine Policy Library
https://cloud.google.com/anthos-config-management/docs/concepts/policy-controller
Apache License 2.0

K8sProhibitRoleWildcardAccess Wildcard Role #155

Closed borkodjurkovic-ssc closed 6 months ago

borkodjurkovic-ssc commented 7 months ago

We've been implementing the NIST SP 800-53 K8sProhibitRoleWildcardAccess constraint in our Anthos Autopilot cluster. We found that the policy did not include configsync.gke.io:root-reconciler in the exemptions.clusterRoles list. This causes the policy to mark the cluster as non-compliant. Below you can see that the cluster role definition uses wildcards for permissions. Should this cluster role be added by default to the exemption list (similar to how configsync.gke.io:ns-reconciler is already included in the exemption list)?

```yaml
# rules section of the configsync.gke.io:root-reconciler ClusterRole
rules:
- apiGroups:
  - configsync.gke.io
  resources:
  - rootsyncs
  verbs:
  - get
  - list
  - watch
  - update
  - patch
- apiGroups:
  - configsync.gke.io
  resources:
  - rootsyncs/status
  verbs:
  - get
  - list
  - watch
  - update
  - patch
- apiGroups:
  - kpt.dev
  resources:
  - resourcegroups
  verbs:
  - '*'
- apiGroups:
  - kpt.dev
  resources:
  - resourcegroups/status
  verbs:
  - '*'
```

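To make concrete what the constraint is flagging here, the following is an added example (not code from the gke-policy-library or from the issue author) that reproduces the wildcard check in plain Python over Role/ClusterRole objects, with an exemption list like the constraint's `exemptions.clusterRoles`. It assumes the constraint treats a `'*'` in any of `apiGroups`, `resources` or `verbs` as a violation and skips roles whose name is in the exemption list; the sample roles are constructed from the rules pasted above plus two made-up roles (`view-only`, `ns-admin`) to show a clean role and a fully wildcarded namespaced Role.

```python
"""Wildcard-RBAC check in the spirit of K8sProhibitRoleWildcardAccess.

Added illustration, not the library's Rego. Assumptions: a '*' in any of
apiGroups/resources/verbs is a violation; exempt roles are matched by exact
name; ClusterRoles and namespaced Roles have separate exemption lists.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample: the root-reconciler rules from the issue (the two
# rootsyncs rules are the same shape, so one is kept), plus two made-up roles.
SAMPLE_ROLES = [
    {
        "kind": "ClusterRole",
        "metadata": {"name": "configsync.gke.io:root-reconciler"},
        "rules": [
            {"apiGroups": ["configsync.gke.io"], "resources": ["rootsyncs"],
             "verbs": ["get", "list", "watch", "update", "patch"]},
            {"apiGroups": ["kpt.dev"], "resources": ["resourcegroups"],
             "verbs": ["*"]},
            {"apiGroups": ["kpt.dev"], "resources": ["resourcegroups/status"],
             "verbs": ["*"]},
        ],
    },
    {
        "kind": "ClusterRole",
        "metadata": {"name": "view-only"},
        "rules": [
            {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
        ],
    },
    {
        "kind": "Role",
        "metadata": {"name": "ns-admin", "namespace": "team-a"},
        "rules": [
            {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        ],
    },
]

WILDCARD_FIELDS = ("apiGroups", "resources", "verbs")


@dataclass(frozen=True)
class Violation:
    kind: str
    name: str
    namespace: Optional[str]
    rule_index: int   # position of the offending rule in .rules
    field: str        # which of apiGroups/resources/verbs held the '*'


def wildcard_fields(rule: dict) -> List[str]:
    """Return the rule fields that contain a bare '*' entry."""
    return [f for f in WILDCARD_FIELDS if "*" in rule.get(f, [])]


def find_wildcard_violations(
    roles: Iterable[dict],
    exempt_cluster_roles: Iterable[str] = (),
    exempt_roles: Iterable[str] = (),
) -> List[Violation]:
    """Flag every wildcard rule in non-exempt Roles/ClusterRoles."""
    exempt_cr = set(exempt_cluster_roles)
    exempt_r = set(exempt_roles)
    violations: List[Violation] = []
    for role in roles:
        kind = role["kind"]
        name = role["metadata"]["name"]
        ns = role["metadata"].get("namespace")
        if name in (exempt_cr if kind == "ClusterRole" else exempt_r):
            continue
        for i, rule in enumerate(role.get("rules", [])):
            for f in wildcard_fields(rule):
                violations.append(Violation(kind, name, ns, i, f))
    return violations


if __name__ == "__main__":
    # Without the exemption the root-reconciler is reported, as in the issue.
    for v in find_wildcard_violations(SAMPLE_ROLES):
        print(v)
    print("--- with root-reconciler exempted ---")
    for v in find_wildcard_violations(
        SAMPLE_ROLES, exempt_cluster_roles=["configsync.gke.io:root-reconciler"]
    ):
        print(v)
```

Running it without exemptions reports the two `verbs: ['*']` rules of the root-reconciler alongside the three wildcard fields of `ns-admin`; adding `configsync.gke.io:root-reconciler` to the ClusterRole exemption list leaves only `ns-admin`, which is the effect the issue asks the bundle to have by default.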
apeabody commented 7 months ago

Hi @borkodjurkovic-ssc - Thanks for reaching out! I will recommend our team add configsync.gke.io:root-reconciler in a future release.

apeabody commented 6 months ago

Hi @borkodjurkovic-ssc! - This has been updated: https://github.com/GoogleCloudPlatform/gke-policy-library/blob/main/anthos-bundles/nist-sp-800-53-r5/restrict-role-wildcards.yaml#L49