cruise-automation / k-rail

Kubernetes security tool for policy enforcement
Apache License 2.0

Exemptions and Fuzzy Matching - Possible Bug #94

Closed ossie-git closed 3 years ago

ossie-git commented 3 years ago

I was experimenting with creating exemptions and added the following exemption to values.yaml:

  - resource_name: "abc"
    namespace: default
    username: "kubernetes-admin"
    exempt_policies: ["pod_no_exec"]

and then upgraded the helm chart. After doing so, I was able to exec into a pod named abc. However, I was surprised that this also allowed me to exec into any pod that starts with the string abc. So I could exec into pods named:

and so on.

I think this is a bug and, if it is not, I think this should be more clearly stated on the GitHub page. Thanks

Update

Looking at the code, it looks like this is by design because you expect resources to be created by controllers, etc. This is what I ran into when I looked at exception.go:

// Compile returns a CompiledExemption
func (r *RawExemption) Compile() CompiledExemption {
  // if a field is not specified, assume it matches everything

  // ensure that ResourceName has a trailing glob so it can match the IDs added by certain resource types
  // ie, Deployment pod name test-pod, ReplicaSet name test-pod-sdf932, PodName test-pod-sdf932-ew92
  if !strings.HasSuffix(r.ResourceName, "*") {
    r.ResourceName = r.ResourceName + "*"
  }

  if r.ClusterName == "" {
    r.ClusterName = "*"
  }
  if r.Namespace == "" {
    r.Namespace = "*"
  }
  if r.Username == "" {
    r.Username = "*"
  }
  if r.Group == "" {
    r.Group = "*"
  }
  if len(r.ExemptPolicies) == 0 {
    r.ExemptPolicies = []string{"*"}
  }
  // the remainder of the function, which turns these normalised fields into the returned CompiledExemption, is not quoted here

so it might be useful to add something about this in the README.md
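To make the trailing-glob rule concrete, here is an added Go example (not k-rail's own code) that reproduces the normalisation from the quoted Compile and reports which pod names an exemption would cover, so the reach of a values.yaml entry can be reviewed before it is rolled out. It assumes path.Match from the standard library in place of the project's glob matcher; for Kubernetes object names, which contain no "/", its "*" behaves the same way.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// normalizeResourceName mirrors the rule quoted above: a resource_name
// without a trailing "*" gets one appended, so "abc" becomes "abc*" and an
// empty name becomes "*" (match everything).
func normalizeResourceName(name string) string {
	if !strings.HasSuffix(name, "*") {
		return name + "*"
	}
	return name
}

// exemptionCovers reports whether podName falls under the normalised
// resource_name pattern. Assumption: path.Match stands in for the glob
// library k-rail uses; for names without "/" the "*" semantics coincide.
func exemptionCovers(resourceName, podName string) bool {
	ok, err := path.Match(normalizeResourceName(resourceName), podName)
	return err == nil && ok
}

// coveredNames returns the subset of candidate pod names for which the
// exemption would switch the listed policies off.
func coveredNames(resourceName string, candidates []string) []string {
	var covered []string
	for _, n := range candidates {
		if exemptionCovers(resourceName, n) {
			covered = append(covered, n)
		}
	}
	return covered
}

func main() {
	// Constructed sample pod names, not taken from a real cluster.
	pods := []string{"abc", "abc-7d9f4-x2k1q", "abcdef", "xabc", "ab"}
	fmt.Println(coveredNames("abc", pods))   // [abc abc-7d9f4-x2k1q abcdef]
	fmt.Println(coveredNames("abc-*", pods)) // [abc-7d9f4-x2k1q]
}
```

Note that because a "*" is always appended, there is no way to write an exemption that matches the name "abc" exactly; the narrowest you can get is a more specific prefix such as "abc-*".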

dustin-decker commented 3 years ago

Yes, this is the intended behavior. Added note in the readme in https://github.com/cruise-automation/k-rail/pull/96