elastisys / compliantkubernetes-apps

Elastisys Compliant Kubernetes is an open source, Certified Kubernetes distribution designed according to the ISO27001 controls: providing you with security tooling and observability from day one.
https://elastisys.io/compliantkubernetes/
Apache License 2.0

OPA to protect key components/namespaces against non-operators #457

Open llarsson opened 3 years ago

llarsson commented 3 years ago

Is your feature request related to a problem? Please describe.

Customers may request from us that we install an automated system such as a CI/CD solution which would need to be allowed cluster-wide access. For instance, to create namespaces for applications that it needs to deploy. However, we don't want to give full God mode permissions just because of that -- that would be an instability problem for the platform, and our ability to offer a managed service with an SLA. And in particular, we don't want to give permissions into, e.g., kube-system or other key components or namespaces, because deploying there could be a security issue.

Describe the solution you'd like

I would like us to use OPA to validate requests such that if a request is made to modify components or namespaces that are, e.g., labelled "operator", you have to have sufficient permissions.

Describe alternatives you've considered

RBAC is not sufficient in itself, but people have been creative with other solutions. See for instance this thread.

Additional context

N/A

Definition of done:

ArgoCD can be installed in a cluster-wide manner with its typical God mode permissions, and yet, the platform is secure and protected against users asking Argo to overwrite stuff in e.g. kube-system.
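One way to express the requested policy as an OPA Gatekeeper ConstraintTemplate and Constraint. This is an added example, not code from the compliantkubernetes-apps project, and it makes several assumptions: that OPA runs as Gatekeeper (so requests arrive as `input.review` and namespaces can be synced into `data.inventory` with a `Config` resource), that operator namespaces carry a label such as `owner: operator`, and that the allow-list groups, users and resource names below are placeholders to be replaced. It goes slightly beyond the issue text by also treating the protected namespace's own service accounts as allowed, since in-namespace controllers have to keep working:

```yaml
# Added example: sync Namespace objects into Gatekeeper's data.inventory so a
# policy can read a namespace's labels when evaluating requests into it.
apiVersion: config.gatekeeper.sh/v1alpha1
kind: Config
metadata:
  name: config
  namespace: gatekeeper-system
spec:
  sync:
    syncOnly:
      - group: ""
        version: v1
        kind: Namespace
---
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8soperatornamespaces   # hypothetical name
spec:
  crd:
    spec:
      names:
        kind: K8sOperatorNamespaces
      validation:
        openAPIV3Schema:
          type: object
          properties:
            labelKey:   {type: string}
            labelValue: {type: string}
            allowedGroups: {type: array, items: {type: string}}
            allowedUsers:  {type: array, items: {type: string}}
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8soperatornamespaces

        # Namespace the request targets. For namespaced resources this is the
        # object's namespace; for UPDATE/DELETE on a Namespace object the API
        # server sets request.namespace to that namespace's name, so relabelling
        # or deleting a protected namespace is covered too. CREATE of a new
        # namespace has no target namespace and is therefore not restricted.
        target_namespace = ns {
          ns := input.review.namespace
          ns != ""
        }

        # Protected if the synced Namespace object carries the operator label ...
        protected {
          ns := data.inventory.cluster["v1"]["Namespace"][target_namespace]
          ns.metadata.labels[input.parameters.labelKey] == input.parameters.labelValue
        }

        # ... or, for requests on the Namespace object itself, if the stored
        # (old) object carried it. This does not depend on inventory sync lag.
        protected {
          input.review.kind.kind == "Namespace"
          input.review.oldObject.metadata.labels[input.parameters.labelKey] == input.parameters.labelValue
        }

        allowed {
          input.parameters.allowedUsers[_] == input.review.userInfo.username
        }

        allowed {
          input.parameters.allowedGroups[_] == input.review.userInfo.groups[_]
        }

        # Assumption: service accounts living in the protected namespace are
        # its own controllers and stay allowed.
        allowed {
          startswith(input.review.userInfo.username,
                     sprintf("system:serviceaccount:%s:", [target_namespace]))
        }

        violation[{"msg": msg}] {
          protected
          not allowed
          msg := sprintf("namespace %q is reserved for operators: %q (groups %v) may not %v %v/%v there",
            [target_namespace, input.review.userInfo.username, input.review.userInfo.groups,
             input.review.operation, input.review.kind.kind, input.review.name])
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sOperatorNamespaces
metadata:
  name: protect-operator-namespaces   # hypothetical name
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: ["*"]
        kinds: ["*"]
  parameters:
    labelKey: owner            # assumed label; adjust to the platform's convention
    labelValue: operator
    allowedGroups:
      - system:masters
      - system:kube-controller-manager   # placeholder: add the control-plane identities your cluster uses
    allowedUsers:
      - system:serviceaccount:argocd:argocd-application-controller   # placeholder: leave out if Argo must not touch kube-system
```

Two checks before relying on this: confirm the Gatekeeper webhook actually reviews the namespaces being protected (Gatekeeper can exempt namespaces via its `--exempt-namespace` flag and the webhook's `namespaceSelector`, which would silently skip kube-system), and keep in mind that the inventory-based rule is eventually consistent and that a webhook with `failurePolicy: Ignore` fails open, so a ClusterRole binding that lets ArgoCD edit the Namespace objects themselves should still be reviewed rather than treated as harmless.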

tordsson commented 3 years ago

If the namespace-limited solution (https://github.com/elastisys/compliantkubernetes-apps/issues/461) is sufficient, we will not implement this.