In this series of blog posts, we will be looking at deploying OPA Gatekeeper as the admission controller for our Kubernetes cluster. We will be focusing specifically on creating Gatekeeper policies for RBAC (role-based access control) in the Kubernetes cluster.

If you want to know how the Audit logs are sent to EFK, you can read the following article on sending the logs to EFK.

Aim:

Service Accounts: Prohibit Namespaces.

We will be creating a policy that limits the creation of service accounts to specific namespaces.

template.yaml

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sroleauth
spec:
  crd:
    spec:
      names:
        kind: K8sRoleAuth
      validation:
        openAPIV3Schema:
          properties:
            namespaces:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sroleauth

        # Deny a ServiceAccount whose namespace is not one of the allowed namespaces
        violation[{"msg": msg}] {
          input.review.object.kind == "ServiceAccount"
          namespace := input.review.object.metadata.namespace
          not allowed_namespace(namespace)
          msg := sprintf("ServiceAccount creation is not allowed in namespace %q", [namespace])
        }

        # True when the namespace exactly matches an entry in the constraint's parameters
        allowed_namespace(ns) {
          input.parameters.namespaces[_] == ns
        }

Let's have a look at the Rego policy:

  • input.review.object.kind == "ServiceAccount" – checks that the object under review is a ServiceAccount; objects of any other kind never trigger a violation.
  • namespace := input.review.object.metadata.namespace – reads the namespace from the object's metadata and saves it in the variable 'namespace'.
  • allowed_namespace(ns) – a helper rule that is true when 'ns' is equal to one of the values in the 'namespaces' parameter of the constraint file. Equality is used on purpose: a substring check (contains) would treat 'kube' as a match for 'kube-system'.
  • not allowed_namespace(namespace) – the violation fires only when the namespace matches none of the entries. Iterating over the parameters inside the violation rule itself (namespaces[_]) would raise a violation for every entry that does not match, so any list with more than one namespace would deny every ServiceAccount. Dropping the 'not' turns the same template into a deny list of prohibited namespaces.
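As an added example that is not part of the original post, the following OPA unit test file exercises the template above. It assumes the rego block has been saved on its own as k8sroleauth.rego (a hypothetical file name) and uses constructed inputs in the shape Gatekeeper passes to a template, not a captured AdmissionReview.

```rego
package k8sroleauth

# Constructed input in the shape Gatekeeper hands to the template:
# review.object is the object being admitted, parameters come from the constraint.
sa_input(ns, allowed) = {
  "review": {"object": {
    "kind": "ServiceAccount",
    "metadata": {"name": "build-robot", "namespace": ns}
  }},
  "parameters": {"namespaces": allowed}
}

# A ServiceAccount in a listed namespace produces no violation
test_listed_namespace_is_allowed {
  inp := sa_input("ci", ["ci", "build"])
  count(violation) == 0 with input as inp
}

# Every entry in the list must be honoured, not only the first one
test_second_listed_namespace_is_allowed {
  inp := sa_input("build", ["ci", "build"])
  count(violation) == 0 with input as inp
}

# A ServiceAccount outside the list is denied exactly once
test_unlisted_namespace_is_denied {
  inp := sa_input("kube-system", ["ci", "build"])
  count(violation) == 1 with input as inp
}

# Matching is exact: "ci" is a substring of "ci-cd" but is not an allowed namespace
test_substring_of_listed_namespace_is_denied {
  inp := sa_input("ci", ["ci-cd"])
  count(violation) == 1 with input as inp
}

# Objects of other kinds are out of scope for this template
test_other_kinds_are_ignored {
  inp := {
    "review": {"object": {"kind": "ConfigMap", "metadata": {"name": "cfg", "namespace": "default"}}},
    "parameters": {"namespaces": ["ci"]}
  }
  count(violation) == 0 with input as inp
}
```

Run it with `opa test -v k8sroleauth.rego k8sroleauth_test.rego` before applying the ConstraintTemplate to the cluster; a policy that fails the multi-entry or substring case would either lock out every ServiceAccount or admit namespaces that were never listed.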

constraint.yaml

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRoleAuth
metadata:
  name: block-latest-tag
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["*"]
  parameters:
    namespaces:
      - "kube-system"

We have listed a single namespace, kube-system, in the namespaces parameter.

RBAC-deny.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-robot
  namespace: kube-system
  resourceVersion: "272500"
  uid: 721ab723-13bc-11e5-aec2-42010af0021e
ServiceAccount creation denied.

RBAC-allow.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-robot
  namespace: default
  resourceVersion: "272500"
  uid: 721ab723-13bc-11e5-aec2-42010af0021e
ServiceAccount creation allowed.

In this article, we saw how we can restrict the creation of service accounts to specific namespaces. We will be looking at more such RBAC policies in future posts.

Practice here:

https://www.katacoda.com/cloudsecops/courses/opagatekeeper-policy/namespace

Thank you for reading! – Siddarth Tanna and Setu Parimi