In this series of blog posts, we will be looking at deploying OPA Gatekeeper as the admission controller for our Kubernetes cluster. We will be focusing specifically on creating Gatekeeper policies for RBAC (Role-Based Access Control) in the Kubernetes cluster.
If you want to know how the audit logs are sent to EFK (Elasticsearch, Fluentd, Kibana), see our earlier article on sending the logs to EFK.
Aim:
Service Accounts: Prohibit Namespaces.
We will be creating a policy that restricts the creation of Service Accounts in specific namespaces.
template.yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sroleauth
spec:
  crd:
    spec:
      names:
        kind: K8sRoleAuth
      validation:
        # Schema for the parameters a constraint of kind K8sRoleAuth may carry.
        openAPIV3Schema:
          properties:
            namespaces:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sroleauth

        violation[{"msg": msg}] {
          # Only ServiceAccount objects are checked; other kinds produce no violation.
          input.review.object.kind == "ServiceAccount"
          namespace := input.review.object.metadata.namespace
          # Iterate over the namespaces listed in the constraint's parameters.
          prohibited_namespace := input.parameters.namespaces[_]
          # Exact string comparison: a substring check such as contains() would
          # also treat "kube" or "system" as matching "kube-system".
          namespace == prohibited_namespace
          msg := sprintf("ServiceAccount creation is not allowed in namespace %q", [namespace])
        }
Let's have a look at the Rego policy:
- input.review.object.kind == "ServiceAccount" – Checks that the object being admitted is a ServiceAccount; any other kind matched by the constraint passes through without a violation.
- namespace := input.review.object.metadata.namespace – Reads the namespace from the object's metadata and saves it in a variable called 'namespace'.
- prohibited_namespace := input.parameters.namespaces[_] – Iterates over the namespaces listed in the parameters of our constraint file, binding each one in turn to the 'prohibited_namespace' variable.
- namespace == prohibited_namespace – Compares the object's namespace with each listed entry using an exact match; if any entry matches, the violation is reported with the message. Reversing this test (a violation when the namespace is not in the list) turns the same template into an allow list instead of a deny list.
constraint.yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRoleAuth
metadata:
  name: block-latest-tag
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["*"]
  parameters:
    namespaces:
      - "kube-system"
We have listed kube-system as the prohibited namespace in the parameters. The match block sends every core-group object to the template, so the kind check inside the Rego is what limits the policy to Service Accounts.
RBAC-deny.yaml
# resourceVersion and uid are server-populated fields; they are omitted so that
# kubectl create/apply does not reject the manifest.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-robot
  namespace: kube-system

RBAC-allow.yaml
# Same object, but in a namespace that is not on the prohibited list.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-robot
  namespace: default
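Before wiring a template into a cluster it is worth unit-testing the rule with `opa test`. The file below is an added, self-contained example (not from the original post): it contains the exact-match deny-list version of the rule together with tests that encode the RBAC-deny and RBAC-allow cases above, plus the prefix and multi-namespace edge cases; the `sa_request` helper and the AdmissionReview-shaped input it builds are constructed for the test. Run it with `opa test -v sa_namespaces_test.rego` (on OPA 1.x add `--v0-compatible`, since Gatekeeper templates use the older Rego syntax).

```rego
package k8sroleauth

# Added example (not from the original post): exact-match deny-list rule plus
# opa unit tests. Run: opa test -v sa_namespaces_test.rego

violation[{"msg": msg}] {
  input.review.object.kind == "ServiceAccount"
  namespace := input.review.object.metadata.namespace
  prohibited_namespace := input.parameters.namespaces[_]
  namespace == prohibited_namespace
  msg := sprintf("ServiceAccount creation is not allowed in namespace %q", [namespace])
}

# Builds the input Gatekeeper passes to the template: a constructed
# AdmissionReview object plus the constraint's parameters (hypothetical helper).
sa_request(ns, prohibited) = req {
  req := {
    "review": {"object": {"kind": "ServiceAccount", "metadata": {"name": "build-robot", "namespace": ns}}},
    "parameters": {"namespaces": prohibited}
  }
}

# RBAC-deny.yaml: a ServiceAccount in kube-system is rejected.
test_denied_in_prohibited_namespace {
  req := sa_request("kube-system", ["kube-system"])
  count(violation) == 1 with input as req
}

# RBAC-allow.yaml: a ServiceAccount in default is admitted.
test_allowed_in_other_namespace {
  req := sa_request("default", ["kube-system"])
  count(violation) == 0 with input as req
}

# Exact comparison: "kube" is a prefix of "kube-system", not a listed namespace.
test_prefix_is_not_a_match {
  req := sa_request("kube", ["kube-system"])
  count(violation) == 0 with input as req
}

# Several prohibited namespaces: any match is enough to deny.
test_multiple_prohibited_namespaces {
  req := sa_request("default", ["kube-system", "default"])
  count(violation) == 1 with input as req
}

# The constraint matches every core-group kind; non-ServiceAccount objects pass.
test_other_kinds_are_ignored {
  req := {"review": {"object": {"kind": "Role", "metadata": {"name": "r", "namespace": "kube-system"}}},
          "parameters": {"namespaces": ["kube-system"]}}
  count(violation) == 0 with input as req
}
```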

In this article, we saw how to restrict the creation of Service Accounts in specific namespaces. We will be looking at more such RBAC policies in future posts.
Other related articles:
- Restrict RBAC Admins – OPA Gatekeeper RBAC Guardrail (Part 2)
- A Series of Blog Posts on using OPA Policies & Gatekeeper for Kubernetes Security
Practice here:
https://www.katacoda.com/cloudsecops/courses/opagatekeeper-policy/namespace
References:
- https://github.com/open-policy-agent/gatekeeper
- https://github.com/open-policy-agent/gatekeeper-library
Thank you for reading! – Siddarth Tanna and Setu Parimi