- Story
- Resolution: Done
- Critical
- Product / Portfolio Work
- CORENET Sprint 271
https://github.com/giofontana/webhook-prevent-delete-denyall
Work with giofontana
Goal is to ensure:
- anyone who is not an admin cannot delete deny-all NetworkPolicies
This is a workaround since ANP (AdminNetworkPolicy) on UDNs (user-defined networks) isn't ready yet.
Or, instead of the webhook, we could use a ValidatingAdmissionPolicy (VAP): https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/
Example (not tested, just an idea):
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: fine-grained-network-policy-protection
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: ["networking.k8s.io"]
        apiVersions: ["v1"]
        operations: ["DELETE"]
        resources: ["networkpolicies"]
  paramKind:
    apiVersion: v1
    kind: ConfigMap
  validations:
    # Literal block scalar (|-) so the CEL // comments stay on their own lines;
    # a folded scalar (>-) would merge them into the expression.
    - expression: |-
        // Allow if user is in admin groups
        (has(params.data.adminGroups) &&
          params.data.adminGroups.split(',').exists(g, g in request.userInfo.groups)) ||
        // Allow if user is in exempt users list
        (has(params.data.adminUsers) &&
          params.data.adminUsers.split(',').exists(u, request.userInfo.username == u)) ||
        // Allow if resource is not protected
        // (oldObject is used throughout: object is null on DELETE requests)
        !(
          // Check if the NetworkPolicy has protected labels
          (has(params.data.protectedLabels) &&
            params.data.protectedLabels.split(',').exists(labelPair,
              has(oldObject.metadata.labels) &&
              labelPair.split('=')[0] in oldObject.metadata.labels &&
              oldObject.metadata.labels[labelPair.split('=')[0]] == labelPair.split('=')[1])) ||
          // Check if the NetworkPolicy name matches protected patterns
          (has(params.data.protectedNamePatterns) &&
            params.data.protectedNamePatterns.split(',').exists(pattern,
              oldObject.metadata.name.matches(pattern))) ||
          // Check if the NetworkPolicy is in protected namespaces
          (has(params.data.protectedNamespaces) &&
            params.data.protectedNamespaces.split(',').exists(ns,
              oldObject.metadata.namespace == ns))
        )
      message: "This NetworkPolicy is protected from deletion. Only admins can delete protected NetworkPolicies."
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: fine-grained-network-policy-protection-binding
spec:
  policyName: fine-grained-network-policy-protection
  paramRef:
    name: network-policy-protection-config
    namespace: kube-system
    # Fail closed if the ConfigMap is missing instead of silently allowing deletes
    parameterNotFoundAction: Deny
  validationActions: ["Deny"]
  matchResources:
    namespaceSelector: {}
    objectSelector: {}
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: network-policy-protection-config
  namespace: kube-system
data:
  # Define which users/groups are admins who can delete protected policies
  adminGroups: "system:masters,cluster-admin,network-admin"
  adminUsers: "admin@example.com,security-officer@example.com"
  # Define which network policies are protected
  # Protect policies with specific labels
  protectedLabels: "protection=high,critical=true,compliance=required"
  # Protect policies matching name patterns (regex, unanchored as CEL matches() is)
  protectedNamePatterns: "baseline-.*,pci-compliant-.*,.*-critical"
  # Protect all policies in these namespaces
  protectedNamespaces: "production,payment-processing,security-controls"
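An added Python reference model of the deletion rule, written for review here and not part of the story, the VAP, or the giofontana webhook (the real check is the CEL evaluated by the API server). It mirrors the admin/protected decision over constructed request and ConfigMap data, and goes beyond the VAP as written by adding a structural deny-all check on the policy spec, since the story's goal is deny-all policies specifically; all names and sample objects are constructed.

```python
import re

# Constructed ConfigMap data, the same keys the VAP reads through params.data.
PARAMS = {
    "adminGroups": "system:masters,cluster-admin,network-admin",
    "adminUsers": "admin@example.com,security-officer@example.com",
    "protectedLabels": "protection=high,critical=true,compliance=required",
    "protectedNamePatterns": "baseline-.*,pci-compliant-.*,.*-critical",
    "protectedNamespaces": "production,payment-processing,security-controls",
}

def csv(params, key):
    """Comma-separated ConfigMap value; a missing key behaves like a failed has() in CEL."""
    return [v for v in params.get(key, "").split(",") if v]

def is_deny_all(np):
    """Structural check the VAP lacks: podSelector selects every pod and no listed
    policyType carries rules, so the policy drops all traffic in that direction."""
    spec = np.get("spec", {})
    if spec.get("podSelector"):                     # non-empty selector: scoped, not deny-all
        return False
    types = spec.get("policyTypes") or ["Ingress"]  # API default when policyTypes is omitted
    return all(not spec.get(t.lower()) for t in types)

def is_protected(np, params):
    """Label, name-pattern or namespace match as in the CEL, plus the deny-all check."""
    meta = np.get("metadata", {})
    labels = meta.get("labels") or {}
    by_label = any(labels.get(k) == v for k, _, v in
                   (p.partition("=") for p in csv(params, "protectedLabels")))
    # CEL matches() is an unanchored RE2 search, so re.search mirrors it; anchor the
    # ConfigMap patterns (^...$) if only whole-name matches are intended.
    by_name = any(re.search(p, meta.get("name", "")) for p in csv(params, "protectedNamePatterns"))
    by_ns = meta.get("namespace") in csv(params, "protectedNamespaces")
    return by_label or by_name or by_ns or is_deny_all(np)

def delete_allowed(user_info, old_object, params=PARAMS):
    """Admission decision for a DELETE: admins always pass, others only when the policy
    is unprotected. old_object stands in for CEL oldObject (object is null on DELETE)."""
    if any(g in user_info.get("groups", []) for g in csv(params, "adminGroups")):
        return True
    if user_info.get("username") in csv(params, "adminUsers"):
        return True
    return not is_protected(old_object, params)

# Constructed sample request: an unprivileged user deleting a namespace-wide deny-all.
DEV = {"username": "dev@example.com", "groups": ["system:authenticated"]}
DENY_ALL = {"metadata": {"name": "default-deny", "namespace": "dev"},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}
```

`delete_allowed(DEV, DENY_ALL)` returns False, while the same request from a member of `cluster-admin` returns True.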