ClusterRole system:aggregate-to-edit should not allow endpoints permi…

…ssions Signed-off-by: xinhl <[email protected]>
fseldow · Aug 24, 2021 · 50ec429 · 50ec429
1 parent 3f73cca
commit 50ec429
Show file tree

Hide file tree

Showing 7 changed files with 400 additions and 0 deletions.
diff --git a/library/general/block-endpoint-edit-default-role/kustomization.yaml b/library/general/block-endpoint-edit-default-role/kustomization.yaml
@@ -0,0 +1,2 @@
+resources:
+  - template.yaml
diff --git a/...block-endpoint-edit-default-role/samples/block-endpoint-edit-default-role/constraint.yaml b/...block-endpoint-edit-default-role/samples/block-endpoint-edit-default-role/constraint.yaml
@@ -0,0 +1,9 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: K8sBlockEndpointEditDefaultRole
+metadata:
+  name: block-endpoint-edit-default-role
+spec:
+  match:
+    kinds:
+      - apiGroups: ["rbac.authorization.k8s.io"]
+        kinds: ["ClusterRole"]
diff --git a/...-endpoint-edit-default-role/samples/block-endpoint-edit-default-role/example_allowed.yaml b/...-endpoint-edit-default-role/samples/block-endpoint-edit-default-role/example_allowed.yaml
@@ -0,0 +1,138 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+  creationTimestamp: null
+  labels:
+    kubernetes.io/bootstrapping: rbac-defaults
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+  name: system:aggregate-to-edit
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods/attach
+  - pods/exec
+  - pods/portforward
+  - pods/proxy
+  - secrets
+  - services/proxy
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - impersonate
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - pods/attach
+  - pods/exec
+  - pods/portforward
+  - pods/proxy
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - patch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - persistentvolumeclaims
+  - replicationcontrollers
+  - replicationcontrollers/scale
+  - secrets
+  - serviceaccounts
+  - services
+  - services/proxy
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - patch
+  - update
+- apiGroups:
+  - apps
+  resources:
+  - daemonsets
+  - deployments
+  - deployments/rollback
+  - deployments/scale
+  - replicasets
+  - replicasets/scale
+  - statefulsets
+  - statefulsets/scale
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - patch
+  - update
+- apiGroups:
+  - autoscaling
+  resources:
+  - horizontalpodautoscalers
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - patch
+  - update
+- apiGroups:
+  - batch
+  resources:
+  - cronjobs
+  - jobs
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - patch
+  - update
+- apiGroups:
+  - extensions
+  resources:
+  - daemonsets
+  - deployments
+  - deployments/rollback
+  - deployments/scale
+  - ingresses
+  - networkpolicies
+  - replicasets
+  - replicasets/scale
+  - replicationcontrollers/scale
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - patch
+  - update
+- apiGroups:
+  - policy
+  resources:
+  - poddisruptionbudgets
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - patch
+  - update
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  - networkpolicies
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - patch
+  - update
diff --git a/...dpoint-edit-default-role/samples/block-endpoint-edit-default-role/example_disallowed.yaml b/...dpoint-edit-default-role/samples/block-endpoint-edit-default-role/example_disallowed.yaml
@@ -0,0 +1,79 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+  creationTimestamp: null
+  labels:
+    kubernetes.io/bootstrapping: rbac-defaults
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+  name: system:aggregate-to-edit
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods/attach
+  - pods/exec
+  - pods/portforward
+  - pods/proxy
+  - secrets
+  - services/proxy
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts
+  verbs:
+  - impersonate
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - pods/attach
+  - pods/exec
+  - pods/portforward
+  - pods/proxy
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - patch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - persistentvolumeclaims
+  - replicationcontrollers
+  - replicationcontrollers/scale
+  - secrets
+  - serviceaccounts
+  - services
+  - services/proxy
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - patch
+  - update
+- apiGroups:
+  - apps
+  resources:
+  - daemonsets
+  - deployments
+  - deployments/rollback
+  - deployments/scale
+  - endpoints
+  - replicasets
+  - replicasets/scale
+  - statefulsets
+  - statefulsets/scale
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - patch
+  - update
diff --git a/library/general/block-endpoint-edit-default-role/template.yaml b/library/general/block-endpoint-edit-default-role/template.yaml
@@ -0,0 +1,36 @@
+apiVersion: templates.gatekeeper.sh/v1beta1
+kind: ConstraintTemplate
+metadata:
+  name: k8sblockendpointeditdefaultrole
+  annotations:
+    description: "ClusterRole/system:aggregate-to-edit should not allow endpoint edit permissions due to CVE-2021-25740, Endpoint & EndpointSlice permissions allow cross-Namespace forwarding, https://github.com/kubernetes/kubernetes/issues/103675"
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sBlockEndpointEditDefaultRole
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package k8sblockendpointeditdefaultrole
+
+        violation[{"msg": msg}] {
+          input.review.object.metadata.name == "system:aggregate-to-edit"
+          endpointRule(input.review.object.rules[_])
+          msg := "ClusterRole system:aggregate-to-edit should not allow endpoint edit permissions. For k8s version < 1.22, the Cluster Role should be annotated with rbac.authorization.kubernetes.io/autoupdate=false to prevent autoreconciliation back to default permissions for this role."
+        }
+
+        endpointRule(rule) {
+          "endpoints" == rule.resources[_]
+          hasEditVerb(rule.verbs)
+        }
+
+        hasEditVerb(verbs) {
+          "create" == verbs[_]
+        }
+        hasEditVerb(verbs) {
+          "patch" == verbs[_]
+        }
+        hasEditVerb(verbs) {
+          "update" == verbs[_]
+        }
diff --git a/src/general/block-endpoint-edit-role/src.rego b/src/general/block-endpoint-edit-role/src.rego
@@ -0,0 +1,24 @@
+package k8sblockendpointeditdefaultrole
+
+violation[{"msg": msg}] {
+    input.review.object.metadata.name == "system:aggregate-to-edit"
+    endpointRule(input.review.object.rules[_])
+    msg := "ClusterRole system:aggregate-to-edit should not allow endpoint edit permissions. For k8s version < 1.22, the Cluster Role should be annotated with rbac.authorization.kubernetes.io/autoupdate=false to prevent autoreconciliation back to default permissions for this role."
+}
+
+endpointRule(rule) {
+    "endpoints" == rule.resources[_]
+    hasEditVerb(rule.verbs)
+}
+
+hasEditVerb(verbs) {
+    "create" == verbs[_]
+}
+
+hasEditVerb(verbs) {
+    "patch" == verbs[_]
+}
+
+hasEditVerb(verbs) {
+    "update" == verbs[_]
+}