Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(k8sdisallowanonymous): allow disallowing system:authenticated #579

Merged

Conversation

julianKatz
Copy link
Contributor

@julianKatz julianKatz commented Aug 21, 2024

Previously, the k8sdisallowanonymous would prevent bindings to the
system:anonymous and system:unauthenticated groups.

For Google Kubernetes Engine, the system:authenticated group is a
potential security threat. This was described by Orca Security in this
blog post:

https://orca.security/resources/blog/sys-all-google-kubernetes-engine-risk/

This PR updates the k8sdisallowanonymous to prevent bindings to
system:authenticated if the parameters.disallowAuthenticated toggle is
set to true. This will not break existing customers as the default
boolean value is false, leaving this functionality disabled.

Fixes #561

@julianKatz julianKatz requested a review from a team as a code owner August 21, 2024 00:43
Copy link
Contributor

@apeabody apeabody left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

src/general/disallowanonymous/src.rego Outdated Show resolved Hide resolved
src/general/disallowanonymous/src.rego Outdated Show resolved Hide resolved
src/general/disallowanonymous/src.rego Outdated Show resolved Hide resolved
src/general/disallowanonymous/src_test.rego Show resolved Hide resolved
src/general/disallowanonymous/src_test.rego Show resolved Hide resolved
src/general/disallowanonymous/src.rego Outdated Show resolved Hide resolved
src/general/disallowanonymous/constraint.tmpl Show resolved Hide resolved
@julianKatz julianKatz changed the title WIP: Make k8sdisallowanonymous allow disallowing system:authenticated feat: allow preventing system:authenticated in k8sdisallowanonymous Aug 21, 2024
@julianKatz julianKatz changed the title feat: allow preventing system:authenticated in k8sdisallowanonymous feat(k8sdisallowanonymous): allow disallowing system:authenticated Aug 21, 2024
@julianKatz julianKatz force-pushed the disallow-authenticated branch 4 times, most recently from 7809cea to be4b35d Compare August 21, 2024 21:28
Copy link
Contributor

@apeabody apeabody left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the contribution @julianKatz!

Made a few suggestions, and this will still need to be reviewed by another maintainer.

src/general/disallowanonymous/constraint.tmpl Outdated Show resolved Hide resolved
review(subject) = true {
subject.name == "system:anonymous"
message(group) := val {
val := sprintf("%v is not allowed as a subject name in %v %v", [group, input.review.object.kind, input.review.object.metadata.name])
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just calling out that by including group we are slightly changing the original behavior. As it's just the message I don't think it a breaking change, but wanted to note that is some cases it will increases the number of violations as they are now group specific.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good eye!

I confirmed with Max that going from 1 to multiple violations is not a breaking change.

My thinking was that before:

  1. Someone with system:anonymous as the subject would get a message saying that Unuthenticated was the problem.

  2. Someone with a binding to both system:anonymous AND system:unauthenticated would get only a single violation. Once they fix that violation, they'd then get another violation for the other binding. This UX is confusing.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yup, agreed, and makes sense to me!

library/general/disallowanonymous/suite.yaml Outdated Show resolved Hide resolved
src/general/disallowanonymous/src.rego Outdated Show resolved Hide resolved
@apeabody
Copy link
Contributor

FYI: Probably a fresh make generate-all will resolve the CI generate error

@julianKatz julianKatz force-pushed the disallow-authenticated branch 3 times, most recently from c5c3188 to fc229d5 Compare August 21, 2024 22:24
@julianKatz julianKatz requested a review from a team August 21, 2024 22:27
Copy link
Contributor

@maxsmythe maxsmythe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@julianKatz julianKatz requested a review from a team August 21, 2024 22:48
@julianKatz julianKatz force-pushed the disallow-authenticated branch from fc229d5 to c662242 Compare August 26, 2024 21:16
Previously, the k8sdisallowanonymous would prevent bindings to the
system:anonymous and system:unauthenticated groups.

For Google Kubernetes Engine, the system:authenticated group is a
potential security threat.  This was described by Orca Security in this
blog post:

https://orca.security/resources/blog/sys-all-google-kubernetes-engine-risk/

This PR updates the k8sdisallowanonymous to prevent bindings to
`system:authenticated` if the parameters.disallowAuthenticated toggle is
set to true.  This will not break existing customers as the default
boolean value is false, leaving this functionality disabled.

Signed-off-by: juliankatz <[email protected]>
@julianKatz julianKatz force-pushed the disallow-authenticated branch from c662242 to 0025c06 Compare August 27, 2024 14:01
Copy link
Member

@sozercan sozercan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@julianKatz julianKatz merged commit 5153330 into open-policy-agent:master Aug 27, 2024
22 checks passed
@julianKatz julianKatz deleted the disallow-authenticated branch August 27, 2024 17:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Could we include system:authenticated in the set of disallowed subjects in k8sdisallowanonymous template?
4 participants