diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/aro-deny-machine-config.tmpl b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/aro-deny-machine-config.tmpl
index 9738a57e5c7..cb395d258c2 100644
--- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/aro-deny-machine-config.tmpl
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/aro-deny-machine-config.tmpl
@@ -15,3 +15,6 @@ spec:
 - target: admission.k8s.gatekeeper.sh
 rego: |
 {{ file.Read "gktemplates-src/aro-deny-machine-config/src.rego" | strings.Indent 8 | strings.TrimSuffix "\n" }}
+ libs:
+ - |
+{{ file.Read "gktemplates-src/library/common.rego" | strings.Indent 10 | strings.TrimSuffix "\n" }}
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/src.rego b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/src.rego
index a7050912944..03e281bf0d9 100644
--- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/src.rego
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/src.rego
@@ -1,8 +1,14 @@
 package arodenymachineconfig
 import future.keywords.in
+import data.lib.common.is_exempted_account
 
 violation[{"msg": msg}] {
 input.review.operation in ["CREATE", "UPDATE", "DELETE"]
+
+ # Check if it is a regular user
+ not is_exempted_account(input.review)
+
+ # Check if the object name matches the regex for generated machine configs
 name := input.review.object.metadata.name
 regex.match("^.+(-master|-worker|-master-.+|-worker-.+|-kubelet|-container-runtime|-aro-.+|-ssh|-generated-.+)$", name)
 msg := "Modify cluster machine config is not allowed"
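Review bot: With `not is_exempted_account(input.review)` now gating this violation, the rule fails open on a malformed review: the `lib.common` bundled into gktemplates/aro-deny-machine-config.yaml by this commit defines `is_exempted_account` as true not only for exempted identities but also when `review.userInfo` or `review.userInfo.username` is absent, so such a review is never denied. Admission reviews normally carry `userInfo`, but an allow-by-default exemption is worth stating at the call site, e.g. `# NOTE: is_exempted_account is also true when userInfo/username is missing (fail-open); see lib.common`. That library also exempts the entire `system:serviceaccounts` group (its own comment asks `# to allow all system service account?`), which means any service account holding RBAC on MachineConfigs bypasses this guardrail; narrowing to the operator service accounts that actually need it, or recording why the broad group is intended, would keep the policy's scope explicit. The library's `get_username` additionally calls `print(name)` on every evaluation, which looks like leftover debugging now that it ships in the template. The same guard is added in aro-deny-master-toleration-taints/src.rego on the next diff line.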
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/src_test.rego b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/src_test.rego
index 83b30b6c645..0f4baec4f2b 100644
--- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/src_test.rego
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-machine-config/src_test.rego
@@ -52,6 +52,9 @@ fake_machine_config_input_review(name, operation) = review {
 "metadata": {
 "name": name
 }
+ },
+ "userInfo":{
+ "username":"testuser"
 }
 }
 }
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-master-toleration-taints/src.rego b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-master-toleration-taints/src.rego
index 6de2ba0d245..c1b19e91c6b 100644
--- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-master-toleration-taints/src.rego
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-master-toleration-taints/src.rego
@@ -3,6 +3,7 @@ package arodenymastertolerationtaints
 import future.keywords.in
 import future.keywords.contains
 import data.lib.common.is_priv_namespace
+import data.lib.common.is_exempted_account
 
 violation[{"msg": msg}] {
 # Check if the input namespace is a non-privileged namespace
@@ -12,6 +13,9 @@ violation[{"msg": msg}] {
 # Check if the input operation is CREATE or UPDATE
 input.review.operation in ["CREATE", "UPDATE"]
 
+ # Check if it is a regular user
+ not is_exempted_account(input.review)
+
 # Check if pod object has master toleration taints
 tolerations := input.review.object.spec.tolerations
 some toleration in tolerations
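Review bot: The `fake_machine_config_input_review` fixture now sets `userInfo.username` to `"testuser"` with no `groups`, so every test built on it can only reach the non-exempt branch of the new `is_exempted_account` guard; nothing in this diff asserts that an exempted identity (for example a review whose `userInfo.groups` contains `system:masters`, or one with no `userInfo` at all) produces zero violations. Because the exemption is what now lets privileged callers through, it deserves a pinned test so a later edit to `exempted_user`/`exempted_groups` cannot silently widen or break it; a `userInfo` parameter on the fixture, or a second fixture with `"groups": ["system:masters"]`, would cover it. The same gap applies to the aro-deny-master-toleration-taints src_test.rego hunk on the following diff line.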
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-master-toleration-taints/src_test.rego b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-master-toleration-taints/src_test.rego
index e278ee46d6e..109cad65616 100644
--- a/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-master-toleration-taints/src_test.rego
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates-src/aro-deny-master-toleration-taints/src_test.rego
@@ -64,7 +64,9 @@ fake_input_review(namespace, operation, taint_key_one, taint_key_two) = review {
 }
 ]
 }
- }
-
+ },
+ "userInfo":{
+ "username":"testuser"
+ }
 }
 }
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-machine-config.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-machine-config.yaml
index 1d8b84e8cbc..42b4b1692e3 100644
--- a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-machine-config.yaml
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-machine-config.yaml
@@ -16,10 +16,160 @@ spec:
 rego: |
 package arodenymachineconfig
 import future.keywords.in
+ import data.lib.common.is_exempted_account
 
 violation[{"msg": msg}] {
 input.review.operation in ["CREATE", "UPDATE", "DELETE"]
+
+ # Check if it is a regular user
+ not is_exempted_account(input.review)
+
+ # Check if the object name matches the regex for generated machine configs
 name := input.review.object.metadata.name
 regex.match("^.+(-master|-worker|-master-.+|-worker-.+|-kubelet|-container-runtime|-aro-.+|-ssh|-generated-.+)$", name)
 msg := "Modify cluster machine config is not allowed"
 }
+ libs:
+ - |
+ package lib.common
+ import future.keywords.in
+
+ # shared structures, functions, etc.
+
+ is_exempted_account(review) = true {
+ has_field(review, "userInfo")
+ has_field(review.userInfo, "username")
+ username := get_username(review)
+ groups := get_user_group(review)
+ is_exempted_user_or_groups(username, groups)
+ } {
+ not has_field(review, "userInfo")
+ } {
+ has_field(review, "userInfo")
+ not has_field(review.userInfo, "username")
+ }
+
+ get_username(review) = name {
+ not has_field(review.userInfo, "username")
+ name = "notfound"
+ } {
+ has_field(review.userInfo, "username")
+ name = review.userInfo.username
+ print(name)
+ }
+
+ get_user_group(review) = group {
+ not review.userInfo
+ group = []
+ } {
+ not review.userInfo.groups
+ group = []
+ } {
+ group = review.userInfo.groups
+ }
+
+ is_exempted_user_or_groups(user, groups) = true {
+ exempted_user[user]
+ print("exempted user:", user)
+ } {
+ group := [ g | g := groups[_]; (g in cast_set(exempted_groups)) ]
+ count(group) > 0
+ print("exempted group:", group)
+ }
+
+ has_field(object, field) = true {
+ object[field]
+ }
+
+ is_exempted_user(user) = true {
+ exempted_user[user]
+ }
+
+ is_priv_namespace(ns) = true {
+ privileged_ns[ns]
+ }
+
+ exempted_user = {
+ "system:kube-controller-manager",
+ "system:admin" # comment out temporarily for testing in console
+ }
+
+ exempted_groups = {
+ #
"system:cluster-admins", # dont allow kube:admin
+ "system:nodes", # eg, "username": "system:node:jeff-test-cluster-pcnp4-master-2"
+ "system:serviceaccounts", # to allow all system service account?
+ # "system:serviceaccounts:openshift-monitoring", # monitoring operator
+ # "system:serviceaccounts:openshift-network-operator", # network operator
+ # "system:serviceaccounts:openshift-machine-config-operator", # machine-config-operator, however the request provide correct sa name
+ "system:masters" # system:admin
+ }
+
+ privileged_ns = {
+ # Kubernetes specific namespaces
+ "kube-node-lease",
+ "kube-public",
+ "kube-system",
+
+ # ARO specific namespaces
+ "openshift-azure-logging",
+ "openshift-azure-operator",
+ "openshift-managed-upgrade-operator",
+ "openshift-azure-guardrails",
+
+ # OCP namespaces
+ "openshift",
+ "openshift-apiserver",
+ "openshift-apiserver-operator",
+ "openshift-authentication-operator",
+ "openshift-cloud-controller-manager",
+ "openshift-cloud-controller-manager-operator",
+ "openshift-cloud-credential-operator",
+ "openshift-cluster-csi-drivers",
+ "openshift-cluster-machine-approver",
+ "openshift-cluster-node-tuning-operator",
+ "openshift-cluster-samples-operator",
+ "openshift-cluster-storage-operator",
+ "openshift-cluster-version",
+ "openshift-config",
+ "openshift-config-managed",
+ "openshift-config-operator",
+ "openshift-console",
+ "openshift-console-operator",
+ "openshift-console-user-settings",
+ "openshift-controller-manager",
+ "openshift-controller-manager-operator",
+ "openshift-dns",
+ "openshift-dns-operator",
+ "openshift-etcd",
+ "openshift-etcd-operator",
+ "openshift-host-network",
+ "openshift-image-registry",
+ "openshift-ingress",
+ "openshift-ingress-canary",
+ "openshift-ingress-operator",
+ "openshift-insights",
+ "openshift-kni-infra",
+ "openshift-kube-apiserver",
+ "openshift-kube-apiserver-operator",
+ "openshift-kube-controller-manager",
+ "openshift-kube-controller-manager-operator",
+
"openshift-kube-scheduler",
+ "openshift-kube-scheduler-operator",
+ "openshift-kube-storage-version-migrator",
+ "openshift-kube-storage-version-migrator-operator",
+ "openshift-machine-api",
+ "openshift-machine-config-operator",
+ "openshift-marketplace",
+ "openshift-monitoring",
+ "openshift-multus",
+ "openshift-network-diagnostics",
+ "openshift-network-operator",
+ "openshift-oauth-apiserver",
+ "openshift-openstack-infra",
+ "openshift-operators",
+ "openshift-operator-lifecycle-manager",
+ "openshift-ovirt-infra",
+ "openshift-sdn",
+ "openshift-service-ca",
+ "openshift-service-ca-operator"
+ }
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-master-toleration-taints.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-master-toleration-taints.yaml
index 50acae29296..07878e33953 100644
--- a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-master-toleration-taints.yaml
+++ b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-master-toleration-taints.yaml
@@ -19,6 +19,7 @@ spec:
 import future.keywords.in
 import future.keywords.contains
 import data.lib.common.is_priv_namespace
+ import data.lib.common.is_exempted_account
 
 violation[{"msg": msg}] {
 # Check if the input namespace is a non-privileged namespace
@@ -28,6 +29,9 @@ spec:
 # Check if the input operation is CREATE or UPDATE
 input.review.operation in ["CREATE", "UPDATE"]
 
+ # Check if it is a regular user
+ not is_exempted_account(input.review)
+
 # Check if pod object has master toleration taints
 tolerations := input.review.object.spec.tolerations
 some toleration in tolerations