extend priv'd ns protection to ns itself

Azure · Jul 6, 2023 · 5761127 · 5761127
1 parent 90db317
commit 5761127
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 0 deletions.
diff --git a/...operator/controllers/guardrails/policies/gkconstraints/aro-privileged-namespace-deny.yaml b/...operator/controllers/guardrails/policies/gkconstraints/aro-privileged-namespace-deny.yaml
@@ -14,6 +14,7 @@ spec:
         "ServiceAccount",
         "ReplicationController",
         "ResourceQuota",
+        "Namespace",
         ]
       - apiGroups: ["apps"]
         kinds: ["Deployment", "ReplicaSet", "StatefulSet", "DaemonSet"]

diff --git a/...or/controllers/guardrails/policies/gktemplates-src/aro-deny-privileged-namespace/src.rego b/...or/controllers/guardrails/policies/gktemplates-src/aro-deny-privileged-namespace/src.rego
@@ -5,9 +5,21 @@ import data.lib.common.is_exempted_account
 import data.lib.common.get_username
 
 violation[{"msg": msg}] {
+  is_namespace(input.review)
+  ns := input.review.name
+  is_priv_namespace(ns)
+  not is_exempted_account(input.review)
+  username := get_username(input.review)
+  msg := sprintf("user %v not allowed to operate namespace %v", [username, ns])
+} {
+  not is_namespace(input.review)
   ns := input.review.object.metadata.namespace
   is_priv_namespace(ns)
   not is_exempted_account(input.review)
   username := get_username(input.review)
   msg := sprintf("user %v not allowed to operate in namespace %v", [username, ns])
 }
+
+is_namespace(review) {
+  review.kind.kind == "Namespace"
+}
diff --git a/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-privileged-namespace.yaml b/pkg/operator/controllers/guardrails/policies/gktemplates/aro-deny-privileged-namespace.yaml
@@ -28,12 +28,24 @@ spec:
         import data.lib.common.get_username
 
         violation[{"msg": msg}] {
+          is_namespace(input.review)
+          ns := input.review.name
+          is_priv_namespace(ns)
+          not is_exempted_account(input.review)
+          username := get_username(input.review)
+          msg := sprintf("user %v not allowed to operate namespace %v", [username, ns])
+        } {
+          not is_namespace(input.review)
           ns := input.review.object.metadata.namespace
           is_priv_namespace(ns)
           not is_exempted_account(input.review)
           username := get_username(input.review)
           msg := sprintf("user %v not allowed to operate in namespace %v", [username, ns])
         }
+
+        is_namespace(review) {
+          review.kind.kind == "Namespace"
+        }
       libs:
         - |
           package lib.common