-
Notifications
You must be signed in to change notification settings - Fork 70
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Added rule to identify principals that have OPA Gatekeeper admin priv…
…ileges. (#42) Co-authored-by: Gadi Naor <[email protected]>
- Loading branch information
1 parent
45249fd
commit fb1e18c
Showing
2 changed files
with
47 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -16,6 +16,15 @@ GlobalExclusions: | |
| Expression: | | ||
| has(subject.name) && subject.name.startsWith('system:') | ||
| LastModified: "2021-09-22T15:25:01+03:00" | ||
| - AddedBy: [email protected] | ||
| Comment: "Exclude gatekeeper-system/gatekeeper-admin from analysis" | ||
| Disabled: false | ||
| Expression: | | ||
| has(subject.namespace) && (subject.namespace == "gatekeeper-system") && | ||
| has(subject.name) && (subject.name == "gatekeeper-admin") | ||
| LastModified: "2021-09-22T15:25:01+03:00" | ||
| ValidBefore: 0 | ||
|
|
||
| # Analysis Rules | ||
| Rules: | ||
| - Name: Secret Readers | ||
|
|
@@ -250,4 +259,39 @@ Rules: | |
| ) | ||
| ) | ||
| ) | ||
| Exclusions: [] | ||
| Exclusions: [] | ||
|
|
||
| - Name: Open Policy Agent (OPA) GateKeeper Administration | ||
| Description: Capture principals that have adminsitrative priviliges and can manage OPA GateKeeper shared resources resources | ||
| Severity: HIGH | ||
| Uuid: 9d3d62c2-81a5-439a-bc51-9b74f8124822 | ||
| Recommendation: | | ||
| "Review the policy rules for \'" + (has(subject.namespace) ? subject.namespace +"/" : "") + subject.name + "\' ("+ subject.kind +") by running \'rbac-tool policy-rules -e " + subject.name +"\'.\n" + | ||
| "You can visualize the RBAC policy by running \'rbac-tool viz --include-subjects=" + subject.name +"\'" | ||
| References: | ||
| - https://open-policy-agent.github.io/gatekeeper/website/docs/constrainttemplates | ||
| - https://open-policy-agent.github.io/gatekeeper/website/docs/mutation | ||
|
|
||
| # Analysis expressions are evaluated with array of SubjectPermissions object - see https://github.com/alcideio/rbac-tool/blob/master/pkg/rbac/subject_permissions.go#L11 | ||
| # Expression syntax can be found here: https://github.com/google/cel-spec/blob/master/doc/intro.md | ||
| # In the expression when evaluating rule.resource - use plural form (secrets not secret) | ||
| AnalysisExpr: | | ||
| subjects.filter( | ||
| subject, subject.allowedTo.exists( | ||
| rule, | ||
| (has(rule.verb) && rule.verb in ['create', 'update', 'patch', 'delete', '*']) && | ||
| ( | ||
| has(rule.resource) && rule.resource in ['constrainttemplates', '*'] && | ||
| has(rule.apiGroup) && rule.apiGroup in ['templates.gatekeeper.sh','*'] | ||
| ) || | ||
| ( | ||
| has(rule.resource) && rule.resource in ['assign', 'assignmetadata', '*'] && | ||
| has(rule.apiGroup) && rule.apiGroup in ['mutations.gatekeeper.sh','*'] | ||
| ) || | ||
| ( | ||
| has(rule.resource) && rule.resource in ['configs', '*'] && | ||
| has(rule.apiGroup) && rule.apiGroup in ['config.gatekeeper.sh','*'] | ||
| ) | ||
| ) | ||
| ) | ||
| Exclusions: [] # gatekeeper-system/gatekeeper-admin excluded in global exceptions | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters