
I want to set up a Kubernetes cluster where every user can do anything with the following exceptions:

  • Deny everything not allowed in "Baseline" Pod Security Standard (PSA)
  • No access to the kube-system namespace (disallow creating/updating/deleting pods in kube-system, disallow deletion of the kube-system namespace, etc.) because in the kube-system namespace pods need to be running in privileged mode

To achieve this I created a PSA config where I excluded the kube-system namespace. I also assigned the cluster-admin clusterrole with a clusterrolebinding to all users.

I deployed OPA Gatekeeper and created a constraint template like:

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: denyrestrictednamespaceaccess
spec:
  crd:
    spec:
      names:
        kind: DenyRestrictedNamespaceAccess
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package DenyNamespace

        # Deny every request in a matched namespace unless it comes from a
        # "system:" principal (controllers, kubelets, service accounts).
        # Note: input.review.object is absent on DELETE requests (oldObject
        # is populated instead), so this reference is undefined there.
        violation[{"msg": msg}] {
          not startswith(input.review.userInfo.username, "system:")
          msg := sprintf("you cant use namespace: %v", [input.review.object.metadata.namespace])
        }

and then created a constraint like:

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: DenyRestrictedNamespaceAccess
metadata:
  name: denyrestrictednamespaceaccess
spec:
  match:
    namespaces:
      - kube-system
      - gatekeeper-system # tried also this

This works quite well but one problem remains: a user would have full access to the gatekeeper-system namespace and can just delete the gatekeeper pods or the complete gatekeeper-system namespace, which would then allow access to kube-system.

If I include gatekeeper-system in the denyrestrictednamespaceaccess constraint it does not help because Gatekeeper exempts gatekeeper-system by default.

My question is:

  • How can I achieve my goals outlined above?
  • Would it be OK to start Gatekeeper without the --exempt-namespace=gatekeeper-system flag and include it in the denyrestrictednamespaceaccess constraint?

(I also tried to limit access via RBAC, but because of its additive character it appears impossible to reach my goals with pure RBAC.)
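As an added illustration (not part of the question, and not Gatekeeper code), the following Python models the decision logic of the Rego rule above beside a hardened variant, and runs both over constructed AdmissionReview requests. It assumes the admission.k8s.io/v1 request shape (`operation`, `userInfo`, `namespace`, `object`, `oldObject`), folds the constraint's `match.namespaces` into the check, and does not model Gatekeeper's own exempt-namespace list. The point it makes is that `input.review.object.metadata.namespace` is undefined for DELETE requests and for the cluster-scoped Namespace object itself, so the rule as posted produces no violation for exactly the deletions the question wants to block; the hardened lookup falls back to `request.namespace`, `oldObject`, and `metadata.name`.

```python
"""Replica of the question's Rego decision logic next to a hardened version,
evaluated over constructed AdmissionReview requests (sample data, not captured)."""
from typing import List, Optional

RESTRICTED_NAMESPACES = {"kube-system", "gatekeeper-system"}  # the constraint's match.namespaces
EXEMPT_USER_PREFIX = "system:"                                # the Rego's startswith() check


def namespace_as_posted(review: dict) -> Optional[str]:
    """Mirror of input.review.object.metadata.namespace. Undefined (None) when
    object is absent (DELETE carries oldObject instead) or the object is
    cluster-scoped, such as a Namespace."""
    metadata = (review.get("object") or {}).get("metadata") or {}
    return metadata.get("namespace")


def violations_as_posted(review: dict) -> List[str]:
    """Decision logic of the ConstraintTemplate as written in the question."""
    if review["userInfo"]["username"].startswith(EXEMPT_USER_PREFIX):
        return []
    ns = namespace_as_posted(review)
    # In Rego an undefined reference makes the whole rule body undefined, so
    # no violation is emitted: this is the gap the hardened version closes.
    if ns is None or ns not in RESTRICTED_NAMESPACES:
        return []
    return [f"you cant use namespace: {ns}"]


def effective_namespace(review: dict) -> Optional[str]:
    """Hardened lookup (assumed admission.k8s.io/v1 field names): prefer
    request.namespace, then oldObject on DELETE, then metadata.name when the
    object itself is a Namespace."""
    if review.get("namespace"):
        return review["namespace"]
    for key in ("object", "oldObject"):
        obj = review.get(key) or {}
        metadata = obj.get("metadata") or {}
        if obj.get("kind") == "Namespace" and metadata.get("name"):
            return metadata["name"]
        if metadata.get("namespace"):
            return metadata["namespace"]
    return None


def violations_hardened(review: dict) -> List[str]:
    """Same policy, but resolves the namespace robustly for every operation."""
    if review["userInfo"]["username"].startswith(EXEMPT_USER_PREFIX):
        return []
    ns = effective_namespace(review)
    if ns is None or ns not in RESTRICTED_NAMESPACES:
        return []
    return [f"{review['operation']} by {review['userInfo']['username']} "
            f"is not allowed in restricted namespace {ns}"]


def _review(operation, user, kind, name, namespace, *, deleted=False):
    """Build a constructed AdmissionRequest-shaped dict for the samples below."""
    obj = {"kind": kind, "metadata": {"name": name}}
    if namespace:
        obj["metadata"]["namespace"] = namespace
    return {
        "operation": operation,
        "userInfo": {"username": user},
        "namespace": namespace,  # empty for cluster-scoped objects
        "object": None if deleted else obj,
        "oldObject": obj if deleted else None,
    }


SAMPLE_REVIEWS = {
    "create-pod-kube-system": _review("CREATE", "alice", "Pod", "web", "kube-system"),
    "create-pod-default": _review("CREATE", "alice", "Pod", "web", "default"),
    "delete-pod-kube-system": _review("DELETE", "alice", "Pod", "coredns-x", "kube-system", deleted=True),
    "delete-namespace-kube-system": _review("DELETE", "alice", "Namespace", "kube-system", "", deleted=True),
    "system-user-kube-system": _review("CREATE", "system:serviceaccount:kube-system:default", "Pod", "p", "kube-system"),
}


def compare(reviews=SAMPLE_REVIEWS):
    """Return {sample name: (denied by posted rule, denied by hardened rule)}."""
    return {name: (bool(violations_as_posted(r)), bool(violations_hardened(r)))
            for name, r in reviews.items()}


if __name__ == "__main__":
    for name, (posted, hardened) in compare().items():
        print(f"{name:30s} posted={posted!s:5s} hardened={hardened}")
```

Running it shows the two DELETE samples denied only by the hardened variant; the CREATE in kube-system is denied by both, and the `system:` service account and the `default` namespace pass both. Whatever the final Gatekeeper design, the policy should be exercised with DELETE requests and with the Namespace object itself, not only with pod creations.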
