From de9e6955b7bbe25ccc6765d47933ab6f7d161880 Mon Sep 17 00:00:00 2001
From: Michael Kotelnikov <36506417+michaelkotelnikov@users.noreply.github.com>
Date: Thu, 28 Oct 2021 14:50:30 +0300
Subject: [PATCH] Fix disallow anonymous users policy (#133)
* Added empty-dir policy for RHACM
* Added fix to anonymous policy
---
 open-policy-agent/README.md | 2 +-
 .../disallow-anonymous-users/README.md | 4 ++--
 .../disallow-anonymous-users/constraint.yaml | 4 +++-
 .../disallow-anonymous-users/template.yaml | 7 ++-----
 .../gatekeeper-disallow-anonymous-auth/README.md | 4 ++--
 .../gatekeeper-disallow-anonymous-auth.yaml | 8 ++++----
 6 files changed, 14 insertions(+), 15 deletions(-)
diff --git a/open-policy-agent/README.md b/open-policy-agent/README.md
index 34a5086..04d3f5f 100644
--- a/open-policy-agent/README.md
+++ b/open-policy-agent/README.md
@@ -21,7 +21,7 @@ Policy | Description | Prerequisites
 [delete-kubeadmin](./authentication-user-management/delete-kubeadmin) | Validates the removal of the kubeadmin temporary user |
 [shorten-tokens](./authentication-user-management/shorten-tokens) | Validate that tokens are shorter than the defined lifespan period |
 [oauth-secured-identity-providers-only](./authentication-user-management/oauth-secured-identity-providers-only) | Ensures that only secured identityProviders are allowed in the cluster |
-[disallow-anonymous-users](./authentication/disallow-anonymous-users) | Ensures there are no anonymous users associated with any ClusterRole |
+[disallow-anonymous-users](./authentication/disallow-anonymous-users) | Ensures there are no anonymous users associated with any ClusterRole / Role |
 ### Authorization
 Policy | Description | Prerequisites
diff --git a/open-policy-agent/authentication-user-management/disallow-anonymous-users/README.md b/open-policy-agent/authentication-user-management/disallow-anonymous-users/README.md
index a5e0ee5..0af6a9d 100644
--- a/open-policy-agent/authentication-user-management/disallow-anonymous-users/README.md
+++ b/open-policy-agent/authentication-user-management/disallow-anonymous-users/README.md
@@ -1,8 +1,8 @@
 # Disallow Anonymous Authentication
-The policy disallows associating the `system:anonymous` User and `system:unauthenticated` Group with any ClusterRole in the cluster.
+The policy disallows associating the `system:anonymous` User and `system:unauthenticated` Group with any ClusterRole / Role in the cluster.
-Associating unauthenticated users with ClusterRoles in the cluster may open a doorway for potential attacks. The unauthenticated users are not provided via an authorized identity provider, thereby, not secure.
+Associating unauthenticated users with ClusterRoles / Roles in the cluster may open a doorway for potential attacks. The unauthenticated users are not provided via an authorized identity provider, thereby, not secure.
 `This policy has been tested on openshift cluster & oc client version 4.8.4`
diff --git a/open-policy-agent/authentication-user-management/disallow-anonymous-users/constraint.yaml b/open-policy-agent/authentication-user-management/disallow-anonymous-users/constraint.yaml
index ba1e308..168cbf5 100644
--- a/open-policy-agent/authentication-user-management/disallow-anonymous-users/constraint.yaml
+++ b/open-policy-agent/authentication-user-management/disallow-anonymous-users/constraint.yaml
@@ -7,4 +7,6 @@ spec:
 match:
 kinds:
 - apiGroups: ["rbac.authorization.k8s.io"]
- kinds: ["ClusterRoleBinding"]
\ No newline at end of file
+ kinds: ["ClusterRoleBinding"]
+ - apiGroups: ["rbac.authorization.k8s.io"]
+ kinds: ["RoleBinding"]
\ No newline at end of file
diff --git a/open-policy-agent/authentication-user-management/disallow-anonymous-users/template.yaml b/open-policy-agent/authentication-user-management/disallow-anonymous-users/template.yaml
index ddf0d27..e9e1c41 100644
--- a/open-policy-agent/authentication-user-management/disallow-anonymous-users/template.yaml +++ b/open-policy-agent/authentication-user-management/disallow-anonymous-users/template.yaml @@ -14,15 +14,12 @@ spec: rego: | package k8sdisallowanonymous violation[{"msg": msg}] { - input.review.object.kind == "ClusterRoleBinding" review(input.review.object.subjects[_]) - msg := sprintf("Unauthenticated user is not allowed in ClusterRoleBinding %v ", [input.review.object.metadata.name]) + msg := sprintf("Unauthenticated user reference is not allowed in %v %v ", [input.review.object.kind, input.review.object.metadata.name]) } - review(subject) = true { subject.name == "system:unauthenticated" } - review(subject) = true { subject.name == "system:anonymous" - } \ No newline at end of file + } \ No newline at end of file diff --git a/redhat-acm/authentication-user-management/gatekeeper-disallow-anonymous-auth/README.md b/redhat-acm/authentication-user-management/gatekeeper-disallow-anonymous-auth/README.md index d64347a..8397e4d 100644 --- a/redhat-acm/authentication-user-management/gatekeeper-disallow-anonymous-auth/README.md +++ b/redhat-acm/authentication-user-management/gatekeeper-disallow-anonymous-auth/README.md 
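Review bot: The new `msg` on the `+` line identifies the offending object by kind and name only, so now that RoleBinding is in scope a violation from a namespaced binding cannot be traced to its namespace without a second lookup; the same line is introduced again in the `@@ -38,9 +37,8 @@` hunk of gatekeeper-disallow-anonymous-auth.yaml. Reading `input.review.object.metadata.namespace` directly would leave the rule body undefined for a ClusterRoleBinding, which carries no namespace, so a default is needed: `msg := sprintf("Unauthenticated user reference is not allowed in %v %v/%v", [input.review.object.kind, object.get(input.review.object.metadata, "namespace", ""), input.review.object.metadata.name])`. The trailing space inside the format string on the `+` line also looks unintended. The `violation` rule is fully contained in this hunk.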
@@ -1,7 +1,7 @@
 # Disallow Anonymous Authentication
-The policy disallows associating the `system:anonymous` User and `system:unauthenticated` Group with any ClusterRole in the cluster.
+The policy disallows associating the `system:anonymous` User and `system:unauthenticated` Group with any ClusterRole / Role in the cluster.
-Associating unauthenticated users with ClusterRoles in the cluster may open a doorway for potential attacks. The unauthenticated users are not provided via an authorized identity provider, thereby, not secure.
+Associating unauthenticated users with ClusterRoles / Roles in the cluster may open a doorway for potential attacks. The unauthenticated users are not provided via an authorized identity provider, thereby, not secure.
 The policy uses the next [Gatekeeper policy](../../../open-policy-agent/authentication-user-management/disallow-anonymous-users/) in order to function.
diff --git a/redhat-acm/authentication-user-management/gatekeeper-disallow-anonymous-auth/gatekeeper-disallow-anonymous-auth.yaml b/redhat-acm/authentication-user-management/gatekeeper-disallow-anonymous-auth/gatekeeper-disallow-anonymous-auth.yaml
index 0af8ce9..f7fac21 100644
--- a/redhat-acm/authentication-user-management/gatekeeper-disallow-anonymous-auth/gatekeeper-disallow-anonymous-auth.yaml
+++ b/redhat-acm/authentication-user-management/gatekeeper-disallow-anonymous-auth/gatekeeper-disallow-anonymous-auth.yaml
@@ -1,4 +1,3 @@
----
 apiVersion: policy.open-cluster-management.io/v1
 kind: Policy
 metadata:
@@ -38,9 +37,8 @@ spec:
 rego: |
 package k8sdisallowanonymous
 violation[{"msg": msg}] {
- input.review.object.kind == "ClusterRoleBinding"
 review(input.review.object.subjects[_])
- msg := sprintf("Unauthenticated user is not allowed in ClusterRoleBinding %v ", [input.review.object.metadata.name])
+ msg := sprintf("Unauthenticated user reference is not allowed in %v %v ", [input.review.object.kind, input.review.object.metadata.name])
 }
 review(subject) = true { 
@@ -62,6 +60,8 @@ spec:
 kinds:
 - apiGroups: ["rbac.authorization.k8s.io"]
 kinds: ["ClusterRoleBinding"]
+ - apiGroups: ["rbac.authorization.k8s.io"]
+ kinds: ["RoleBinding"]
 - objectDefinition:
 apiVersion: policy.open-cluster-management.io/v1
 kind: ConfigurationPolicy
@@ -123,4 +123,4 @@ spec:
 type: ManagedClusterConditionAvailable
 clusterSelector:
 matchExpressions:
- - { key: environment, operator: In, values: ["dev"] }
+ - { key: environment, operator: In, values: ["dev"] }
\ No newline at end of file
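Review bot: The `kinds` entry added on the `+` lines is a second, hand-maintained copy of the match block changed in the `@@ -7,4 +7,6 @@` hunk of open-policy-agent/authentication-user-management/disallow-anonymous-users/constraint.yaml, and the embedded rego above it is likewise a copy of template.yaml; the two stay in step only because this commit edits every copy. A one-line comment beside the embedded template and constraint, `# Kept in sync by hand with open-policy-agent/authentication-user-management/disallow-anonymous-users/`, would tell the next editor that both copies must change together. The enclosing objectDefinition starts outside the hunk.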