Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Question] How to match PATCH requests? #1138

Open
Da-Juan opened this issue Aug 27, 2024 · 8 comments
Open

[Question] How to match PATCH requests? #1138

Da-Juan opened this issue Aug 27, 2024 · 8 comments

Comments

@Da-Juan
Copy link

Da-Juan commented Aug 27, 2024

Hi,

I'm looking to create a validate policy to allow users to use kubectl rollout restart.
Rollout restart creates a PATCH request that sets the annotation kubectl.kubernetes.io/restartedAt on the resources.

I tried with a match on UPDATE operations but it doesn't seem to catch PATCH requests.

Do you have any idea if it is possible to create such policy?

Thanks

@realshuting
Copy link
Member

What resource are you selecting in the policy? Can you share the policy please?

@Da-Juan
Copy link
Author

Da-Juan commented Aug 30, 2024

I tried to select deployments, statefulsets and daemonsets as we allow patch only on these resources with the RBAC.

Here is the policy I tried:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-patch-to-rollout-restart
spec:
  validationFailureAction: Enforce
  background: false
  rules:
    - name: restrict-patch
      match:
        any:
          - resources:
              kinds:
                - Deployment
                - StatefulSet
                - DaemonSet
              operations:
                - UPDATE
            clusterRoles:
              - namespace-owner
      validate:
        message: "PATCH is allowed only for rollout-restarts"
        pattern:
          metadata:
            annotations:
              kubectl.kubernetes.io/restartedAt: "?*"

@realshuting
Copy link
Member

Does the policy work if you remove this?

            clusterRoles:
              - namespace-owner

@Da-Juan
Copy link
Author

Da-Juan commented Aug 30, 2024

I just tried this I can perform a rollout restart on my test deployment but I can also do a kubectl edit on the deployment and change the requests/limits for example.

Here is my test deployment manifest:

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx
        resources:
          requests:
            memory: "32Mi"
            cpu: "250m"
          limits:
            memory: "32Mi"
            cpu: "500m"

@realshuting
Copy link
Member

When you define a clusterroles in the match block it means only requests sent by the ClusterRolenamespace-owner are processed.

@Da-Juan
Copy link
Author

Da-Juan commented Aug 30, 2024

Yes, that's what I want.
I want my policy to match only namespace owners users but not other service accounts like fluxcd for example.

@realshuting
Copy link
Member

Yes, that's what I want. I want my policy to match only namespace owners users but not other service accounts like fluxcd for example.

Is your namespace owner defined by the clusterrole namespace-owner? If not, you need to specify the exact names of those clusterroles. You can also inspect the user info in admission requests by setting --dumpPayload container flag for the admission controller.

@Da-Juan
Copy link
Author

Da-Juan commented Aug 30, 2024

Yes the namespace owners are users that have a RoleBinding on the namespace-owner ClusterRole.
But this is not my problem here.

What I'm looking to do is to allow my namespace owners to use kubectl rollout restart but forbid them to use kubectl edit on the same resources.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants