How to restrict pod forwarding to tiller using rego

[subravi92]

Hello, I am trying to restrict port forwarding to the tiller. I am not able to match subresource. for some reason, it is not working. tried in 2 ways.. any pointers would be helpful.

package kubernetes.admission
kind = {"Deployment","Pod","Service"}
deny[reason] {
    kind[input.request.kind.kind]
    input.request.subresource == "port-forward"
    name := input.request.object.metadata.name
    startswith(name,"tiller")
    reason := sprintf("You are not allowed to port-forward to tiller from %v namespace",[input.request.namespace]) 
}
package kubernetes.admission

deny[reason] {
    input.request.kind.kind == "PodPortForwardOptions"
    input.request.resource.resource == "pods"
    input.request.subResource == "portforward"
    name := input.request.object.metadata.name
    startswith(name,"tiller")
    reason := sprintf("You are not allowed to port-forward to tiller from %v namespace",[input.request.namespace])
}

[anderseknert]

Hi @subravi92 👋

The second deny rule is almost there. However, it doesn't look like the metadata from the pod is carried into the PodPortForwardOptions admission review, so your rule fails at this line:

name := input.request.object.metadata.name

The name of the pod seems to be reflected in input.request.name though, so you could use that instead:

enforce[reason] {
    input.request.kind.kind == "PodPortForwardOptions"
    input.request.resource.resource == "pods"
    input.request.subResource == "portforward"
    name := input.request.name
    startswith(name, "tiller")
    reason := sprintf("You are not allowed to port-forward to tiller from %v namespace", [input.request.namespace])
}

I can recommend enabling the decision logging capabilities of OPA when you debug things like this, as it will allow you to see the full admission review object sent from the kubernetes API server.

[jsarkar]

Do you mind to also post the version of opa?
mine is kube-mgmt :3.0.0 and opa:0.32.0
I have included all resources in the webhook. But still the same policy is not working for me

      service:
        name: opa
        namespace: opa
        port: 443
    failurePolicy: Ignore
    matchPolicy: Equivalent
    name: webhook.openpolicyagent.org
    namespaceSelector:
      matchExpressions:
      - key: openpolicyagent.org/webhook
        operator: NotIn
        values:
        - ignore
    objectSelector: {}
    rules:
    - apiGroups:
      - '*'
      apiVersions:
      - '*'
      operations:
      - '*'
      resources:
      - '*'
      scope: '*'
    sideEffects: None
    timeoutSeconds: 10
    ```

[anderseknert]

I know it's not intuitive, but * does not include all resources (i.e. no subresources). See the Kubernetes docs on how to include those. If you just want to try everything you could use */*, then you could try to scope it down to pods/* once you have something working.

[jsarkar]

sorry...that's my mistake while copy/pest. The validation webhook config look like this:

rules:
  - apiGroups:
    - '*'
    apiVersions:
    - '*'
    operations:
    - CREATE
    - UPDATE
    - DELETE
    resources:
    - '*/*'

is it could be opa/kube-mgmt version? I have tested with latest opa/kube-mgmt and old. Both are not working for me.I don't even see the subresource shows up in opa log.

Here are 2 version details, which I have tried:
kube-mgmt:0.10
opa:0.23.2-rootless
and
kube-mgmt :3.0.0
opa:0.32.0

[anderseknert]

OPA or kube-mgmt version won't matter - If you can't see the admission review object sent from the API server, it must be a misconfiguration in the validating webhook configuration. No version of OPA will be able to send a decision without being asked to ;) You'll need to allow CONNECT operations as well...

[jsarkar]

That's exactly we figured. We were missing CONNECT operation in webhook.