DevFW-CICD/ingress-nginx-helm
12
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add OPA examples on pathType restrictions (#9992)

Browse source
This commit is contained in:
Ricardo Katz 2023-05-25 11:18:52 -03:00 committed by GitHub
parent 8d9210fd38
commit 897783557a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 132 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
docs/examples/openpolicyagent/README.md Normal file
View file

@ -0,0 +1,25 @@
# OpenPolicyAgent and pathType enforcing
Ingress API allows users to specify different [pathType](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types)
on Ingress object.
While pathType `Exact` and `Prefix` should allow only a small set of characters, pathType `ImplementationSpecific`
allows any characters, as it may contain regexes, variables and other features that may be specific of the Ingress
Controller being used.
This means that the Ingress Admins (the persona who deployed the Ingress Controller) should trust the users
allowed to use `pathType: ImplementationSpecific`, as this may allow arbitrary configuration, and this
configuration may end on the proxy (aka Nginx) configuration.
## Example
The example in this repo uses [Gatekeeper](https://open-policy-agent.github.io/gatekeeper/website/) to block the usage of `pathType: ImplementationSpecific`,
allowing just a specific list of namespaces to use it.
It is recommended that the admin modifies this rules to enforce a specific set of characters when the usage of ImplementationSpecific
is allowed, or in ways that best suits their needs.
First, the `ConstraintTemplate` from [template.yaml](template.yaml) will define a rule that validates if the Ingress object
is being created on an excempted namespace, and case not, will validate its pathType.
Then, the rule `K8sBlockIngressPathType` contained in [rule.yaml](rule.yaml) will define the parameters: what kind of
object should be verified (Ingress), what are the excempted namespaces, and what kinds of pathType are blocked.

14
docs/examples/openpolicyagent/rule.yaml Normal file
View file

@ -0,0 +1,14 @@
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockIngressPathType
metadata:
name: implspecificisblocked
spec:
match:
kinds:
- apiGroups: ["networking.k8s.io"]
kinds: ["Ingress"]
parameters:
namespacesExceptions:
- "privileged"
blockedTypes:
- "ImplementationSpecific"

40
docs/examples/openpolicyagent/template.yaml Normal file
View file

@ -0,0 +1,40 @@
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
name: k8sblockingresspathtype
annotations:
metadata.gatekeeper.sh/title: "Block a pathType usage"
description: >-
Users should not be able to use specific pathTypes
spec:
crd:
spec:
names:
kind: K8sBlockIngressPathType
validation:
openAPIV3Schema:
type: object
properties:
blockedTypes:
type: array
items:
type: string
namespacesExceptions:
type: array
items:
type: string
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package K8sBlockIngressPathType
violation[{"msg": msg}] {
input.review.kind.kind == "Ingress"
ns := input.review.object.metadata.namespace
excemptNS := [good | excempts = input.parameters.namespacesExceptions[_] ; good = excempts == ns]
not any(excemptNS)
pathType := object.get(input.review.object.spec.rules[_].http.paths[_], "pathType", "")
blockedPath := [blocked | blockedTypes = input.parameters.blockedTypes[_] ; blocked = blockedTypes == pathType]
any(blockedPath)
msg := sprintf("pathType '%v' is not allowed in this namespace", [pathType])
}

18
docs/examples/openpolicyagent/tests/should-allow-ns-except.yaml Normal file
View file

@ -0,0 +1,18 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
creationTimestamp: null
name: simple
namespace: privileged
spec:
rules:
- host: foo1.com
http:
paths:
- backend:
service:
name: svc1
port:
number: 8080
path: /bar
pathType: ImplementationSpecific

17
docs/examples/openpolicyagent/tests/should-allow.yaml Normal file
View file

@ -0,0 +1,17 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
creationTimestamp: null
name: simple
spec:
rules:
- host: foo.com
http:
paths:
- backend:
service:
name: svc1
port:
number: 8080
path: /bar
pathType: Exact

17
docs/examples/openpolicyagent/tests/should-deny.yaml Normal file
View file

@ -0,0 +1,17 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
creationTimestamp: null
name: simple
spec:
rules:
- host: foo2.com
http:
paths:
- backend:
service:
name: svc1
port:
number: 8080
path: /bar
pathType: ImplementationSpecific

1
mkdocs.yml
View file

@ -126,6 +126,7 @@ nav:
- Static IPs: "examples/static-ip/README.md" - Static IPs: "examples/static-ip/README.md"
- TLS termination: "examples/tls-termination/README.md" - TLS termination: "examples/tls-termination/README.md"
- Pod Security Policy (PSP): "examples/psp/README.md" - Pod Security Policy (PSP): "examples/psp/README.md"
- Open Policy Agent rules: "examples/openpolicyagent/README.md"
- Developer Guide: - Developer Guide:
- Getting Started: "developer-guide/getting-started.md" - Getting Started: "developer-guide/getting-started.md"
- Code Overview: "developer-guide/code-overview.md" - Code Overview: "developer-guide/code-overview.md"