[kube] fix greedy deny rule blocking namespace list when blocking other resources #44893
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
tigrato
force-pushed
the
tigrato/fix-kube-rbac
branch
from
1c595ee to
5642875
Compare
bl-nero
approved these changes
Aug 1, 2024
tigrato
force-pushed
the
tigrato/fix-kube-rbac
branch
from
5642875 to
0b875e1
Compare
…er resources
This PR fixes an edge case where the deny rule for blocking access to a resource becomes greedy and blocks access to the whole namespace.
eg:
```
allow:
kubernetes_labels:
'*': '*'
kubernetes_resources:
- kind: '*'
name: '*'
namespace: '*'
verbs:
- '*'
deny:
kubernetes_resources:
- kind: secret
name: '*'
namespace: '*'
verbs:
- '*'
```
With the example above, access to secrets must be blocked but the user is allowed to access every other resource in any namespace.
The previous model was greedy and blocked access to namespace list.
tigrato
force-pushed
the
tigrato/fix-kube-rbac
branch
from
0b875e1 to
37fadae
Compare
hugoShaka
approved these changes
Aug 1, 2024
public-teleport-github-review-bot
bot
removed the request for review
from fspmarshall
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
tigrato
added a commit
that referenced
this pull request
Aug 1, 2024
…er resources (#44893) * [kube] fix greedy deny rule blocking namespace list when blocking other resources This PR fixes an edge case where the deny rule for blocking access to a resource becomes greedy and blocks access to the whole namespace. eg: ``` allow: kubernetes_labels: '*': '*' kubernetes_resources: - kind: '*' name: '*' namespace: '*' verbs: - '*' deny: kubernetes_resources: - kind: secret name: '*' namespace: '*' verbs: - '*' ``` With the example above, access to secrets must be blocked but the user is allowed to access every other resource in any namespace. The previous model was greedy and blocked access to namespace list. * add extra test * handle comments
tigrato
added a commit
that referenced
this pull request
Aug 1, 2024
…er resources (#44893) * [kube] fix greedy deny rule blocking namespace list when blocking other resources This PR fixes an edge case where the deny rule for blocking access to a resource becomes greedy and blocks access to the whole namespace. eg: ``` allow: kubernetes_labels: '*': '*' kubernetes_resources: - kind: '*' name: '*' namespace: '*' verbs: - '*' deny: kubernetes_resources: - kind: secret name: '*' namespace: '*' verbs: - '*' ``` With the example above, access to secrets must be blocked but the user is allowed to access every other resource in any namespace. The previous model was greedy and blocked access to namespace list. * add extra test * handle comments
github-merge-queue bot
pushed a commit
that referenced
this pull request
Aug 1, 2024
…er resources (#44893) (#44975) * [kube] fix greedy deny rule blocking namespace list when blocking other resources This PR fixes an edge case where the deny rule for blocking access to a resource becomes greedy and blocks access to the whole namespace. eg: ``` allow: kubernetes_labels: '*': '*' kubernetes_resources: - kind: '*' name: '*' namespace: '*' verbs: - '*' deny: kubernetes_resources: - kind: secret name: '*' namespace: '*' verbs: - '*' ``` With the example above, access to secrets must be blocked but the user is allowed to access every other resource in any namespace. The previous model was greedy and blocked access to namespace list. * add extra test * handle comments
github-merge-queue bot
pushed a commit
that referenced
this pull request
Aug 1, 2024
…er resources (#44893) (#44976) * [kube] fix greedy deny rule blocking namespace list when blocking other resources This PR fixes an edge case where the deny rule for blocking access to a resource becomes greedy and blocks access to the whole namespace. eg: ``` allow: kubernetes_labels: '*': '*' kubernetes_resources: - kind: '*' name: '*' namespace: '*' verbs: - '*' deny: kubernetes_resources: - kind: secret name: '*' namespace: '*' verbs: - '*' ``` With the example above, access to secrets must be blocked but the user is allowed to access every other resource in any namespace. The previous model was greedy and blocked access to namespace list. * add extra test * handle comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR fixes an edge case where the deny rule for blocking access to a resource becomes greedy and blocks access to the whole namespace.
eg:
With the example above, access to secrets must be blocked but the user is allowed to access every other resource in any namespace. The previous model was greedy and blocked access to namespace list.
Changelog: Prevent Kubernetes per-Resource RBAC from blocking access to namespaces when denying access to a single resource kind in every namespace.