I am trying to get started with PodSecurityPolicy on a bare-metal Kubernetes 1.18.3 cluster with user management provided by Keycloak. psp/restricted should apply in namespace/restricted (both for a specific user user and the namespace's serviceaccount/default), and psp/unrestricted should apply in namespace/unrestricted. I have the basics working (admission controller PodSecurityPolicy installed, etc.), and the following resources are in place:
apiVersion: v1
kind: List
items:
- kind: Role
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: user
    namespace: restricted
  rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
- kind: RoleBinding
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: user
    namespace: restricted
  subjects:
  - kind: Group
    name: user
    apiGroup: rbac.authorization.k8s.io
  roleRef:
    kind: Role
    name: user
    apiGroup: rbac.authorization.k8s.io
- kind: PodSecurityPolicy
  apiVersion: policy/v1beta1
  metadata:
    name: restricted
  spec:
    privileged: false
    seLinux:
      rule: RunAsAny
    supplementalGroups:
      rule: RunAsAny
    runAsUser:
      rule: RunAsAny
    fsGroup:
      rule: RunAsAny
    volumes:
    - '*'
- kind: PodSecurityPolicy
  apiVersion: policy/v1beta1
  metadata:
    name: unrestricted
  spec:
    privileged: true
    hostNetwork: true
    seLinux:
      rule: RunAsAny
    supplementalGroups:
      rule: RunAsAny
    runAsUser:
      rule: RunAsAny
    fsGroup:
      rule: RunAsAny
    volumes:
    - '*'
- kind: ClusterRole
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: restricted
  rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    verbs: ["use"]
    resourceNames:
    - restricted
- kind: ClusterRole
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: unrestricted
  rules:
  - apiGroups: ["policy"]
    resources: ["podsecuritypolicies"]
    verbs: ["use"]
    resourceNames:
    - unrestricted
- kind: ClusterRoleBinding
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: restricted
  subjects:
  - kind: ServiceAccount
    name: default
    namespace: restricted
  - kind: User
    name: user
    apiGroup: rbac.authorization.k8s.io
  roleRef:
    kind: ClusterRole
    name: restricted
    apiGroup: rbac.authorization.k8s.io
- kind: ClusterRoleBinding
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: unrestricted
  subjects:
  - kind: Group
    name: system:nodes
    apiGroup: rbac.authorization.k8s.io
  - kind: ServiceAccount
    name: default
    namespace: unrestricted
  roleRef:
    kind: ClusterRole
    name: unrestricted
    apiGroup: rbac.authorization.k8s.io
In terms of use permission, everything looks as expected, e.g.:

kubectl auth can-i use podsecuritypolicy/restricted --as user --as-group=system:authenticated # yes
kubectl auth can-i use podsecuritypolicy/unrestricted --as user --as-group=system:authenticated # no

But what I observe is that while serviceaccount:restricted:default cannot create privileged pods in namespace/restricted, user user apparently still can (at a time when that user is authenticated to the cluster):
kubectl create -f - <<EOF # succeeds (as expected)
apiVersion: v1
kind: Pod
metadata:
  name: unprivileged-test-pod
  namespace: restricted
spec:
  containers:
  - name: pause
    image: k8s.gcr.io/pause
EOF

kubectl create -f - <<EOF # succeeds (unexpected)
apiVersion: v1
kind: Pod
metadata:
  name: privileged-test-pod
  namespace: restricted
spec:
  containers:
  - name: pause
    image: k8s.gcr.io/pause
    securityContext:
      privileged: true
EOF
Both created containers bear an annotation kubernetes.io/psp: unrestricted, whereas I would have expected the creation of pod/unrestricted to fail when user user is authenticated. Things work as expected with kubectl create deployment (i.e. creation of the restricted and unrestricted deployments, both indirectly by serviceaccount:default in namespace restricted, succeed and fail respectively). Somehow the user (but not the service account) appears to be bound to a too wide security policy.

What am I missing? How can I further diagnose and solve the problem (i.e. prevent both serviceaccount/default in namespace/restricted and user user from creating privileged pods in namespace/restricted)?
UPDATE: I think I have now isolated the root cause, but do not know a good solution yet. It would appear that resources: ["*"], verbs: ["*"] in role/user also grants permission to use any (cluster-wide) resource psp. This is unintended: I want role/user to permit user the "usual" activities inside namespace/restricted, not let it use each and any psp as well.
The diagnosis (see UPDATE) was correct. The solution consisted in switching from the proprietary role/user (with too encompassing permissions {apiGroups: ["*"], resources: ["*"], verbs: ["*"]}) to the Kubernetes default clusterrole/edit (which specifically excludes apiGroup: "policy", resource: "podsecuritypolicy", verb: "use").