-
Notifications
You must be signed in to change notification settings - Fork 12
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Refactor Non-Employee RBAC Model #1335
Comments
Collin End to End TestingTesting Steps
Deny SAS pod created through If a user circumvents the UI and tries to e.g. create a pod resource by running A non-exception user was added to the namespace Test case apiVersion: apps/v1
kind: Deployment
metadata:
name: test-create-sas-pod
namespace: aaw-fc
labels:
app: sas
spec:
replicas: 1
selector:
matchLabels:
app: sas
template:
metadata:
labels:
app: sas
spec:
containers:
- name: sas
image: k8scc01covidacr.azurecr.io/sas:latest
Conditions:
Type Status Reason
---- ------ ------
ReplicaFailure True FailedCreate
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning FailedCreate 3s (x2 over 16s) replicaset-controller Error creating: admission webhook "validation.gatekeeper.sh" denied the request: [denyemployeeonlyfeatures] Pod has state.aaw.statcan.gc.ca/exists-non-sas-notebook-user=true and container uses a SAS image k8scc01covidacr.azurecr.io/sas:latest Try and add rolebinding manually with If a user circumvents the web UI and tries to create an invalid rolebinding manually with Test Case The namespace I try to add the following rolebinding manually: apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: invalid-rb
namespace: aaw-fc
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kubeflow-edit
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: bob.doe@externalemployee.ca The following error is returned: Error from server ([denyexternalusers] Profile aaw-fc has state.aaw.statcan.gc.ca/has-sas-notebook-feature=true): error when creating "test-rb.yaml": admission webhook "validation.gatekeeper.sh" denied the request: [denyexternalusers] Profile aaw-fc has state.aaw.statcan.gc.ca/has-sas-notebook-feature=true |
Deployment to Production Environment
Post Deployment Items
|
@Collinbrown95 , I hope as is well, Are we still going to be hitting the deadline for the end of day? |
Overview
Given new requirements around "deemed" employees who have access to some (but not all) employee-only features, we need a more fine-grained model of RBAC than the current set of labels provided by the
aaw-profiles-state-controller
.Proposed Solution
Instead of classifying namespaces as containing non-employees or being employee only, what if namespaces received a series of labels corresponding to capabilities. In this way, exception lists could be specified for each capability, and namespaces could receive labels based on the intersection of its members' capability lists (i.e. the namespace receives the least permissive combination of individual members' capabilities).
Observations
Caveats
john.doe@external.ca
is added as an exception, then a notebook is created, and thenjohn.doe@external.ca
is removed,john.doe@external.ca
is still able to access the notebook that was created when he had access. Therefore, an admin would also need to remove him from the namespace and/or delete the SAS notebook to bring the system back into a consistent state.Remaining TODO Items
@Souheil-Yazji , @bryanpaget , and @Collinbrown95 to independently do end-to-end testing on dev cluster once refactors from code review have been implemented, then report back and consolidate findings.
Deploy change into aaw-prod once sufficient testing has been done and the feature is properly documented.
Required Changes
aaw-profile-state-controller
DRAFT: @cbrown/1335 non employee rbac gatekeeper-policies#44deny-external-users
label changed to match https://github.com/StatCan/aaw-gatekeeper-constraints/pull/15aaw-kubeflow-profiles
https://github.com/StatCan/aaw-kubeflow-profiles/pull/99aaw-developer-docs
to reflect the changes to how profile-state-controller works. DRAFT: docs(non-employee-rbac) aaw-developer-docs#2Bug Fix PRs
non-employee-users
configmapDeployment PRs
kubectl apply
manually to testkubectl apply -f pod-security-policy/deny-employee-only-features/template.yaml
andkubectl apply -f general/deny-external-users/template.yaml
kubectl apply
manually to testkubectl apply -f deny-external-users/constraint.yaml
Quality Assurance TODO Items
Refactors after code review
Figure out how to parse yaml file from configmap in rego policy (specifically need to get values from list inThis can be refactored later; current implementation passes list of exceptions as parameters; unit tests are included for both affected gatekeeper policies.non-employee-exceptions
configmap.Implementation Details
This implementation proposes two kinds of feature capabilities: (1) Pod/Notebook features and (2) Namespace features.
For example, the SAS notebook feature is a Pod/notebook feature because it requires deploying a specific kind of notebook into a namespace, whereas cloud-main-connectivity is a namespace feature because routing pod traffic through the egress gateway is determined by rules that are applied at the level of the namespace.
The semantics for labels behind each feature work as follows.
Pod/Notebook Feature
The profile state controller applies a label of the form
has-X-feature
if any pod/notebook in the namespace has that feature (e.g. a pod with the sas image). Additionally, the profile state controller applies a label of the formexists-non-X-user
if any subject in any rolebinding in the namespace is not an employee or not in the list of exceptions for that capability. The profiles state controller will apply the following labels to the profile and namespace:has-X-feature: true
if any pod in the namespace has that featureexists-non-X-user: true
if any subject in any role binding is not an employee or is not in the exception list for that capability.If a non-employee without an exception is added to a rolebinding in a namespace where the label
has-X-feature: true
is present, a gatekeeper policy blocks this request.If a pod with
X-feature
is added to a namespace where the labelexists-non-X-user
is present, a gatekeeper policy blocks this request.Namespace Feature
A namespace feature only requires the logic surrounding the
exists-non-X-user
label described above. In the case of cloud-main connectivity, thecloud-main
andnetwork
controllers inaaw-kubeflow-profiles-controller
should automatically reconcile the network policies / virtual services involved if a namespace does not have the cloud main connectivity capability. No gatekeeper policy should be required.Test Cases
Unit Tests
We should unit test the following cases for profile-state-controller - profiles-state-controller is already set up to handle unit testing, so we just need to add the following test cases (then there is no uncertainty as to whether the RBAC logic for labels is applied correctly).
state.aaw.statcan.gc.ca/exists-non-sas-notebook-user: false
andstate.aaw.statcan.gc.ca/exists-non-cloud-main-user: false
state.aaw.statcan.gc.ca/exists-non-sas-notebook-user: false
andstate.aaw.statcan.gc.ca/exists-non-cloud-main-user: true
state.aaw.statcan.gc.ca/exists-non-sas-notebook-user: true
andstate.aaw.statcan.gc.ca/exists-non-cloud-main-user: false
state.aaw.statcan.gc.ca/exists-non-sas-notebook-user: true
andstate.aaw.statcan.gc.ca/exists-non-cloud-main-user: true
state.aaw.statcan.gc.ca/exists-non-sas-notebook-user: false
andstate.aaw.statcan.gc.ca/exists-non-cloud-main-user: false
state.aaw.statcan.gc.ca/exists-non-sas-notebook-user: true
andstate.aaw.statcan.gc.ca/exists-non-cloud-main-user: true
state.aaw.statcan.gc.ca/exists-non-sas-notebook-user: true
andstate.aaw.statcan.gc.ca/exists-non-cloud-main-user: true
End-to-end tests
Verify that all of the original logic for profile-state controller works. I.e.
Also need to test that the interaction with cloud main connectivity works correctly. I.e.
The text was updated successfully, but these errors were encountered: