From 37ec1723f706be330ef23a6f50304dbb726ceb6b Mon Sep 17 00:00:00 2001 From: Lisa Kim Date: Tue, 5 Nov 2024 13:37:20 -0800 Subject: [PATCH 1/3] Add doc on new field --- .../access-requests/resource-requests.mdx | 66 +++++++++++++++++++ docs/pages/includes/role-spec.mdx | 7 ++ 2 files changed, 73 insertions(+) diff --git a/docs/pages/admin-guides/access-controls/access-requests/resource-requests.mdx b/docs/pages/admin-guides/access-controls/access-requests/resource-requests.mdx index 569e29df64358..4a91be365ac0a 100644 --- a/docs/pages/admin-guides/access-controls/access-requests/resource-requests.mdx +++ b/docs/pages/admin-guides/access-controls/access-requests/resource-requests.mdx @@ -406,6 +406,72 @@ Requesting access to a Kubernetes Namespace allows you to access all resources in that namespace but you won't be able to access any other supported resources in the cluster. +##### Enforce users to request only allowed Kubernetes Resources + +The `request.kubernetes_resources` field allows you to restrict what kinds of Kubernetes +resources a user can access request to. + +The following role assigned to a user, restricts access requesting to only Kubernetes namespaces. +If a user attempts to make a request to Kubernetes resources other than `namespace` then the request +will be rejected: + +```yaml +kind: role +metadata: + name: requester-kube-access +version: v7 +spec: + allow: + request: + search_as_roles: + - "kube-access" + kubernetes_resources: + - kind: "namespace" + deny: {} +``` + +The following role assigned to a user, restricts access requesting to only Kubernetes namespaces and/or pods. + +```yaml +kind: role +metadata: + name: requester-kube-access +version: v7 +spec: + allow: + request: + search_as_roles: + - "kube-access" + kubernetes_resources: + - kind: "namespace" + - kind: "pod" + deny: {} +``` + +The following role assigned to a user, restricts users from access requesting to a Kubernetes cluster but +allows requesting to any Kubernetes resources: + +```yaml +kind: role +metadata: + name: requester-kube-access +version: v7 +spec: + allow: + request: + search_as_roles: + - "kube-access" + kubernetes_resources: + - kind: "*" + deny: {} +``` + +By default, when `request.kubernetes_resources` field is not configured, there are no enforcements and +a user can make request to any Kubernetes resources including its cluster. + +See related section about [Kubernetes Resources](../../../../enroll-resources/kubernetes-access/controls.mdx/#kubernetes_resources) +to see a list of supported `kind`. Note that only the `kind` field is supported. + #### `db` You can restrict access to searching `db` resources by assigning values to the diff --git a/docs/pages/includes/role-spec.mdx b/docs/pages/includes/role-spec.mdx index 3030a255d21f0..2c81b1a31858a 100644 --- a/docs/pages/includes/role-spec.mdx +++ b/docs/pages/includes/role-spec.mdx @@ -350,6 +350,13 @@ spec: # resources accessible by the listed roles (enterprise-only) search_as_roles: ['access'] + # 'kubernetes_resources' restricts what kinds of Kubernetes resources + # a user can access request to. The example defined below, enforces users to + # request only Kubernetes namespaces. Default (when nothing is defined) allows + # any Kubernetes resource request. + kubernetes_resources: + - kind: "namespace" + # thresholds specifies minimum amount of approvers and deniers, # defaults to 1 for both (enterprise-only) thresholds: From f38fdf12e99b04ff415446222d0941713a64e9a5 Mon Sep 17 00:00:00 2001 From: Lisa Kim Date: Tue, 5 Nov 2024 16:15:40 -0800 Subject: [PATCH 2/3] Address reviews --- .../access-requests/resource-requests.mdx | 31 ++++++++++--------- docs/pages/includes/role-spec.mdx | 4 +-- 2 files changed, 18 insertions(+), 17 deletions(-) diff --git a/docs/pages/admin-guides/access-controls/access-requests/resource-requests.mdx b/docs/pages/admin-guides/access-controls/access-requests/resource-requests.mdx index 4a91be365ac0a..62c4409c93872 100644 --- a/docs/pages/admin-guides/access-controls/access-requests/resource-requests.mdx +++ b/docs/pages/admin-guides/access-controls/access-requests/resource-requests.mdx @@ -406,14 +406,17 @@ Requesting access to a Kubernetes Namespace allows you to access all resources in that namespace but you won't be able to access any other supported resources in the cluster. -##### Enforce users to request only allowed Kubernetes Resources +##### Restrict Access Requests to specific Kubernetes resources The `request.kubernetes_resources` field allows you to restrict what kinds of Kubernetes -resources a user can access request to. +resources a user can request access to. Configuring this field to any value will disallow +requesting access to the entire Kubernetes cluster. -The following role assigned to a user, restricts access requesting to only Kubernetes namespaces. -If a user attempts to make a request to Kubernetes resources other than `namespace` then the request -will be rejected: +If the `request.kubernetes_resources` field is not configured, then a user can request access +to any Kubernetes resources, including the entire Kubernetes cluster. + +The following role allows users to request access to Kubernetes namespaces. +Requests for Kubernetes resources other than `namespace` will not be allowed. ```yaml kind: role @@ -427,10 +430,9 @@ spec: - "kube-access" kubernetes_resources: - kind: "namespace" - deny: {} ``` -The following role assigned to a user, restricts access requesting to only Kubernetes namespaces and/or pods. +The following role allows users to request access only to Kubernetes namespaces and/or pods. ```yaml kind: role @@ -445,11 +447,9 @@ spec: kubernetes_resources: - kind: "namespace" - kind: "pod" - deny: {} ``` -The following role assigned to a user, restricts users from access requesting to a Kubernetes cluster but -allows requesting to any Kubernetes resources: +The following role allows users to request access to any specific Kubernetes resources. ```yaml kind: role @@ -463,14 +463,15 @@ spec: - "kube-access" kubernetes_resources: - kind: "*" - deny: {} ``` -By default, when `request.kubernetes_resources` field is not configured, there are no enforcements and -a user can make request to any Kubernetes resources including its cluster. - See related section about [Kubernetes Resources](../../../../enroll-resources/kubernetes-access/controls.mdx/#kubernetes_resources) -to see a list of supported `kind`. Note that only the `kind` field is supported. +to see a list of supported `kind` values. + +The `request.kubernetes_resources` field only restricts what `kinds` of Kubernetes resource requests are allowed. +To control Kubernetes access to these resources see +[Preventing unintended access to Kubernetes resources](./enroll-resources/kubernetes-access/controls.mdx//#preventing-unintended-access-to-kubernetes-resources) +section for more details. #### `db` diff --git a/docs/pages/includes/role-spec.mdx b/docs/pages/includes/role-spec.mdx index 2c81b1a31858a..caa60ae7e2503 100644 --- a/docs/pages/includes/role-spec.mdx +++ b/docs/pages/includes/role-spec.mdx @@ -351,9 +351,9 @@ spec: search_as_roles: ['access'] # 'kubernetes_resources' restricts what kinds of Kubernetes resources - # a user can access request to. The example defined below, enforces users to + # a user can request access to. In the below example, users can # request only Kubernetes namespaces. Default (when nothing is defined) allows - # any Kubernetes resource request. + # access requests to any Kubernetes resource or the entire cluster. kubernetes_resources: - kind: "namespace" From 0caafcfa8d2c25fb4b2ebca4c71de8a485912fe3 Mon Sep 17 00:00:00 2001 From: Lisa Kim Date: Thu, 7 Nov 2024 15:48:31 -0800 Subject: [PATCH 3/3] fix lint --- .../access-controls/access-requests/resource-requests.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/pages/admin-guides/access-controls/access-requests/resource-requests.mdx b/docs/pages/admin-guides/access-controls/access-requests/resource-requests.mdx index 62c4409c93872..96520bfe90a89 100644 --- a/docs/pages/admin-guides/access-controls/access-requests/resource-requests.mdx +++ b/docs/pages/admin-guides/access-controls/access-requests/resource-requests.mdx @@ -406,7 +406,7 @@ Requesting access to a Kubernetes Namespace allows you to access all resources in that namespace but you won't be able to access any other supported resources in the cluster. -##### Restrict Access Requests to specific Kubernetes resources +##### Restrict Access Requests to specific Kubernetes resource kinds The `request.kubernetes_resources` field allows you to restrict what kinds of Kubernetes resources a user can request access to. Configuring this field to any value will disallow @@ -465,12 +465,12 @@ spec: - kind: "*" ``` -See related section about [Kubernetes Resources](../../../../enroll-resources/kubernetes-access/controls.mdx/#kubernetes_resources) +See related section about [Kubernetes Resources](../../../enroll-resources/kubernetes-access/controls.mdx#kubernetes_resources) to see a list of supported `kind` values. The `request.kubernetes_resources` field only restricts what `kinds` of Kubernetes resource requests are allowed. To control Kubernetes access to these resources see -[Preventing unintended access to Kubernetes resources](./enroll-resources/kubernetes-access/controls.mdx//#preventing-unintended-access-to-kubernetes-resources) +[Preventing unintended access to Kubernetes resources](#preventing-unintended-access-to-kubernetes-resources) section for more details. #### `db`