Merge pull request #98 from wilreichert/crdprotect

add CRD protect policy
cruise-automation · Feb 24, 2021 · bb16666 · bb16666
2 parents c820a83 + 5cbe7e1
commit bb16666
Show file tree

Hide file tree

Showing 6 changed files with 618 additions and 65 deletions.
diff --git a/README.md b/README.md
@@ -46,6 +46,7 @@ k-rail is a workload policy enforcement tool for Kubernetes. It can help you sec
   - [Invalid Pod Disruption Budget](#invalid-pod-disruption-budget)
   - [No External IP on Service](#no-external-ip-on-service)
   - [Deny Unconfined AppArmor Policies](#deny-unconfined-apparmor-policies)
+  - [Protect CRD from accidental Deletion](#crd-protect)
 - [Configuration](#configuration)
   - [Webhook Configuration](#webhook-configuration)
   - [Logging](#logging)
@@ -466,6 +467,10 @@ Prevents providing External IPs on a Service to mitigate [CVE-2020-8554](https:/
 
 Prevents users from specifing an unconfined apparmor policy which can be used with other conditions to lead to [container escape](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/).
 
+## Protect CRD From Accidental Deletion
+
+When a Custom Resource Definition is deleted the corresponding Custom Resources are deleted as well. This creates the risk of accidentally destroying important data during regular maintenance. This policy allows the user to set the annotation `k-rail.crd.protect: enabled` on any CRD which will prevent its deletion if any children CRs exist.
+
 # Configuration
 
 For the Helm deployment, all configuration is contained in [`charts/k-rail/values.yaml`](charts/k-rail/values.yaml).

diff --git a/charts/k-rail/templates/deployment.yaml b/charts/k-rail/templates/deployment.yaml
@@ -28,12 +28,13 @@ webhooks:
         path: "/"
       caBundle: {{ b64enc $ca.Cert }}
     rules:
-      - operations: ["CREATE","UPDATE","CONNECT"]
+      - operations: ["CREATE","DELETE","UPDATE","CONNECT"]
         apiGroups: ["*"]
         apiVersions: ["*"]
         resources:
           - clusterrolebindings
           - cronjobs
+          - customresourcedefinitions
           - daemonsets
           - deployments
           - ingresses

diff --git a/go.mod b/go.mod
@@ -4,21 +4,15 @@ go 1.12
 
 require (
 	github.com/gobwas/glob v0.2.3
-	github.com/golang/protobuf v1.4.2 // indirect
 	github.com/gorilla/mux v1.7.3
-	github.com/json-iterator/go v1.1.10 // indirect
 	github.com/opencontainers/go-digest v1.0.0-rc1
 	github.com/sirupsen/logrus v1.6.0
-	golang.org/x/net v0.0.0-20200625001655-4c5254603344 // indirect
-	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d // indirect
-	golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae // indirect
-	golang.org/x/time v0.0.0-20191024005414-555d28b269f0 // indirect
-	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
 	gopkg.in/yaml.v2 v2.3.0 // indirect
-	k8s.io/api v0.18.10
-	k8s.io/apimachinery v0.18.10
-	k8s.io/client-go v0.18.10 //v11.0.0+incompatible
-	k8s.io/utils v0.0.0-20200324210504-a9aa75ae1b89
+	k8s.io/api v0.20.2
+	k8s.io/apiextensions-apiserver v0.20.2
+	k8s.io/apimachinery v0.20.2
+	k8s.io/client-go v0.20.2 //v11.0.0+incompatible
+	k8s.io/utils v0.0.0-20201110183641-67b214c5f920
 	sigs.k8s.io/yaml v1.2.0
 )