fix: AdmissionPolicyGroup must not have context aware resources

Prior to this commit, it was possible to declare AdmissionPolicyGroup
resources with policies that had context aware resources.

Context awareness allows a policy to query the Kubernetes API with `list`
and `get` verbs. The queries are run using the ServiceAccount of the
Policy Server instance that hosts the policy.

AdmissionPolicyGroup are namespaced CRDs which can be created by
non-admin Kubernetes users.
The ability to deploy AdmissionPolicyGroup with context aware resources
exposes the cluster to potential leaks of data.
For example, a non-admin user, might create an AdmissionPolicyGroup with
one of its policies that has access to Kubernetes Secrets. The policy
would then be able to `get` Secrets that are not available to the
non-admin user (if the Policy Server is running with a ServiceAccount
that has been explicitly configured to have `get` access to all the
Secrets of the cluster).

This commit fixes the by removing the `ContextAwareResources` field
from the `AdmissionPolicyGroup`.

== What happens after this commit is deployed

The existing AdmissionPolicyGroup will be automatically updated and they
will lose their `.spec.policies.[*].ContextAwareResources` field (if set).

The kubewarden controller will also automatically reconcile the Policy
Server configuration.

Signed-off-by: Flavio Castelli <[email protected]>

Author: flavio

api/policies/v1/admissionpolicygroup_types.go

@@ -75,11 +75,7 @@ func (r *AdmissionPolicyGroup) SetPolicyModeStatus(policyMode PolicyModeStatus)
 }
 
 func (r *AdmissionPolicyGroup) IsContextAware() bool {
-	for _, policy := range r.Spec.Policies {
-		if len(policy.ContextAwareResources) > 0 {
-			return true
-		}
-	}
+	// We return false here because AdmissionPolicyGroup have no access to context aware resources.
 	return false
 }
 
@@ -91,8 +87,17 @@ func (r *AdmissionPolicyGroup) GetModule() string {
 	return ""
 }
 
-func (r *AdmissionPolicyGroup) GetPolicyGroupMembers() PolicyGroupMembers {
-	return r.Spec.Policies
+func (r *AdmissionPolicyGroup) GetPolicyGroupMembersWithContext() PolicyGroupMembersWithContext {
+	policies := make(PolicyGroupMembersWithContext)
+	for name, policy := range r.Spec.Policies {
+		policies[name] = PolicyGroupMemberWithContext{
+			PolicyGroupMember: policy,
+			// AdmissionPolicyGroup does not have access to context aware resources.
+			ContextAwareResources: []ContextAwareResource{},
+		}
+	}
+
+	return policies
 }
 
 func (r *AdmissionPolicyGroup) GetSettings() runtime.RawExtension {

api/policies/v1/clusteradmissionpolicygroup_types.go

@@ -22,9 +22,19 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 )
 
+type ClusterPolicyGroupSpec struct {
+	GroupSpec `json:""`
+
+	// Policies is a list of policies that are part of the group that will
+	// be available to be called in the evaluation expression field.
+	// Each policy in the group should be a Kubewarden policy.
+	// +kubebuilder:validation:Required
+	Policies PolicyGroupMembersWithContext `json:"policies"`
+}
+
 // ClusterAdmissionPolicyGroupSpec defines the desired state of ClusterAdmissionPolicyGroup.
 type ClusterAdmissionPolicyGroupSpec struct {
-	PolicyGroupSpec `json:""`
+	ClusterPolicyGroupSpec `json:""`
 
 	// NamespaceSelector decides whether to run the webhook on an object based
 	// on whether the namespace for that object matches the selector. If the
@@ -148,7 +158,7 @@ func (r *ClusterAdmissionPolicyGroup) GetStatus() *PolicyStatus {
 	return &r.Status
 }
 
-func (r *ClusterAdmissionPolicyGroup) GetPolicyGroupMembers() PolicyGroupMembers {
+func (r *ClusterAdmissionPolicyGroup) GetPolicyGroupMembersWithContext() PolicyGroupMembersWithContext {
 	return r.Spec.Policies
 }
 

api/policies/v1/factories.go

@@ -314,12 +314,14 @@ func (f *AdmissionPolicyGroupFactory) Build() *AdmissionPolicyGroup {
 		},
 		Spec: AdmissionPolicyGroupSpec{
 			PolicyGroupSpec: PolicyGroupSpec{
-				PolicyServer:    f.policyServer,
-				Policies:        f.policyMembers,
-				Expression:      f.expression,
-				Rules:           f.rules,
-				MatchConditions: f.matchConds,
-				Mode:            f.mode,
+				GroupSpec: GroupSpec{
+					PolicyServer:    f.policyServer,
+					Expression:      f.expression,
+					Rules:           f.rules,
+					MatchConditions: f.matchConds,
+					Mode:            f.mode,
+				},
+				Policies: f.policyMembers,
 			},
 		},
 	}
@@ -330,7 +332,7 @@ type ClusterAdmissionPolicyGroupFactory struct {
 	policyServer  string
 	rules         []admissionregistrationv1.RuleWithOperations
 	expression    string
-	policyMembers PolicyGroupMembers
+	policyMembers PolicyGroupMembersWithContext
 	matchConds    []admissionregistrationv1.MatchCondition
 	mode          PolicyMode
 }
@@ -353,12 +355,16 @@ func NewClusterAdmissionPolicyGroupFactory() *ClusterAdmissionPolicyGroupFactory
 			},
 		},
 		expression: "pod_privileged() && user_group_psp()",
-		policyMembers: PolicyGroupMembers{
+		policyMembers: PolicyGroupMembersWithContext{
 			"pod_privileged": {
-				Module: "registry://ghcr.io/kubewarden/tests/pod-privileged:v0.2.5",
+				PolicyGroupMember: PolicyGroupMember{
+					Module: "registry://ghcr.io/kubewarden/tests/pod-privileged:v0.2.5",
+				},
 			},
 			"user_group_psp": {
-				Module: "registry://ghcr.io/kubewarden/tests/user-group-psp:v0.4.9",
+				PolicyGroupMember: PolicyGroupMember{
+					Module: "registry://ghcr.io/kubewarden/tests/user-group-psp:v0.4.9",
+				},
 			},
 		},
 		matchConds: []admissionregistrationv1.MatchCondition{
@@ -378,7 +384,7 @@ func (f *ClusterAdmissionPolicyGroupFactory) WithPolicyServer(policyServer strin
 	return f
 }
 
-func (f *ClusterAdmissionPolicyGroupFactory) WithMembers(members PolicyGroupMembers) *ClusterAdmissionPolicyGroupFactory {
+func (f *ClusterAdmissionPolicyGroupFactory) WithMembers(members PolicyGroupMembersWithContext) *ClusterAdmissionPolicyGroupFactory {
 	f.policyMembers = members
 	return f
 }
@@ -413,13 +419,15 @@ func (f *ClusterAdmissionPolicyGroupFactory) Build() *ClusterAdmissionPolicyGrou
 			},
 		},
 		Spec: ClusterAdmissionPolicyGroupSpec{
-			PolicyGroupSpec: PolicyGroupSpec{
-				PolicyServer:    f.policyServer,
-				Policies:        f.policyMembers,
-				Expression:      f.expression,
-				Rules:           f.rules,
-				MatchConditions: f.matchConds,
-				Mode:            f.mode,
+			ClusterPolicyGroupSpec: ClusterPolicyGroupSpec{
+				GroupSpec: GroupSpec{
+					PolicyServer:    f.policyServer,
+					Expression:      f.expression,
+					Rules:           f.rules,
+					MatchConditions: f.matchConds,
+					Mode:            f.mode,
+				},
+				Policies: f.policyMembers,
 			},
 		},
 	}

api/policies/v1/policy.go

@@ -151,7 +151,7 @@ type Policy interface {
 // +kubebuilder:object:generate:=false
 type PolicyGroup interface {
 	Policy
-	GetPolicyGroupMembers() PolicyGroupMembers
+	GetPolicyGroupMembersWithContext() PolicyGroupMembersWithContext
 	GetExpression() string
 	GetMessage() string
 }

api/policies/v1/policy_types.go

@@ -170,6 +170,12 @@ type PolicyGroupMember struct {
 	// +kubebuilder:pruning:PreserveUnknownFields
 	// x-kubernetes-embedded-resource: false
 	Settings runtime.RawExtension `json:"settings,omitempty"`
+}
+
+type PolicyGroupMembersWithContext map[string]PolicyGroupMemberWithContext
+
+type PolicyGroupMemberWithContext struct {
+	PolicyGroupMember `json:""`
 
 	// List of Kubernetes resources the policy is allowed to access at evaluation time.
 	// Access to these resources is done using the `ServiceAccount` of the PolicyServer
@@ -178,7 +184,7 @@ type PolicyGroupMember struct {
 	ContextAwareResources []ContextAwareResource `json:"contextAwareResources,omitempty"`
 }
 
-type PolicyGroupSpec struct {
+type GroupSpec struct {
 	// PolicyServer identifies an existing PolicyServer resource.
 	// +kubebuilder:default:=default
 	// +optional
@@ -302,6 +308,10 @@ type PolicyGroupSpec struct {
 	// returned in the warning field of the response.
 	// +kubebuilder:validation:Required
 	Message string `json:"message"`
+}
+
+type PolicyGroupSpec struct {
+	GroupSpec `json:""`
 
 	// Policies is a list of policies that are part of the group that will
 	// be available to be called in the evaluation expression field.

api/policies/v1/policygroup_validation.go

@@ -56,10 +56,10 @@ func validatePolicyGroupUpdate(oldPolicyGroup, newPolicyGroup PolicyGroup) field
 // validatePolicyGroupMembers validates that a policy group has at least one policy member.
 func validatePolicyGroupMembers(policyGroup PolicyGroup) field.ErrorList {
 	var allErrors field.ErrorList
-	if len(policyGroup.GetPolicyGroupMembers()) == 0 {
+	if len(policyGroup.GetPolicyGroupMembersWithContext()) == 0 {
 		allErrors = append(allErrors, field.Required(field.NewPath("spec").Child("policies"), "policy groups must have at least one policy member"))
 	}
-	for memberName := range policyGroup.GetPolicyGroupMembers() {
+	for memberName := range policyGroup.GetPolicyGroupMembersWithContext() {
 		_, matchReservedSymbol := celReservedSymbols[memberName]
 		if len(memberName) == 0 || matchReservedSymbol || !idenRegex.MatchString(memberName) {
 			allErrors = append(allErrors, field.Invalid(field.NewPath("spec").Child("policies"), memberName, "policy group member name is invalid"))
@@ -81,7 +81,7 @@ func validatePolicyGroupExpressionField(policyGroup PolicyGroup) *field.Error {
 
 	// Create a CEL environment with custom functions for each policy member
 	var opts []cel.EnvOption
-	for policyName := range policyGroup.GetPolicyGroupMembers() {
+	for policyName := range policyGroup.GetPolicyGroupMembersWithContext() {
 		fn := cel.Function(policyName, cel.Overload(policyName, []*cel.Type{}, types.BoolType))
 		opts = append(opts, fn)
 	}