This issue concerns Kubernetes RBAC (Role-Based Access Control) configuration combined with Kyverno policy enforcement for managing user permissions. The objective is to let multiple users create namespaces and resources within them while restricting deletion to what they created themselves. RBAC roles are defined to enforce these restrictions, but a discrepancy was observed with the kube-system namespace: manually added labels bypass the deletion restrictions there, even though the Kyverno policies work for other namespaces such as calico and metallb-system. This points to a possible misconfiguration, or a limitation in how labels are applied and enforced through RBAC and Kyverno policies. The broader security implication is that without correct enforcement, users could unintentionally or maliciously delete critical cluster components, causing instability or downtime.
- Kubernetes
- Kyverno
- Ensure that RBAC roles and policies are defined so that users can delete only the resources they created: `kubectl edit clusterrolebinding permissive-binding`
- Apply the following Kyverno policy template to ensure owner labels are injected into namespaces: `kubectl apply -f kyverno-policy-template.yaml`
- Review and adjust label management for critical namespaces such as kube-system so that manually added labels cannot bypass the RBAC restrictions.
- Regularly audit cluster roles and policies using kubectl or Kyverno's built-in policy auditing features.
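The kind of policy the template above refers to, written here as an added example (not the original post's file): it stamps an owner label on every new namespace, keeps that label immutable for non-admins, and denies deletion by anyone but the recorded owner. The policy name is hypothetical, the `cluster-admin` exclusion is an assumption about who should retain full rights, and the `replace_all` JMESPath function is assumed to be available in the Kyverno version in use.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: namespace-ownership   # hypothetical policy name
spec:
  validationFailureAction: enforce
  background: false           # required because the rules read request.userInfo
  rules:
  # 1. On CREATE, record the creator. No +() anchor, so a client-supplied
  #    owner label is overwritten rather than trusted.
  - name: stamp-owner-label
    match: {any: [{resources: {kinds: [Namespace]}}]}
    preconditions:
      all:
      - {key: "{{ request.operation }}", operator: Equals, value: CREATE}
    mutate:
      patchStrategicMerge:
        metadata:
          labels:
            # ':' (as in system:serviceaccount:ns:name) is illegal in a label value
            owner: "{{ replace_all(request.userInfo.username, ':', '_') }}"
  # 2. After creation only cluster-admin may change the owner label, so a
  #    user cannot re-label a namespace to satisfy rule 3.
  - name: owner-label-immutable
    match: {any: [{resources: {kinds: [Namespace]}}]}
    exclude: {any: [{clusterRoles: [cluster-admin]}]}
    preconditions:
      all:
      - {key: "{{ request.operation }}", operator: Equals, value: UPDATE}
    validate:
      message: "The owner label of a namespace cannot be changed."
      deny:
        conditions:
          all:
          - {key: "{{ request.object.metadata.labels.owner || '' }}", operator: NotEquals, value: "{{ request.oldObject.metadata.labels.owner || '' }}"}
  # 3. Only the recorded owner (or cluster-admin) may delete the namespace.
  #    On DELETE the resource is available only as request.oldObject.
  - name: only-owner-deletes
    match: {any: [{resources: {kinds: [Namespace]}}]}
    exclude: {any: [{clusterRoles: [cluster-admin]}]}
    preconditions:
      all:
      - {key: "{{ request.operation }}", operator: Equals, value: DELETE}
    validate:
      message: "Only the namespace owner may delete it."
      deny:
        conditions:
          all:
          - {key: "{{ request.oldObject.metadata.labels.owner || '' }}", operator: NotEquals, value: "{{ replace_all(request.userInfo.username, ':', '_') }}"}
```

Kyverno's ConfigMap ships with a `resourceFilters` entry that skips resources in kube-system, so that setting is the first thing to check when kube-system behaves differently from the other namespaces.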
This issue affects common homelab Kubernetes setups, particularly those that use RBAC for access control alongside Kyverno for automated policy enforcement. The affected software versions stated are Kubernetes prior to 1.23.0 and Kyverno up to 1.5.8.