From 317a3ae0bff68da4269b7df88bf70f57950c979a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?=
 <charled.breteche@gmail.com>
Date: Tue, 6 Sep 2022 17:43:04 +0200
Subject: [PATCH] feat: add kyverno managed resources protection (#4414)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* feat: add kyverno managed resources protection

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

* add toggle

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>

Signed-off-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
---
 charts/kyverno/templates/deployment.yaml |  2 ++
 cmd/kyverno/main.go                      |  1 +
 pkg/config/config.go                     |  6 +++++
 pkg/toggle/toggle.go                     | 20 +++++++++++-----
 pkg/webhooks/server.go                   | 29 +++++++++++++++++++++++-
 5 files changed, 51 insertions(+), 7 deletions(-)

diff --git a/charts/kyverno/templates/deployment.yaml b/charts/kyverno/templates/deployment.yaml
index d71a3331f1..fde8c4caa5 100644
--- a/charts/kyverno/templates/deployment.yaml
+++ b/charts/kyverno/templates/deployment.yaml
@@ -131,6 +131,8 @@ spec:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.name
+          - name: KYVERNO_SERVICEACCOUNT_NAME
+            value: {{ template "kyverno.serviceAccountName" . }}
           - name: KYVERNO_SVC
             value: {{ template "kyverno.serviceName" . }}
           - name: TUF_ROOT
diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go
index f897fd30ce..d17fba0aaf 100644
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@@ -111,6 +111,7 @@ func main() {
 	flag.DurationVar(&webhookRegistrationTimeout, "webhookRegistrationTimeout", 120*time.Second, "Timeout for webhook registration, e.g., 30s, 1m, 5m.")
 	flag.IntVar(&changeRequestLimit, "maxReportChangeRequests", 1000, "Maximum pending report change requests per namespace or for the cluster-wide policy report.")
 	flag.Func(toggle.SplitPolicyReportFlagName, toggle.SplitPolicyReportDescription, toggle.SplitPolicyReport.Parse)
+	flag.Func(toggle.ProtectManagedResourcesFlagName, toggle.ProtectManagedResourcesDescription, toggle.ProtectManagedResources.Parse)
 	if err := flag.Set("v", "2"); err != nil {
 		setupLog.Error(err, "failed to set log level")
 		os.Exit(1)
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 28fb1fdb80..885e5cb3d2 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -72,6 +72,8 @@ const (
 var (
 	// kyvernoNamespace is the Kyverno namespace
 	kyvernoNamespace = osutils.GetEnvWithFallback("KYVERNO_NAMESPACE", "kyverno")
+	// kyvernoServiceAccountName is the Kyverno service account name
+	kyvernoServiceAccountName = osutils.GetEnvWithFallback("KYVERNO_SERVICEACCOUNT_NAME", "kyverno")
 	// kyvernoDeploymentName is the Kyverno deployment name
 	kyvernoDeploymentName = osutils.GetEnvWithFallback("KYVERNO_DEPLOYMENT", "kyverno")
 	// kyvernoServiceName is the Kyverno service name
@@ -88,6 +90,10 @@ func KyvernoNamespace() string {
 	return kyvernoNamespace
 }
 
+func KyvernoServiceAccountName() string {
+	return kyvernoServiceAccountName
+}
+
 func KyvernoDeploymentName() string {
 	return kyvernoDeploymentName
 }
diff --git a/pkg/toggle/toggle.go b/pkg/toggle/toggle.go
index 8eefe2cfe2..ff1b2bb3f9 100644
--- a/pkg/toggle/toggle.go
+++ b/pkg/toggle/toggle.go
@@ -6,19 +6,27 @@ import (
 )
 
 const (
-	AutogenInternalsFlagName     = "autogenInternals"
-	AutogenInternalsDescription  = "Enables autogen internal policies. When this is 'true' policy rules should not be mutated."
-	autogenInternalsEnvVar       = "FLAG_AUTOGEN_INTERNALS"
-	defaultAutogenInternals      = true
+	// autogen
+	AutogenInternalsFlagName    = "autogenInternals"
+	AutogenInternalsDescription = "Enables autogen internal policies. When this is 'true' policy rules should not be mutated."
+	autogenInternalsEnvVar      = "FLAG_AUTOGEN_INTERNALS"
+	defaultAutogenInternals     = true
+	// split resource
 	SplitPolicyReportFlagName    = "splitPolicyReport"
 	SplitPolicyReportDescription = "Set the flag to 'true', to enable the split-up PolicyReports per policy."
 	splitPolicyReportEnvVar      = "FLAG_SPLIT_POLICY_REPORT"
 	defaultSplitPolicyReport     = false
+	// protect managed resource
+	ProtectManagedResourcesFlagName    = "protectManagedResources"
+	ProtectManagedResourcesDescription = "Set the flag to 'true', to enable managed resources protection."
+	protectManagedResourcesEnvVar      = "FLAG_PROTECT_MANAGED_RESOURCES"
+	defaultProtectManagedResources     = false
 )
 
 var (
-	AutogenInternals  = newToggle(defaultAutogenInternals, autogenInternalsEnvVar)
-	SplitPolicyReport = newToggle(defaultSplitPolicyReport, splitPolicyReportEnvVar)
+	AutogenInternals        = newToggle(defaultAutogenInternals, autogenInternalsEnvVar)
+	SplitPolicyReport       = newToggle(defaultSplitPolicyReport, splitPolicyReportEnvVar)
+	ProtectManagedResources = newToggle(defaultProtectManagedResources, protectManagedResourcesEnvVar)
 )
 
 type Toggle interface {
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index dca90a778d..1416cdab76 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -3,6 +3,7 @@ package webhooks
 import (
 	"context"
 	"crypto/tls"
+	"fmt"
 	"net/http"
 	"sync"
 	"time"
@@ -10,9 +11,13 @@ import (
 	"github.com/go-logr/logr"
 	"github.com/julienschmidt/httprouter"
 	"github.com/kyverno/kyverno/pkg/config"
+	"github.com/kyverno/kyverno/pkg/toggle"
+	"github.com/kyverno/kyverno/pkg/utils"
+	admissionutils "github.com/kyverno/kyverno/pkg/utils/admission"
 	"github.com/kyverno/kyverno/pkg/webhookconfig"
 	"github.com/kyverno/kyverno/pkg/webhooks/handlers"
 	admissionv1 "k8s.io/api/admission/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 
 type Server interface {
@@ -118,10 +123,32 @@ func (s *server) cleanup(ctx context.Context) {
 	close(s.cleanUp)
 }
 
+func protect(inner handlers.AdmissionHandler) handlers.AdmissionHandler {
+	return func(logger logr.Logger, request *admissionv1.AdmissionRequest) *admissionv1.AdmissionResponse {
+		if toggle.ProtectManagedResources.Enabled() {
+			newResource, oldResource, err := utils.ExtractResources(nil, request)
+			if err != nil {
+				logger.Error(err, "Failed to extract resources")
+				return admissionutils.ResponseFailure(err.Error())
+			}
+			for _, resource := range []unstructured.Unstructured{newResource, oldResource} {
+				resLabels := resource.GetLabels()
+				if resLabels["app.kubernetes.io/managed-by"] == "kyverno" {
+					if request.UserInfo.Username != fmt.Sprintf("system:serviceaccount:%s:%s", config.KyvernoNamespace(), config.KyvernoServiceAccountName()) {
+						logger.Info("Access to the resource not authorized, this is a kyverno managed resource and should be altered only by kyverno")
+						return admissionutils.ResponseFailure("A kyverno managed resource can only be modified by kyverno")
+					}
+				}
+			}
+		}
+		return inner(logger, request)
+	}
+}
+
 func filter(configuration config.Configuration, inner handlers.AdmissionHandler) handlers.AdmissionHandler {
 	return handlers.Filter(configuration, inner)
 }
 
 func admission(logger logr.Logger, monitor *webhookconfig.Monitor, inner handlers.AdmissionHandler) http.HandlerFunc {
-	return handlers.Monitor(monitor, handlers.Admission(logger, inner))
+	return handlers.Monitor(monitor, handlers.Admission(logger, protect(inner)))
 }