
Kubernetes Policy YAML Code Syntax Instructions

This document is based on QueryPie Enterprise version 10.0.0.

QueryPie Access Control Policy Overview

Access control policies defined in QueryPie operate on Enhanced Attribute Based Access Control (EABAC). EABAC governs access to the resources registered in QueryPie based on the roles and attributes of QueryPie users, so permissions can be managed comprehensively. It combines Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC) to provide flexible and fine-grained access control. All policies operate under the All Deny principle: any access that is not explicitly allowed is denied.

EABAC has two components: Roles are configured in the GUI, while Policies are defined and managed as YAML code.

For Kubernetes, the policy model covers both namespace-scoped restrictions (the equivalent of a Kubernetes Role, confined to namespaces that exist in the cluster) and cluster-scoped resources that lie outside any namespace (the equivalent of a ClusterRole).

Kubernetes Policy YAML Basic Structure

Most policy items accept wildcard ("*") and regular expression patterns (RE2 syntax; a regular expression must be anchored with ^ and $), with the exceptions noted in the table below. Required: O = mandatory.

Category: apiVersion
Property: -
Required: O
Description: Version of the written YAML code. This value is managed by the system and does not need modification.
Valid Values: kubernetes.rbac.querypie.com/v1

Category: kind
Property: -
Required: O
Description: Type of the written YAML code. This value is managed by the system and does not need modification.
Valid Values: KacPolicy

Category: spec:<effect>
Property: -
Required: O
Description: Specifies whether the rules in the policy are allowed or denied.
  • Each policy allows only the following specs:
    • Single Allow
    • Single Deny
    • Single Allow & Single Deny
  • Deny takes precedence over Allow.
Valid Values: allow, deny

Category: spec:<effect>
Property: resources
Required: O
Description: Specifies the resources (Kubernetes clusters registered in QueryPie) to allow/deny access to. ALLOW WILDCARD & REGEX
Valid Values:
  • "cluster:*"
  • "cluster:^eks-.*$"

Category: spec:<effect>
Property: subjects
Required: O
Description: Specifies the Kubernetes user/group to impersonate for Kubernetes commands.
  • kubernetesGroups : Specifies the Kubernetes groups to be used by the QueryPie Proxy.
  • impersonation : Specifies the target users/groups that the client side is allowed to impersonate. ALLOW WILDCARD
Valid Values:
  CODE
  kubernetesGroups:
    - "system:masters"
  impersonation:
    users:
      - "system:user"
    groups:
      - "system:admin"

Category: spec:<effect>
Property: actions
Required: O
Description: Specifies the Resource API to allow/deny within the Kubernetes cluster API server. ALLOW WILDCARD & REGEX
  • apiGroups : Defines the list of Kubernetes API groups. ALLOW WILDCARD
  • resources : Defines Kubernetes resources. ALLOW WILDCARD
  • namespace : Defines the target namespace. ALLOW WILDCARD & REGEX
  • name : Defines the target resource name. ALLOW WILDCARD & REGEX
  • verbs : Specifies the operations to allow or deny within Kubernetes. ALLOW WILDCARD
Valid Values:
  CODE
  - apiGroups: ["*"]
    resources:
      - "*"
    namespace: "*"
    name: "*"
    verbs: ["*"]

Category: spec:<effect>
Property: conditions
Required: - (optional)
Description: Applies fine-grained controls based on conditions, in addition to the resource access rules.
  • resourceTags : Filters on the keys and values of resource tags. WILDCARD & REGEX FOR VALUE
  • userAttributes : Restricts permissions based on user attributes. WILDCARD & REGEX FOR VALUE
  • ipAddresses : Defines access control conditions in single IP or CIDR format. ALLOW WILDCARD
Valid Values:
  CODE
  resourceTags:
    "Owner": "Daniel"
  userAttributes:
    "department": "DevOps"
  ipAddresses:
    - "10.10.10.0/24"

Resources Specification

The resources field defines the Kubernetes clusters registered in QueryPie, not Kubernetes resources themselves.

  1. Defining the resources field is mandatory. REQUIRED

  2. Entries are based on the Kubernetes cluster name as registered in QueryPie.

    • Format: "cluster:{Kubernetes Cluster Name in QueryPie}"

  3. Kubernetes cluster names follow these rules:

    • Maximum 100 characters in length

    • Letters (case-sensitive), digits, and the following special characters are allowed:

      • underscore (_)

      • hyphen (-)

    • Names must start and end with a letter or digit

    • Cluster names must be unique

  4. Multiple Kubernetes clusters can be specified within a single policy, in either YAML list form:

    • - "cluster:kubepie-dev-1"
      - "cluster:kubepie-dev-2"

    or flow form:

    • ["cluster:kubepie-dev-1", "cluster:kubepie-dev-2"]

  5. Wildcards are allowed:

    • "cluster:kubepie-dev-*"

  6. Regular expressions are allowed (anchored with ^ and $):

    • "cluster:^kubepie-dev-.*$"
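The following is an added example, not code from QueryPie: it checks a cluster name against the naming rules above and matches a name against the entries of a resources list, distinguishing an anchored regular expression from a plain wildcard string. The matching semantics are an assumption restated from this page (QueryPie's own engine uses RE2; Python's re module accepts the anchored patterns shown here but is not RE2).

```python
import re

# Naming rules restated from the page: at most 100 characters, letters/digits/_/-,
# and the first and last characters must be a letter or digit.
_NAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9_-]{0,98}[A-Za-z0-9])?$")


def is_valid_cluster_name(name: str) -> bool:
    """Return True when name satisfies the cluster naming rules on this page."""
    return _NAME_RE.fullmatch(name) is not None


def pattern_matches(pattern: str, value: str) -> bool:
    """Match one policy pattern against a value.

    A pattern wrapped in ^...$ is treated as a regular expression (the page requires
    those anchors); any other pattern is a literal in which '*' matches any run of
    characters. This is an assumed reading of the page, not QueryPie's matcher.
    """
    if pattern.startswith("^") and pattern.endswith("$"):
        return re.fullmatch(pattern, value) is not None
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def resource_matches(resource_entries, cluster_name: str) -> bool:
    """True if any 'cluster:<pattern>' entry of a resources list covers cluster_name."""
    for entry in resource_entries:
        prefix, _, pattern = entry.partition(":")
        if prefix != "cluster":
            raise ValueError(f"unsupported resource prefix in {entry!r}")
        if pattern_matches(pattern, cluster_name):
            return True
    return False


if __name__ == "__main__":
    # Constructed inputs that exercise the list, wildcard and regex forms from the page.
    print(is_valid_cluster_name("kubepie-dev-1"), is_valid_cluster_name("-kubepie"))
    print(resource_matches(["cluster:kubepie-dev-1", "cluster:kubepie-dev-2"], "kubepie-dev-2"))
    print(resource_matches(["cluster:kubepie-dev-*"], "kubepie-dev-7"))
    print(resource_matches(["cluster:^kubepie-dev-.*$"], "kubepie-prod-1"))
```

Note that a literal entry such as "cluster:kubepie-dev-1" does not match "kubepie-dev-10": without a wildcard or regex, the whole name must be equal, which is the behaviour you want when a policy is meant to pin a single cluster.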

Subjects Specification

subjects defines the Kubernetes users/groups to impersonate within Kubernetes commands. It applies only to spec:allow and is not syntactically allowed in spec:deny.

  1. kubernetesGroups: REQUIRED

    • Defines the Kubernetes group accounts that the QueryPie Proxy impersonates when performing API actions on the resources.

      • These subjects are defined at the policy-wide level, and at least one group must be assigned.

        • Impersonation through these subjects can be nested within a single Role across different Policies.

      • Specify the Kubernetes groups (one or more) authorized to perform actions on the clusters listed under resources.

        CODE
        kubernetesGroups:
          - system:masters
          - default-group-account
  2. impersonation: OPTIONAL

    • Specifies the users or groups that a client is allowed to impersonate in Kubernetes commands, such as kubectl with the --as and --as-group parameters.

      • users: Lists the Kubernetes users or service accounts existing within the cluster that may be impersonated via the "--as" parameter.

      • groups: Lists the Kubernetes groups existing within the cluster that may be impersonated via the "--as-group" parameter.

        CODE
        impersonation:
          users:
            - "system:serviceaccount:argocd"
          groups:
            - "system:admin"
      • Wildcard ("*") is permitted.

Actions Specification

Specifies the Resource API list to allow or deny within the Kubernetes cluster API server. Each action requires entries for apiGroups, resources, namespace, name, verbs. REQUIRED

  1. apiGroups : Defines the list of Kubernetes API groups.

    1. By defining API groups, finer-grained access control is possible per API group.

    2. If control over custom resources is needed, specify them under apiGroups.

    3. References:

      1. API Overview - API Groups

      2. Kubernetes API Reference Docs - API Groups

    4. You can use a wildcard "*" to comprehensively specify entire API groups.

      • apiGroups: ["*"]

  2. resources : Defines the list of Kubernetes resources.

    1. Commonly used resources include:

      • pods, pods/exec, pods/log, pods/portforward, services, ingresses, deployments, replicasets, statefulsets, daemonsets, configmaps, secrets, namespaces, nodes, persistentvolumes, persistentvolumeclaims, jobs, cronjobs, serviceaccounts, endpoints, roles, rolebindings, clusterroles, clusterrolebindings

    2. Resources not listed can also be accommodated in policies.

    3. When granting permissions only to namespace-specific resources, read-only access to the namespace is automatically included. Therefore, you do not need to specify the namespace every time you make resource API calls. If you wish to prevent granting permissions to specific namespaces, you can configure access denial for namespace resources in spec:deny.

    4. You can specify multiple resources within a single policy action:

      CODE
       resources:
         - "pods"
         - "deployments"
         - "configmaps"
    5. Wildcard is permitted. ("*")

  3. namespace : Defines the target namespace.

    1. Specify namespaces in actions to control access to specified namespaces within the cluster.

    2. Both wildcards and regular expressions are supported.

      • namespace: "*"

    3. For resources that do not belong to specific namespaces, it is recommended to specify "*" to ensure that the namespace value does not affect them. This approach allows you to manage resources that are not tied to any particular namespace effectively.

      1. e.g., persistentvolumes, persistentvolumeclaims, serviceaccounts, customresourcedefinitions, endpoints, nodes, clusterroles, clusterrolebindings

  4. name : Defines the target resource name enabling control based on resource naming conventions within the cluster.

    1. Supports both wildcards and regular expressions.

      • name: "pods-*"

  5. verbs : Specifies Kubernetes API permissions to allow or deny operations.

    • Commonly used verbs include:

      • get: Retrieve resource information

      • list: List resources

      • watch: Monitor resource changes

      • create: Create new resources

      • update: Update existing resources

      • patch: Modify resources partially

      • delete: Delete resources

      • deletecollection: Delete multiple resources in a single operation

    • Specialized verbs not listed can also be specified and applied in policies.

    • When supporting 3rd-party clients, the following verbs are essential and should be provided:

      • View Permissions : get, list, watch

      • Edit Permissions : get, list, watch + create, update, patch, delete, deletecollection

    • For creating sessions that access container shells via pod exec, the get and create verbs are typically required.

    • Wildcard is permitted.

      • verbs: ["*"]

Conditions Specification

In the conditions section, you can define conditions using resourceTags, userAttributes, and ipAddresses. OPTIONAL

  • resourceTags : Use resource tags to filter resources based on key-value pairs.

    CODE
    resourceTags: 
      "region": "ap-northeast-1"
      "Owner": "Brant"
  • userAttributes : Define user attributes to restrict policy permissions to users whose attributes match specified criteria.

    CODE
    userAttributes: 
      "countryCode": "KR"
      "department": "Infra"
  • ipAddresses : Specify IP addresses or CIDR blocks to control access to resources based on source IP.

    CODE
    ipAddresses: ["10.10.0.0/24", "10.11.10.1"]

KAC Policy Example

CODE
apiVersion: kubernetes.rbac.querypie.com/v1 
kind: KacPolicy

spec:
  allow: 
    resources: 
      - "cluster:*"
    subjects: 
      kubernetesGroups: 
        - "system:masters"
      impersonation: 
        users: ["system:serviceaccount:argocd"] 
        groups: ["system:admin"]  
    actions: 
      - apiGroups: ["*"] 
        resources: 
          - "pods"
        namespace: "*" 
        name: "*" 
        verbs: ["get", "list", "watch"]
    conditions: 
      resourceTags: 
        "Owner": ["Kenny", "Brant"]
        "Team": "DevSecOps" 
      userAttributes: 
        "countryCode": "KR"
        "department": "Infra"
      ipAddresses: ["10.10.0.0/24", "10.11.10.1"] 
  deny: 
    resources: 
      - "cluster:kubepie-*"
    actions: 
      - apiGroups: ["*"]
        resources: 
          - "*"
        namespace: "production"
        name: "*"
        verbs: ["*"]
    conditions: 
      resourceTags: 
        "Owner": "Brant"
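To make the Subjects, Actions and Conditions sections above concrete, here is an added example (not QueryPie code) that transcribes the KAC Policy Example into the dict a YAML loader would produce and evaluates constructed requests against it: All Deny by default, deny taking precedence over allow, one action entry matched field by field, resourceTags and userAttributes matched by value pattern, ipAddresses matched as single IPs or CIDR blocks, and a client's --as / --as-group request checked against impersonation. The request fields (cluster, apiGroup, resource, namespace, name, verb, resourceTags, userAttributes, clientIp) and the matching rules are assumptions restated from this page, not QueryPie's internal representation.

```python
import ipaddress
import re

# The page's KAC Policy Example as a Python dict (constructed; avoids a YAML dependency).
POLICY = {
    "apiVersion": "kubernetes.rbac.querypie.com/v1",
    "kind": "KacPolicy",
    "spec": {
        "allow": {
            "resources": ["cluster:*"],
            "subjects": {
                "kubernetesGroups": ["system:masters"],
                "impersonation": {"users": ["system:serviceaccount:argocd"],
                                  "groups": ["system:admin"]},
            },
            "actions": [{"apiGroups": ["*"], "resources": ["pods"], "namespace": "*",
                         "name": "*", "verbs": ["get", "list", "watch"]}],
            "conditions": {
                "resourceTags": {"Owner": ["Kenny", "Brant"], "Team": "DevSecOps"},
                "userAttributes": {"countryCode": "KR", "department": "Infra"},
                "ipAddresses": ["10.10.0.0/24", "10.11.10.1"],
            },
        },
        "deny": {
            "resources": ["cluster:kubepie-*"],
            "actions": [{"apiGroups": ["*"], "resources": ["*"], "namespace": "production",
                         "name": "*", "verbs": ["*"]}],
            "conditions": {"resourceTags": {"Owner": "Brant"}},
        },
    },
}


def pattern_matches(pattern, value):
    """A ^...$ pattern is a regular expression; otherwise '*' matches any run of characters."""
    if pattern.startswith("^") and pattern.endswith("$"):
        return re.fullmatch(pattern, value) is not None
    return re.fullmatch(".*".join(re.escape(p) for p in pattern.split("*")), value) is not None


def any_matches(patterns, value):
    return any(pattern_matches(p, value) for p in patterns)


def action_matches(action, req):
    """Every field of one action entry must match the request."""
    return (any_matches(action["apiGroups"], req["apiGroup"])
            and any_matches(action["resources"], req["resource"])
            and pattern_matches(action["namespace"], req["namespace"])
            and pattern_matches(action["name"], req["name"])
            and any_matches(action["verbs"], req["verb"]))


def conditions_match(conditions, req):
    """All listed conditions must hold; a tag/attribute value may be one pattern or a list."""
    for section in ("resourceTags", "userAttributes"):
        have = req[section]
        for key, wanted in conditions.get(section, {}).items():
            wanted = wanted if isinstance(wanted, list) else [wanted]
            if key not in have or not any_matches(wanted, have[key]):
                return False
    cidrs = conditions.get("ipAddresses", [])
    if cidrs and "*" not in cidrs:
        client = ipaddress.ip_address(req["clientIp"])
        if not any(client in ipaddress.ip_network(c, strict=False) for c in cidrs):
            return False
    return True


def block_applies(block, req):
    """A spec:allow / spec:deny block applies when cluster, an action and the conditions all match."""
    clusters = [r.partition(":")[2] for r in block["resources"]]
    return (any_matches(clusters, req["cluster"])
            and any(action_matches(a, req) for a in block["actions"])
            and conditions_match(block.get("conditions", {}), req))


def evaluate(policy, req):
    """All Deny by default; deny takes precedence over allow."""
    spec = policy["spec"]
    if "deny" in spec and block_applies(spec["deny"], req):
        return "deny"
    if "allow" in spec and block_applies(spec["allow"], req):
        return "allow"
    return "deny"


def impersonation_allowed(policy, as_user=None, as_groups=()):
    """Check a client's --as / --as-group request against spec:allow:subjects:impersonation."""
    imp = policy["spec"].get("allow", {}).get("subjects", {}).get("impersonation", {})
    if as_user is not None and not any_matches(imp.get("users", []), as_user):
        return False
    return all(any_matches(imp.get("groups", []), g) for g in as_groups)


def sample_request(**overrides):
    """Constructed request that the example policy allows; override fields to probe the rules."""
    req = {"cluster": "kubepie-dev-1", "apiGroup": "", "resource": "pods",
           "namespace": "default", "name": "web-0", "verb": "get",
           "resourceTags": {"Owner": "Kenny", "Team": "DevSecOps"},
           "userAttributes": {"countryCode": "KR", "department": "Infra"},
           "clientIp": "10.10.0.42"}
    req.update(overrides)
    return req


if __name__ == "__main__":
    print(evaluate(POLICY, sample_request()))                # allow
    print(evaluate(POLICY, sample_request(verb="delete")))   # deny: verb not in the allow list
    print(evaluate(POLICY, sample_request(namespace="production",
          resourceTags={"Owner": "Brant", "Team": "DevSecOps"})))  # deny: deny wins over allow
```

Two behaviours are worth noticing when you read the results. A request in the production namespace on a kubepie-* cluster is denied only when the deny block's own condition (Owner = Brant) also holds; with Owner = Kenny the deny block does not apply and the allow block's namespace "*" grants the request, so conditions narrow a deny just as they narrow an allow. And a request outside every allow entry (for example, a delete verb or a secrets resource) is denied without any deny block matching, which is the All Deny principle at work.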