github.com/Azure/aad-pod-identity@v1.8.17/website/content/en/docs/Configure/azure_identity_validation.md

---
title: "Azure Identity Validation using Gatekeeper"
linkTitle: "Azure Identity Validation using Gatekeeper"
weight: 4
description: >
  This will help validate various CRDs and the Azure resources used in aad-pod-identity. Currently validation of the user-assigned MSI format in an AzureIdentity is supported.
---

## Introduction

Gatekeeper can be used to validate the custom resources (CRDs) that aad-pod-identity consumes and the Azure resources they reference. Currently one check is provided: validating the resource ID format of a user-assigned managed identity (MSI) in an `AzureIdentity`.

[Gatekeeper](https://github.com/open-policy-agent/gatekeeper) - Policy Controller for Kubernetes, is used to validate the resources.
  * It is a validating admission webhook that enforces policies defined as CRDs
  * It provides an admission system in which a policy is written once as a `ConstraintTemplate` and enforced through one or more `Constraint` resources

#### Prerequisite Gatekeeper Installation

Run the following to deploy Gatekeeper from the manifest on its `master` branch (pin a release tag for production clusters), or refer to [Gatekeeper Installation](https://github.com/open-policy-agent/gatekeeper#installation-instructions) for detailed instructions.

```sh
kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yaml
```
    25  
## Azure Identity Format Validation

A policy can be configured as a Gatekeeper constraint to ensure that the resource ID in a given identity has a valid format. Any request that violates the configured constraint is rejected by the admission controller, so a malformed `AzureIdentity` is never persisted.

Two resources are needed to enable this check:

   * Constraint Template
   * Constraint
### Constraint Template

A `ConstraintTemplate` describes both the [Rego](https://www.openpolicyagent.org/docs/latest/policy-language/) that enforces the constraint and the schema of the constraint.

   * A user-assigned MSI is expected to have a resource ID in the following format:

   ```
   /subscriptions/<subid>/resourcegroups/<resourcegroup>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<name>
   ```

   This is validated with the following regex pattern; a resource ID that does not match it is considered invalid.

   ```
   (?i)/subscriptions/(.+?)/resourcegroups/(.+?)/providers/Microsoft.ManagedIdentity/(.+?)/(.+)
   ```

   Note that the pattern is looser than the documented format: it is not anchored, the `.` in `Microsoft.ManagedIdentity` is unescaped, and the resource type segment is `(.+?)` rather than the literal `userAssignedIdentities`. It rejects IDs with missing segments (such as the invalid example below) but still admits, for instance, the ID of a different `Microsoft.ManagedIdentity` resource type. Treat it as a format sanity check, not as proof that the ID refers to a user-assigned identity.

   * The policy ensuring that the resource ID follows the expected pattern can be described via the following constraint template:

```yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: azureidentityformat
spec:
  crd:
    spec:
      names:
        kind: azureidentityformat
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package azureidentityformat

        # A violation is produced only when every expression in the body is true.
        violation[{"msg": msg}] {
          # only AzureIdentity objects are checked (the Constraint's match block
          # also restricts the kinds this template is evaluated against)
          input.review.kind.kind == "AzureIdentity"
          # format of resourceId is checked only for user-assigned MSI (type 0)
          input.review.object.spec.type == 0
          resourceId := input.review.object.spec.resourceID
          # re_match is the deprecated alias of regex.match; the match is unanchored
          result := re_match(`(?i)/subscriptions/(.+?)/resourcegroups/(.+?)/providers/Microsoft.ManagedIdentity/(.+?)/(.+)`, resourceId)
          result == false
          msg := sprintf(`The identity resourceId '%v' is invalid.It must be of the following format: '/subscriptions/<subid>/resourcegroups/<resourcegroup>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<name>'`, [resourceId])
        }
```

You can install this ConstraintTemplate with the following command:

```sh
kubectl apply -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/validation/gatekeeper/azureidentityformat_template.yaml
```
    83  
### Constraint

A `Constraint` tells Gatekeeper that the admin wants the `azureidentityformat` `ConstraintTemplate` to be enforced, and on which resources.

The `match` block below scopes the constraint to kind `AzureIdentity` in API group `aadpodidentity.k8s.io`; any request for such a resource that violates the constraint is rejected by the admission controller. No namespace filter is set, so the check applies cluster-wide.

```yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: azureidentityformat
metadata:
  name: azureidentityformatconstraint
spec:
  match:
    kinds:
      - apiGroups: ["aadpodidentity.k8s.io"]
        kinds: ["AzureIdentity"]
```

You can install this Constraint with the following command:

```sh
kubectl apply -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/validation/gatekeeper/azureidentityformat_constraint.yaml
```
   107  
### Examples

   * The following identity passes the constraint and the request is accepted, as the resource ID is in the correct format.

```yaml
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentity
metadata:
  name: testidentityvalid
spec:
  type: 0
  resourceID: /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/testidentity
  clientID: 00000000-0000-0000-0000-000000000000
```

   * The following identity violates the constraint and the request is rejected, as the resource ID is not in the correct format (`resourcegroups/<resourcegroup>` is missing from `resourceID`).

```yaml
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentity
metadata:
  name: testidentityinvalid
spec:
  type: 0
  resourceID: /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myidentity
  clientID: 00000000-0000-0000-0000-000000000000
```

The rejection is reported by the API server, with the `msg` produced by the Rego rule embedded in the webhook denial:

```sh
$ kubectl apply -f aadpodidentity_test_invalid.yaml
Error from server ([denied by azureidentityformatconstraint] The identity resourceId '/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myidentity' is invalid.It must be of the following format: '/subscriptions/<subid>/resourcegroups/<resourcegroup>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<name>'): error when creating "aadpodidentity_test_invalid.yaml": admission webhook "validation.gatekeeper.sh" denied the request: [denied by azureidentityformatconstraint] The identity resourceId '/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myidentity' is invalid.It must be of the following format: '/subscriptions/<subid>/resourcegroups/<resourcegroup>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<name>'
```
   140  
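The following Go program is an added example and is not part of this page or of the aad-pod-identity project. It replays the Rego rule from the ConstraintTemplate outside the cluster: it compiles the page's regex with Go's `regexp` package (the engine behind OPA's `regex.match`/`re_match`), feeds it the two example identities above plus several constructed resource IDs, and compares each verdict with an assumed tighter pattern (`StrictPattern`, not from the project) that is anchored, escapes the provider dot and pins the resource type to `userAssignedIdentities`. The `Review`/`Spec` types, the `Evaluate` function and all case names and IDs are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
)

// PagePattern is the regex from the ConstraintTemplate above, copied verbatim.
// OPA's regex.match (re_match is its deprecated alias) has the semantics of
// Go's regexp.MatchString: RE2 syntax and no implicit anchoring.
var PagePattern = regexp.MustCompile(
	`(?i)/subscriptions/(.+?)/resourcegroups/(.+?)/providers/Microsoft.ManagedIdentity/(.+?)/(.+)`)

// StrictPattern is an assumed tightening for comparison (not from the page or
// the project): anchored at both ends, literal dot in the provider namespace,
// resource type pinned to userAssignedIdentities, no '/' inside any segment.
var StrictPattern = regexp.MustCompile(
	`(?i)^/subscriptions/([^/]+)/resourcegroups/([^/]+)/providers/Microsoft\.ManagedIdentity/userAssignedIdentities/([^/]+)$`)

// Spec holds the two AzureIdentity fields the Rego rule reads from
// input.review.object.spec. Type 0 is a user-assigned MSI in aad-pod-identity.
type Spec struct {
	Type       int
	ResourceID string
}

// Review is the slice of Gatekeeper's input.review that the rule consults
// (input.review.kind.kind and input.review.object.spec); constructed here.
type Review struct {
	Kind string
	Spec Spec
}

const msgFormat = "The identity resourceId '%s' is invalid.It must be of the following format: " +
	"'/subscriptions/<subid>/resourcegroups/<resourcegroup>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<name>'"

// Evaluate replays the violation rule: the request is denied only when every
// condition in the Rego body holds, otherwise it is admitted unchanged.
func Evaluate(r Review, pattern *regexp.Regexp) (denied bool, msg string) {
	if r.Kind != "AzureIdentity" {
		return false, ""
	}
	if r.Spec.Type != 0 {
		return false, "" // the format is checked only for user-assigned MSI
	}
	if pattern.MatchString(r.Spec.ResourceID) {
		return false, ""
	}
	return true, fmt.Sprintf(msgFormat, r.Spec.ResourceID)
}

// uami builds a user-assigned AzureIdentity review for the given resource ID.
func uami(id string) Review {
	return Review{Kind: "AzureIdentity", Spec: Spec{Type: 0, ResourceID: id}}
}

// Case pairs a constructed admission request with the verdict expected from
// each pattern.
type Case struct {
	Name           string
	Review         Review
	DeniedByPage   bool
	DeniedByStrict bool
}

const prefix = "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/myResourceGroup/providers/"

// Cases: the page's two examples plus constructed IDs that show where the
// unanchored pattern admits more than the documented format.
var Cases = []Case{
	{"valid (page example)", uami(prefix + "Microsoft.ManagedIdentity/userAssignedIdentities/testidentity"), false, false},
	{"resourcegroups segment missing (page example)", uami("/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myidentity"), true, true},
	{"other resource type under the provider", uami(prefix + "Microsoft.ManagedIdentity/notAnIdentityType/x"), false, true},
	{"child resource of the identity", uami(prefix + "Microsoft.ManagedIdentity/userAssignedIdentities/testidentity/federatedIdentityCredentials/fic"), false, true},
	{"full ARM URL pasted (pattern is unanchored)", uami("https://management.azure.com" + prefix + "Microsoft.ManagedIdentity/userAssignedIdentities/testidentity"), false, true},
	{"unescaped dot matches any character", uami(prefix + "MicrosoftXManagedIdentity/userAssignedIdentities/testidentity"), false, true},
	{"service principal identity is never checked", Review{Kind: "AzureIdentity", Spec: Spec{Type: 1, ResourceID: "not-a-resource-id"}}, false, false},
}

func main() {
	for _, c := range Cases {
		page, _ := Evaluate(c.Review, PagePattern)
		strict, _ := Evaluate(c.Review, StrictPattern)
		flag := ""
		if page != strict {
			flag = "  <- admitted by the shipped pattern only"
		}
		fmt.Printf("%-46s page=%-5v strict=%-5v%s\n", c.Name, page, strict, flag)
	}
}
```

Run it with `go run`; every case where the two verdicts differ is a resource ID the shipped template admits but the documented format would not. If you tighten the pattern in your own template, keep the `(?i)` flag: ARM resource IDs are case-insensitive and the `resourcegroups` segment is commonly returned as `resourceGroups`.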
   141  
### Uninstallation

#### Uninstall Constraint Template & Constraint

   * Delete instances of the constraint resource
   * Delete the `ConstraintTemplate` resource

Delete the constraint before the template: removing the `ConstraintTemplate` also removes the CRD that the constraint is an instance of.

Run the following to uninstall / disable validation:

```sh
kubectl delete -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/validation/gatekeeper/azureidentityformat_constraint.yaml

kubectl delete -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/validation/gatekeeper/azureidentityformat_template.yaml
```