k8sblockendpointeditdefaultrole

Basic Information

• Policy type: compliance
• Recommended level: L1
• Effective resource type: ClusterRole
• Parameter: None

Function

By default, many Kubernetes predefines a ClusterRole named system:aggregate-to-edit. The k8sblockendpointeditdefaultrole policy prohibits the ClusterRole from performing create, patch, and update operations on endpoints.

Policy Example

The following policy instance shows the types of resources for which the policy definition takes effect.

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sBlockEndpointEditDefaultRole
metadata:
  name: block-endpoint-edit-default-role
spec:
  match:
    kinds:
      - apiGroups: ["rbac.authorization.k8s.io"]
        kinds: ["ClusterRole"]

Resource Definition That Complies with the Policy

In the example, the effective object of ClusterRole does not contain endpoints, which complies with the policy instance.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: null
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: system:aggregate-to-edit
rules:
- apiGroups:
  - ""
  resources:
  - pods/attach
  - pods/exec
  - secrets
  - services/proxy
  verbs:
  - get
  - list
  - watch

Resource Definition That Does Not Comply with the Policy

In the example, the effective object of ClusterRole contains endpoints, which does not comply with the policy instance.

kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: null
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: system:aggregate-to-edit
rules:
- apiGroups:
  - apps
  resources:
  - endpoints
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update