Update docs/content/general/tutorial.md
prometherion authored Aug 1, 2023
1 parent a1391ac commit 3e9b1a9
Showing 1 changed file with 7 additions and 1 deletion.
8 changes: 7 additions & 1 deletion docs/content/general/tutorial.md
Expand Up @@ -1306,7 +1306,13 @@ If a Persistent Volume Claim has no value for `spec.storageClassName` the `tenan
## Assign Network Policies
Kubernetes network policies control network traffic between namespaces and between pods in the same namespace. Bill, the cluster admin, can enforce network traffic isolation between different tenants while leaving to Alice, the tenant owner, the freedom to set isolation between namespaces in the same tenant or even between pods in the same namespace.

To meet this requirement, Bill needs to define network policies that deny pods belonging to Alice's namespaces to access pods in namespaces belonging to other tenants, e.g. Bob's tenant `water`, or in system namespaces, e.g. `kube-system`. ( keep in mind, that because how the NetworkPolicies API works, the user can still add a policy which contradicts what the tenant admin has set, resulting in users being able to circunvent the initial limitation set by the tenant admin. i.e. The tenant admin configures a tenant to not be able to reach CIDR: 192.168.0.0/16 , where the local LDAP servers are, but then a tenant owner goes and creates a network policy which allows LDAP traffic, it will result in LDAP server being reachable )
To meet this requirement, Bill needs to define network policies that deny pods belonging to Alice's namespaces to access pods in namespaces belonging to other tenants, e.g. Bob's tenant `water`, or in system namespaces, e.g. `kube-system`.

> Keep in mind, that because of how the NetworkPolicies API works, the users can still add a policy which contradicts what the Tenant has set, resulting in users being able to circumvent the initial limitation set by the tenant admin.
>
> Two options can be put in place to mitigate this potential privilege escalation:
> 1. providing a restricted role rather than the default `admin` one
> 2. using Calico's `GlobalNetworkPolicy`, or Cilium's `CiliumClusterwideNetworkPolicy` which are defined at the cluster-level, thus creating an order of packet filtering.

Also, Bill can make sure pods belonging to a tenant namespace cannot access other network infrastructures like cluster nodes, load balancers, and virtual machines running other services.

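Review bot: the new blockquote (the "Keep in mind" note and the two mitigation options) loses the explanation the removed line carried and does not say why either option works. The deleted text at least gave the concrete failure case (a Tenant blocked from `192.168.0.0/16`, then a tenant owner adding a policy that allows LDAP and the server becoming reachable again); the replacement only says "because of how the NetworkPolicies API works". State the mechanism in one sentence: NetworkPolicy rules are additive, so any policy that allows a connection wins, and a tenant owner bound to the default `admin` ClusterRole may create NetworkPolicy objects in their own namespaces, which is enough to undo a deny that the Tenant imposed. With that said, the two options become actionable. For option 1, say what "restricted" means: a role that does not grant `create`, `update`, `patch` or `delete` on `networkpolicies` in `networking.k8s.io`. For option 2, replace "thus creating an order of packet filtering" with the property that matters: `GlobalNetworkPolicy` (when given a lower `order` than the namespaced policies) and `CiliumClusterwideNetworkPolicy` are cluster-scoped, so a tenant owner cannot edit them, and they can express an explicit deny that a namespace-scoped allow does not override. Two wording points: "privilege escalation" overstates it, since no new permission is gained and an existing one just defeats the intended isolation, so "policy bypass" is more accurate; and "Keep in mind, that because of how" should drop the comma after "mind". Consider carrying the LDAP example over into the note rather than deleting it.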