Prevent users to modify gatekeeper

[lelouchviesp]

Hello,

I'm new to OPA and Rego and I try to put in place a policy who prevent users to modify everything in gatekeeper-system namespace.
The context is that I want to give them cluster-admin role and use gatekeeper to manage what they can do or use. I have already template and constraint for quota storageclass and quota LB but I'm stuck on the security part of gatekeeper.

I try this template:

TEMPLATE YAML

apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8sdenyallgk
spec:
  crd:
    spec:
      names:
        kind: K8sDenyAllgk
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8sdenyallgk
        listed = input.review.userInfo.groups
        contains(liste, elem) {
          liste[_] = elem
        }
        violation[{"msg": msg}] {
          #have not admin group
          not contains(listed, "oidc:admin-group")
          msg := sprintf("not admin: %v", [input.review.userInfo.username])
        }

listed variable list group that the user who do the request have
contains is a function who list what we pass in the first argument and try to find what we put in the second argument.
At the end the violation is triggered if we do not find a precise admin group in the list of group from the user who request something.

I apply the constraint only on gatekeeper namespace and for every action:

CONSTRAINT YAML

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sDenyAllgk
metadata:
  name: deny-useraccess-gatekeeper
spec:
  match:
    kinds:
      - apiGroups: ["*"]
        kinds: ["*"]
    namespaces:
      - "gatekeeper-system"

But this way, gatekeeper cannot do nothing too. User without admin group seems able to modify gatekeeper object and a weird side effect is that, for example, if I try a kubectl top node "a node" the action is prevent with the error message from the template who prevent user to touch gatekeeper but it's not a request about gatekeeper object.

It seems to work properly when during my test I use a constraint only on one k8s resources and without namespace like this:

spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Service"]

But the final purpose would be to extent that at gatekeeper object while allowing him to do actions on himself.