Comments (7)
maxsmythe
commented on May 29, 2024
What is the behavior of Pod Security Policy for runAsUser?
https://kubernetes.io/docs/concepts/policy/pod-security-policy/
These templates were designed to map as close to PSP as is reasonable in order to simplify migration, so this template should try to replicate that behavior.
I will say "not running as root" and "running as a specific user" could have very different implications depending on the infrastructure. Because "run as non-root" is more permissive, it probably deserves its own dedicated template.
It may be reasonable for that separate template to allow either the "runAsNonRoot" directive or for the config to supply a specific (non-zero) user, as either wouldn't be root.
from gatekeeper-library.
sanderma
commented on May 29, 2024
The doc tells us this:
MustRunAsNonRoot - Requires that the pod be submitted with a non-zero runAsUser or have the USER directive defined (using a numeric UID) in the image.
So in that regard I'd say that it is valid to set the securityContext runAsNonRoot as that will ensure UID != 0 without having to specify the runAsUser in the securityContext.
The rule as is makes it incompatible with the psp, as the psp doesn't require you to set the runAsUser securityContext but the rego does.
In that case it should be in this template right? WDYT?
from gatekeeper-library.
EmandM
commented on May 29, 2024
MustRunAsNonRoot - Requires that the pod be submitted with a non-zero runAsUser or have the USER directive defined (using a numeric UID) in the image. Pods which have specified neither runAsNonRoot nor runAsUser settings will be mutated to set runAsNonRoot=true, thus requiring a defined non-zero numeric USER directive in the container. No default provided.
https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups
It looks like the PSP does recognise the runAsNonRoot flag, and uses it during mutations. I think this is a good change to make
from gatekeeper-library.
maxsmythe
commented on May 29, 2024
That excerpt is on point, for sure.
It looks like PSP allows a RunAsUser set to MustRunAsNonRoot. Should we add that option?
That would both match what PSP does and avoids retroactively weakening the constraint template's enforcement profile for pre-existing implementations.
Not 100% sure what that parameter would look like. A bool seems easiest, but is discouraged by K8s conventions. OTOH I don't think an enum would make sense.
from gatekeeper-library.
sanderma
commented on May 29, 2024
The params.rule runAsNonRoot is already present in the current rego. The only downside is that is checks for a runAsUser field.
See line 38
The only addition in this case is to check for the runAsNonRoot securityContext.
from gatekeeper-library.
maxsmythe
commented on May 29, 2024
Ah, perfect. This change makes total sense then.
from gatekeeper-library.
sanderma
commented on May 29, 2024
Good to hear!
I can do a PR with the change and added tests. I need to refactor some existing tests, so I expect this to be ready in the next few days.
(This is an in between daily work thing)
from gatekeeper-library.
Related Issues (20)
- Match everything in a constraint HOT 2
- Docs exclude kind: AdmissionReview
- Problem with creating a mutation for deployments HOT 4
- replicalimits unit tests do not include checks for Scale resources HOT 4
- Consider validating pod generic ephemerals in K8sStorageClass HOT 2
- Consolidating Kubernetes PSP-related ConstraintTemplates into a Single Template for Streamlined Migration HOT 1
- bump mutate assign api version from alpha to v1
- Website generator appears to only retain the final mutation sample per directory HOT 2
- Any interest in policies/constraints that apply to custom resources? HOT 3
- Workflow Upload artifacts: overwrites the matrixed job logs HOT 1
- k8spsphostnetworkingports exemptImages does not allow hostNetwork HOT 4
- automount-serviceaccount-token ConstraintTemplate does not reflect ServiceAccount settings HOT 1
- Not able to create statefulset without storageclass with policy k8sallowedstorageclas is used HOT 1
- Should apparmor always view unconfined as complaint? HOT 3
- The example of disallowed/allowed ingress resources in the unique ingress host example has incorrect hostnames HOT 7
- Add colon in message for consistency
- Example of pod mutation adding init-container HOT 4
- Example k8scontainerlimits does not throw error for a deployment but does on a plain Pod creation HOT 2
- poddisruptionbudget policy query
- K8sRequiredResources ConstraintTemplate doesn't work properly HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from gatekeeper-library.