Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug] update sample policies to include all container types in a pod #951

Open
3 of 7 tasks
JimBugwadia opened this issue Mar 22, 2024 · 1 comment
Open
3 of 7 tasks

[Bug] update sample policies to include all container types in a pod #951

JimBugwadia opened this issue Mar 22, 2024 · 1 comment
Assignees
@dolisss
Labels
bug Something isn't working good first issue Good for newcomers

Comments

@JimBugwadia
Copy link
Member

JimBugwadia commented Mar 22, 2024
edited by realshuting
Loading

Kyverno Version

1.12

Kubernetes Version

1.29

Kubernetes Platform

Minikube

Description

A end user brought this up at KubeCon EU 2024. A number of sample policies target containers in a pod, but do not handle initContainers and ephemeralContainers.

Note that this is not an issue for any Pod Security Standard related policies, but applies to best practices and other security samples.

However, this may be something end users are oblivious of and hence end up using the sample policy which leaves a potential gap.

This can be handled easily as done in the following policy:

https://kyverno.io/policies/psp-migration/restrict-adding-capabilities/restrict-adding-capabilities/

      validate:
        message: >-
          Any capabilities added other than NET_BIND_SERVICE or CAP_CHOWN are disallowed.          
        foreach:
          - list: request.object.spec.[ephemeralContainers, initContainers, containers][]
            deny:
              conditions:
                all:
                - key: "{{ element.securityContext.capabilities.add[] || '' }}"
                  operator: AnyNotIn
                  value:
                  - NET_BIND_SERVICE
                  - CAP_CHOWN
                  - ''

Here is a list of some of these policies:

Steps to reproduce

  1. Check samples like: https://kyverno.io/policies/psp-migration/add-apparmor/add-apparmor/

Expected behavior

  1. Update all security and best practices related policies to handle all pod types.
  2. Update test cases to handle initContainers

Screenshots

No response

Kyverno logs

No response

Slack discussion

No response

Troubleshooting

  • I have read and followed the documentation AND the troubleshooting guide.
  • I have searched other issues in this repository and mine is not recorded.
@JimBugwadia JimBugwadia added bug Something isn't working Contribfest Good first issues for KubeCon EU 2024 labels Mar 22, 2024
@michaelkotelnikov michaelkotelnikov mentioned this issue Mar 22, 2024
Merged
1 task
@realshuting realshuting added good first issue Good for newcomers and removed Contribfest Good first issues for KubeCon EU 2024 labels May 15, 2024
@nikhilmaheshwari24 nikhilmaheshwari24 mentioned this issue Jul 30, 2024
Merged
3 tasks
@dolisss
Copy link
Contributor

dolisss commented Jul 30, 2024

@JimBugwadia I would like to contribute to this. Can you assign me this issue?

@nikhilmaheshwari24 nikhilmaheshwari24 mentioned this issue Jul 31, 2024
Merged
3 tasks
@dolisss dolisss mentioned this issue Aug 5, 2024
Merged
3 tasks
@dolisss dolisss mentioned this issue Aug 30, 2024
Closed
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dolisss dolisss

Labels
bug Something isn't working good first issue Good for newcomers
Projects
Good First Issues
Status: No status
Kyverno Contribefest KubeCon EU 2024
Status: No status
Milestone
No milestone
Development

No branches or pull requests
3 participants
@JimBugwadia @realshuting @dolisss