SAP-archive / karydia

Kubernetes Security Walnut
77 stars, 10 forks

Make Pod SecurityContext Mutation more accurate #263

Closed cbarbian-sap closed 4 years ago

cbarbian-sap commented 4 years ago

Currently (if pre-conditions are fulfilled), Karydia will override an existing pod security context and just set runAsUser and runAsGroup. Other previously existing attributes (such as fsGroup) will get lost, which probably should not be the case, as Karydia claims to only own runAsUser and runAsGroup.

This PR tries to fix this behaviour, so that in an existing pod security context only runAsUser and runAsGroup will be patched by Karydia.

A similar behaviour was observed in the logic where Karydia patches existing container security contexts. This is also covered by this PR.
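The defect described in the PR is easiest to see at the JSON Patch level, which is what a mutating admission webhook returns to the API server. Per RFC 6902, an `add` whose target is an existing object member replaces that member, so emitting `add /spec/securityContext {runAsUser, runAsGroup}` against a pod that already has a security context wipes `fsGroup` and every other sibling; the fix is to create the object only when it is absent and otherwise target the two owned fields individually. The following is an added example, not Karydia's own code: it uses reduced stand-ins for the Kubernetes security context types, a constructed pod carrying `fsGroup` and `readOnlyRootFilesystem`, constructed default uid/gid values, and assumes the mutation precondition is simply "the field is not set by the user"; the tiny `applyPatch` supports only the `add` paths generated here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Reduced stand-ins for corev1.PodSecurityContext / corev1.SecurityContext
// (assumption: only the fields needed here, not the real k8s.io/api types).
type PodSecurityContext struct {
	RunAsUser  *int64 `json:"runAsUser,omitempty"`
	RunAsGroup *int64 `json:"runAsGroup,omitempty"`
	FSGroup    *int64 `json:"fsGroup,omitempty"`
}
type SecurityContext struct {
	RunAsUser              *int64 `json:"runAsUser,omitempty"`
	RunAsGroup             *int64 `json:"runAsGroup,omitempty"`
	ReadOnlyRootFilesystem *bool  `json:"readOnlyRootFilesystem,omitempty"`
}
type Container struct {
	Name            string           `json:"name"`
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
}
type Pod struct {
	Spec struct {
		SecurityContext *PodSecurityContext `json:"securityContext,omitempty"`
		Containers      []Container          `json:"containers"`
	} `json:"spec"`
}

// PatchOp is one RFC 6902 JSON Patch operation as returned by a mutating webhook.
type PatchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value,omitempty"`
}

// Constructed defaults; Karydia's configured values are not assumed here.
const defaultUID, defaultGID int64 = 65534, 65534

func i64(v int64) *int64 { return &v }

// buildPatchOverwrite reproduces the behaviour the PR fixes: "add" on the parent
// path. RFC 6902 "add" replaces an existing member, so fsGroup and
// readOnlyRootFilesystem are silently discarded.
func buildPatchOverwrite(pod *Pod) []PatchOp {
	ops := []PatchOp{{Op: "add", Path: "/spec/securityContext",
		Value: PodSecurityContext{RunAsUser: i64(defaultUID), RunAsGroup: i64(defaultGID)}}}
	for i := range pod.Spec.Containers {
		ops = append(ops, PatchOp{Op: "add", Path: fmt.Sprintf("/spec/containers/%d/securityContext", i),
			Value: SecurityContext{RunAsUser: i64(defaultUID), RunAsGroup: i64(defaultGID)}})
	}
	return ops
}

// buildPatchMerge is the corrected behaviour: create the context only when it is
// absent, otherwise patch the two owned fields one by one (assumed precondition:
// the field is unset), leaving every other field untouched.
func buildPatchMerge(pod *Pod) []PatchOp {
	var ops []PatchOp
	if sc := pod.Spec.SecurityContext; sc == nil {
		ops = append(ops, PatchOp{Op: "add", Path: "/spec/securityContext",
			Value: PodSecurityContext{RunAsUser: i64(defaultUID), RunAsGroup: i64(defaultGID)}})
	} else {
		if sc.RunAsUser == nil {
			ops = append(ops, PatchOp{Op: "add", Path: "/spec/securityContext/runAsUser", Value: defaultUID})
		}
		if sc.RunAsGroup == nil {
			ops = append(ops, PatchOp{Op: "add", Path: "/spec/securityContext/runAsGroup", Value: defaultGID})
		}
	}
	for i, c := range pod.Spec.Containers {
		base := fmt.Sprintf("/spec/containers/%d/securityContext", i)
		if c.SecurityContext == nil {
			ops = append(ops, PatchOp{Op: "add", Path: base,
				Value: SecurityContext{RunAsUser: i64(defaultUID), RunAsGroup: i64(defaultGID)}})
			continue
		}
		if c.SecurityContext.RunAsUser == nil {
			ops = append(ops, PatchOp{Op: "add", Path: base + "/runAsUser", Value: defaultUID})
		}
		if c.SecurityContext.RunAsGroup == nil {
			ops = append(ops, PatchOp{Op: "add", Path: base + "/runAsGroup", Value: defaultGID})
		}
	}
	return ops
}

// applyPatch applies "add" ops to the generic JSON form of the pod. Only
// object-member targets are supported; arrays are traversed by index on the way.
func applyPatch(pod *Pod, ops []PatchOp) (map[string]interface{}, error) {
	raw, _ := json.Marshal(pod)
	var doc map[string]interface{}
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, err
	}
	for _, op := range ops {
		valRaw, _ := json.Marshal(op.Value) // normalise the value to generic JSON
		var val interface{}
		_ = json.Unmarshal(valRaw, &val)
		parts := strings.Split(strings.TrimPrefix(op.Path, "/"), "/")
		var cur interface{} = doc
		for _, p := range parts[:len(parts)-1] {
			switch node := cur.(type) {
			case map[string]interface{}:
				cur = node[p]
			case []interface{}:
				idx, err := strconv.Atoi(p)
				if err != nil || idx < 0 || idx >= len(node) {
					return nil, fmt.Errorf("bad index %q in %s", p, op.Path)
				}
				cur = node[idx]
			default:
				return nil, fmt.Errorf("path %s does not exist", op.Path)
			}
		}
		parent, ok := cur.(map[string]interface{})
		if !ok {
			return nil, fmt.Errorf("parent of %s is not an object", op.Path)
		}
		parent[parts[len(parts)-1]] = val // RFC 6902 "add": replaces an existing member
	}
	return doc, nil
}

// podFSGroup reads spec.securityContext.fsGroup back; ok is false if it was lost.
func podFSGroup(doc map[string]interface{}) (v float64, ok bool) {
	spec, _ := doc["spec"].(map[string]interface{})
	sc, _ := spec["securityContext"].(map[string]interface{})
	v, ok = sc["fsGroup"].(float64)
	return
}

// samplePod is a constructed pod that already sets fsGroup and a container-level
// readOnlyRootFilesystem, exactly the fields the overwriting patch drops.
func samplePod() *Pod {
	ro := true
	p := &Pod{}
	p.Spec.SecurityContext = &PodSecurityContext{FSGroup: i64(2000)}
	p.Spec.Containers = []Container{{Name: "app", SecurityContext: &SecurityContext{ReadOnlyRootFilesystem: &ro}}}
	return p
}

func main() {
	pod := samplePod()
	for _, variant := range []struct {
		name string
		ops  []PatchOp
	}{{"overwrite", buildPatchOverwrite(pod)}, {"merge", buildPatchMerge(pod)}} {
		doc, err := applyPatch(pod, variant.ops)
		if err != nil {
			fmt.Println(variant.name, "error:", err)
			continue
		}
		_, kept := podFSGroup(doc)
		fmt.Printf("%-9s ops=%d fsGroup kept=%v\n", variant.name, len(variant.ops), kept)
	}
}
```

The same structure is what a unit test for the webhook should assert: mutate a pod that already carries a security context and check that the fields the webhook does not own survive, at both pod and container level, rather than only checking that runAsUser/runAsGroup were set.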

CLAassistant commented 4 years ago

CLA assistant check
All committers have signed the CLA.

Neumann-Nils commented 4 years ago

Looks good to me and worked while testing it manually. Needs unit tests (https://github.com/karydia/karydia/blob/master/pkg/admission/karydia/admission_test.go) and integration tests (https://github.com/karydia/karydia/blob/master/tests/e2e/admission_security_context_test.go).

cbarbian-sap commented 4 years ago

Unit tests and integration tests have been added.