XenitAB / gatekeeper-library

Collection of OPA Gatekeeper policies that can be used in your Kubernetes cluster.
MIT License

Add mutation for ephemeral containers #86

Closed NissesSenap closed 1 year ago

NissesSenap commented 1 year ago

I have tried to use this PR but I'm unable to get it to work. I still get validation errors.

This has been tested together with https://github.com/XenitAB/terraform-modules/pull/881 and we know that this works since it works with linkerd.

I have tried by running

kubectl run -i -t busybox --image=busybox --restart=Never
kubectl debug busybox --image=golang:1.19.3-alpine3.16 -i -t -- /bin/sh
Defaulting debug container name to debugger-j2g7s.

Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [psp-allow-privilege-escalation-container] Privilege escalation container is not allowed: debugger-j2g7s
[psp-capabilities] ephemeral container <debugger-j2g7s> is not dropping all required capabilities. Container must drop all of ["NET_RAW", "CAP_SYS_ADMIN"] or "ALL"
[psp-readonlyrootfilesystem] only read-only root filesystem container is allowed: debugger-j2g7s

My current thought is that it's some other API that I also need to listen to but I'm unable to find it. Or that the Gatekeeper Assign doesn't work with ephemeralContainers for some reason.

I think that

k get validatingwebhookconfigurations.admissionregistration.k8s.io gatekeeper-validating-webhook-configuration
k get mutatingwebhookconfigurations.admissionregistration.k8s.io gatekeeper-mutating-webhook-configuration

Looks okay.

NissesSenap commented 1 year ago

To solve this I needed to add a custom rule to my opa config. https://github.com/XenitAB/terraform-modules/pull/885

Now my new settings are triggered.
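For reference, the shape such a setup takes. This is an added example, not the content of this PR or of the linked terraform-modules PR: it assumes the Assign mutations target the same three fields the validation errors above complain about, and that the "custom rule" in question is a webhook rule for the pods/ephemeralcontainers subresource. The reason the rule matters: kubectl debug does not update spec.containers, it PATCHes the pod's ephemeralcontainers subresource, and a webhook whose rules only list resources: ["pods"] never sees that request, so Assign mutations on spec.ephemeralContainers are never applied even though the path syntax is valid.

```yaml
# Added example (not project code). Three Assign mutations that cover the three
# violations reported by kubectl debug: allowPrivilegeEscalation,
# capabilities.drop and readOnlyRootFilesystem, all on ephemeral containers.
apiVersion: mutations.gatekeeper.sh/v1
kind: Assign
metadata:
  name: ephemeral-no-privilege-escalation   # hypothetical name
spec:
  applyTo:
    - groups: [""]
      kinds: ["Pod"]
      versions: ["v1"]
  match:
    scope: Namespaced
    kinds:
      - apiGroups: ["*"]
        kinds: ["Pod"]
  # name:* matches every ephemeral container regardless of its generated name
  location: "spec.ephemeralContainers[name:*].securityContext.allowPrivilegeEscalation"
  parameters:
    assign:
      value: false
---
apiVersion: mutations.gatekeeper.sh/v1
kind: Assign
metadata:
  name: ephemeral-drop-all-capabilities   # hypothetical name
spec:
  applyTo:
    - groups: [""]
      kinds: ["Pod"]
      versions: ["v1"]
  match:
    scope: Namespaced
    kinds:
      - apiGroups: ["*"]
        kinds: ["Pod"]
  location: "spec.ephemeralContainers[name:*].securityContext.capabilities.drop"
  parameters:
    assign:
      value: ["ALL"]
---
apiVersion: mutations.gatekeeper.sh/v1
kind: Assign
metadata:
  name: ephemeral-readonly-rootfs   # hypothetical name
spec:
  applyTo:
    - groups: [""]
      kinds: ["Pod"]
      versions: ["v1"]
  match:
    scope: Namespaced
    kinds:
      - apiGroups: ["*"]
        kinds: ["Pod"]
  location: "spec.ephemeralContainers[name:*].securityContext.readOnlyRootFilesystem"
  parameters:
    assign:
      value: true
---
# The rule the mutating webhook needs in addition to its plain "pods" rule.
# kubectl debug is a PATCH on the subresource, which admission sees as UPDATE.
# Assumption: this is what gets added to gatekeeper-mutating-webhook-configuration
# (the page does not show the contents of the linked PR).
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: gatekeeper-mutating-webhook-configuration
webhooks:
  - name: mutation.gatekeeper.sh
    # ...other fields unchanged...
    rules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["UPDATE"]
        resources: ["pods/ephemeralcontainers"]
```

A quick check before assuming the Assign resources are at fault: kubectl get mutatingwebhookconfigurations gatekeeper-mutating-webhook-configuration -o yaml and confirm pods/ephemeralcontainers appears under rules. If it does not, the request never reaches Gatekeeper and no Assign will fire, which is exactly the "looks okay but nothing happens" symptom described above.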

phillebaba commented 1 year ago

Could you split the version updates into a separate PR?

NissesSenap commented 1 year ago

Agreed: https://github.com/XenitAB/gatekeeper-library/pull/87