XenitAB / gatekeeper-library

Collection of OPA Gatekeeper policies that can be used in your Kubernetes cluster.
MIT License
14 stars 7 forks

Review k8s pod-security-standards to match library #90

Open NissesSenap opened 1 year ago

NissesSenap commented 1 year ago

Took an initial look at the list https://kubernetes.io/docs/concepts/security/pod-security-standards/ and in general it looks very good.

I think we have missed configuring anything around restricting the seccompProfile, seLinux and sysctls options.
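
As an illustration of the first of those gaps, here is a ConstraintTemplate and Constraint that require every container in a Pod to end up with a seccompProfile.type of RuntimeDefault or Localhost, which is what the restricted Pod Security Standard demands. This is an added example written for this discussion, not a policy from the XenitAB library; the kind name K8sRequiredSeccompProfile, the parameter name allowedProfileTypes and the Rego rule names are my own choices. The Rego looks at containers, initContainers and ephemeralContainers, and lets a container-level securityContext override the pod-level one, matching how the kubelet resolves the effective profile.

```yaml
# Added example (not part of gatekeeper-library): require a seccomp profile on every container.
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequiredseccompprofile   # assumed name
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredSeccompProfile   # assumed kind
      validation:
        openAPIV3Schema:
          type: object
          properties:
            allowedProfileTypes:        # assumed parameter name
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredseccompprofile

        # Every container kind that can run inside the pod.
        containers[c] { c := input.review.object.spec.containers[_] }
        containers[c] { c := input.review.object.spec.initContainers[_] }
        containers[c] { c := input.review.object.spec.ephemeralContainers[_] }

        # A container-level seccompProfile wins over the pod-level one;
        # if neither is set the function is undefined, which counts as a violation.
        effective_type(c) = t {
          t := c.securityContext.seccompProfile.type
        } else = t {
          t := input.review.object.spec.securityContext.seccompProfile.type
        }

        has_allowed_profile(c) {
          effective_type(c) == input.parameters.allowedProfileTypes[_]
        }

        violation[{"msg": msg}] {
          c := containers[_]
          not has_allowed_profile(c)
          msg := sprintf(
            "container %q must set securityContext.seccompProfile.type (pod- or container-level) to one of %v",
            [c.name, input.parameters.allowedProfileTypes],
          )
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredSeccompProfile
metadata:
  name: pods-must-use-seccomp       # assumed name
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    # Same set the restricted profile accepts; "Unconfined" and an unset type are rejected.
    allowedProfileTypes: ["RuntimeDefault", "Localhost"]
```

Because the rule treats "no profile anywhere" as a violation, the Constraint also catches the common case where a chart sets nothing at all, rather than only an explicit Unconfined. Matching on Pod rather than Deployment or Job is deliberate: the Pod is what the kubelet actually runs, and it is also what Pod Security Admission evaluates, so the two mechanisms then agree. The seLinux and sysctls checks mentioned above would follow the same shape, walking spec.securityContext.seLinuxOptions and spec.securityContext.sysctls respectively.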

brsolomon-deloitte commented 1 year ago

Error creating: pods "wait-for-crds-chg4r" is forbidden: violates PodSecurity "restricted:v1.24": allowPrivilegeEscalation != false (container "wait-for-crds" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "wait-for-crds" must set securityContext.capabilities.drop=["ALL"]), runAsNonRoot != true (pod or container "wait-for-crds" must set securityContext.runAsNonRoot=true), seccompProfile (pod or container "wait-for-crds" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")

Related error when deploying this chart version v0.23.1 against EKS 1.26 on the Job/wait-for-crds resource.

brsolomon-deloitte commented 1 year ago

@NissesSenap you can find a related PR here:

https://github.com/sighupio/gatekeeper-policy-manager/pull/545

The issue here is that this chart's Job/wait-for-crds will fail if there is a Restricted PSS and there is no way to configure it otherwise using values.yaml.
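
For reference, each clause of the admission error quoted above maps to one field in the pod or container securityContext, so a Job that passes restricted:v1.24 looks like the following. This is an added example that rewrites the shape of the Job by hand; it is not the chart's actual template, and the image and command are placeholders, since the real ones are not shown in this thread.

```yaml
# Added example (not the chart's template): a Job shaped to satisfy the restricted PSS level.
apiVersion: batch/v1
kind: Job
metadata:
  name: wait-for-crds
spec:
  template:
    spec:
      restartPolicy: OnFailure
      # Pod-level settings: PSA accepts these at pod or container level,
      # so setting them once here covers every container in the pod.
      securityContext:
        runAsNonRoot: true                # fixes: runAsNonRoot != true
        seccompProfile:
          type: RuntimeDefault            # fixes: seccompProfile must be RuntimeDefault or Localhost
        # Only needed if the image has no non-root USER; otherwise the kubelet
        # refuses to start a runAsNonRoot pod whose image resolves to UID 0.
        runAsUser: 65532                  # assumed UID
      containers:
        - name: wait-for-crds
          image: example.invalid/kubectl:latest   # placeholder image, not the chart's
          command: ["sh", "-c", "until kubectl get crd constrainttemplates.templates.gatekeeper.sh; do sleep 2; done"]  # assumed command
          # Container-level settings: PSA requires these on every container.
          securityContext:
            allowPrivilegeEscalation: false   # fixes: allowPrivilegeEscalation != false
            capabilities:
              drop: ["ALL"]                   # fixes: unrestricted capabilities
```

A quick way to check a rendered chart before installing it is to run `helm template` and apply the output with `kubectl apply --dry-run=server` into a namespace labelled `pod-security.kubernetes.io/enforce=restricted`; the API server then reports the same violations as the error above without creating anything. In a Helm chart the two securityContext blocks would normally be exposed through values (for example a podSecurityContext and a securityContext value for the Job), which is the configurability the comment above says is currently missing.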

NissesSenap commented 1 year ago

Yeah, I used it on a new cluster a few days ago and got the same issue. I don't work at Xenit any more, but I'm sure they would be very happy to get a PR, @brsolomon-deloitte, if you have the possibility.

simongottschlag commented 1 year ago

We are always happy to receive PRs! 😊🖖

Otherwise we'll take it as it comes up for ourselves in the process of validating the new versions. 👍