Closed jvanz closed 2 years ago
AFAICS, the root cause of this issue is that the psp-migration expects the fields `hostIPC`, `hostNetwork`, `hostPID` and `readOnlyRootFilesystem` to be `false`. However, if the user deploys these fields with a `false` value, Kubernetes just ignores them. Therefore, when the user forwards the output of the `kubectl get psp` command to the psp-migration tool, the fields are not there. Take a look at this example:
```console
jvanz@earth:~/suse/migration-script> cat psp-example3.yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: pod-security-policy-restricted-psp3
spec:
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  hostIPC: false
  hostNetwork: false
  hostPID: false
  privileged: false
  readOnlyRootFilesystem: false
  runAsUser:
    # Require the container to run without root privileges.
    rule: 'MustRunAsNonRoot'
  seLinux:
    # This policy assumes the nodes are using AppArmor rather than SELinux.
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  # Allow core volume types.
jvanz@earth:~/suse/migration-script> kubectl apply -f psp-example3.yaml
Warning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
podsecuritypolicy.policy/pod-security-policy-restricted-psp3 created
jvanz@earth:~/suse/migration-script> kubectl get psp pod-security-policy-restricted-psp3 -o json | jq ".spec"
Warning: policy/v1beta1 PodSecurityPolicy is deprecated in v1.21+, unavailable in v1.25+
{
  "allowPrivilegeEscalation": true,
  "fsGroup": {
    "ranges": [
      {
        "max": 65535,
        "min": 1
      }
    ],
    "rule": "MustRunAs"
  },
  "runAsUser": {
    "rule": "MustRunAsNonRoot"
  },
  "seLinux": {
    "rule": "RunAsAny"
  },
  "supplementalGroups": {
    "ranges": [
      {
        "max": 65535,
        "min": 1
      }
    ],
    "rule": "MustRunAs"
  }
}
```
This explains why the psp-migration is able to migrate from the original file used to deploy the PSP, but cannot migrate from the `kubectl` output.
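The comment above shows the API server returning a PSP spec with every `false` boolean stripped out, so a spec read back with `kubectl get psp -o json` no longer says what the manifest said. The following is an added example, not code from the psp-migration tool or from the issue author: a small Python normalizer that (a) reports which manifest fields are missing from the API object and (b) restores the booleans the page shows being dropped (`hostIPC`, `hostNetwork`, `hostPID`, `privileged`, `readOnlyRootFilesystem`) as explicit `false` before the JSON is handed to a migration tool. The two sample specs are constructed from the manifest and the `jq` output shown above; the function names are this example's own.

```python
"""Restore PodSecurityPolicy booleans that the API server omits when false.

A spec fetched with `kubectl get psp -o json` drops boolean fields that were
set to false in the manifest, so a tool that keys on "field present and false"
sees nothing. This normalizer makes the absence explicit again.
"""
import json

# Boolean PSP spec fields observed above to vanish from the stored object when
# set to false. Their absence therefore means "false". Fields with a non-false
# server-side default (allowPrivilegeEscalation came back as true) are left
# alone on purpose: filling them in with false would invent a stricter policy.
OMITTED_WHEN_FALSE = (
    "hostIPC",
    "hostNetwork",
    "hostPID",
    "privileged",
    "readOnlyRootFilesystem",
)


def dropped_fields(manifest_spec, api_spec):
    """Return the manifest spec keys that are missing from the API-returned spec."""
    return sorted(key for key in manifest_spec if key not in api_spec)


def normalize_psp_spec(spec):
    """Return a copy of spec with the omitted booleans filled in as False.

    Existing values are never overwritten, so a manifest spec passes through
    unchanged and an API spec gains only the keys the server stripped.
    """
    normalized = dict(spec)
    for field in OMITTED_WHEN_FALSE:
        normalized.setdefault(field, False)
    return normalized


def normalize_psp_json(text):
    """Normalize a full `kubectl get psp <name> -o json` document (as text)."""
    obj = json.loads(text)
    obj["spec"] = normalize_psp_spec(obj.get("spec", {}))
    return json.dumps(obj, indent=2, sort_keys=True)


# Constructed sample input: the spec of psp-example3.yaml as a dict ...
MANIFEST_SPEC = {
    "fsGroup": {"rule": "MustRunAs", "ranges": [{"min": 1, "max": 65535}]},
    "hostIPC": False,
    "hostNetwork": False,
    "hostPID": False,
    "privileged": False,
    "readOnlyRootFilesystem": False,
    "runAsUser": {"rule": "MustRunAsNonRoot"},
    "seLinux": {"rule": "RunAsAny"},
    "supplementalGroups": {"rule": "MustRunAs", "ranges": [{"min": 1, "max": 65535}]},
}

# ... and what the API server handed back for it (the jq ".spec" output).
API_SPEC = {
    "allowPrivilegeEscalation": True,
    "fsGroup": {"ranges": [{"max": 65535, "min": 1}], "rule": "MustRunAs"},
    "runAsUser": {"rule": "MustRunAsNonRoot"},
    "seLinux": {"rule": "RunAsAny"},
    "supplementalGroups": {"ranges": [{"max": 65535, "min": 1}], "rule": "MustRunAs"},
}


if __name__ == "__main__":
    print("dropped by the API server:", dropped_fields(MANIFEST_SPEC, API_SPEC))
    restored = normalize_psp_spec(API_SPEC)
    print("still missing after normalizing:", dropped_fields(MANIFEST_SPEC, restored))
    # Usage against a live cluster would be:
    #   kubectl get psp <name> -o json | python3 this_file.py
    # with sys.stdin.read() fed to normalize_psp_json(); kept offline here.
```

The check in `dropped_fields` is the useful part for triage: run it on the manifest versus the live object before migrating and it tells you exactly which settings a kubectl-based migration would silently lose. The normalizer only fills in fields whose omission the page demonstrates; anything else left out of the API response should be investigated, not defaulted.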
What happened?
The psp-migration is not able to generate some Kubewarden policies directly from the `kubectl` output. Consider the following PSP:
After applying it, when we tried to generate the Kubewarden policies from the `kubectl get psp` command, the migration tool generated this:
Note that the `hostIPC`, `hostNetwork`, `hostPID`, `privileged` and `readOnlyRootFilesystem` fields are not being converted to the corresponding Kubewarden policy. However, if I use the original YAML file used to deploy the PSP, the migration tool is able to create the policies.
What policy engine were you generating policy for
Kubewarden
Relevant log output
No response