appvia / psp-migration

Recreation of common Pod Security Policy configuration in other common Kubernetes policy engines
https://appvia.github.io/psp-migration
MIT License

runAsUser.rule = MustRunAsNonRoot doesn't work as expected #27

Open chrisns opened 2 years ago

chrisns commented 2 years ago

Is there an existing issue for this?

What happened?

A bug happened!

What policy engine(s) are you using?

Input PSP

# https://github.com/kubernetes/website/blob/main/content/en/examples/policy/example-psp.yaml 
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: example
spec:
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: MustRunAsNonRoot
  fsGroup:
    rule: RunAsAny
  volumes:
  - '*'

Gatekeeper output

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPAllowedUsers
metadata:
  name: psp-k8spspallowedusers-97934
spec:
  match:
    kinds:
      - apiGroups:
          - ""
        kinds:
          - Pod
  parameters:
    runAsUser:
      rule: MustRunAsNonRoot

Kubewarden output

apiVersion: policies.kubewarden.io/v1alpha2
kind: ClusterAdmissionPolicy
metadata:
  name: psp-usergroup-070cd
spec:
  module: registry://ghcr.io/kubewarden/policies/user-group-psp:v0.1.3
  rules:
    - apiGroups:
        - ""
      apiVersions:
        - v1
      resources:
        - pods
      operations:
        - CREATE
        - UPDATE
  mutating: false
  settings:
    run_as_user:
      rule: MustRunAsNonRoot
    supplemental_groups:
      rule: RunAsAny

Kyverno output

Cannot read properties of undefined (reading '0')

GIT

54f53bc5fe4d8d264ce15f202ef8e43ae01cff6e

Clijsters commented 1 year ago

After facing the same problem... Judging from https://github.com/appvia/psp-migration/blob/main/src/kyverno.ts#L274 and the according group equivalent some lines further down I'd guess the range should be optional in both cases.
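The crash in the report (`Cannot read properties of undefined (reading '0')`) is what you get when a converter indexes `runAsUser.ranges[0]` although `MustRunAsNonRoot` needs no ranges at all. The following TypeScript is an added example, not code from appvia/psp-migration: a small, defensive translation of a PSP `runAsUser` block into a Kyverno `validate.pattern` fragment that only reads `ranges` for the one rule that requires them. The function names, the `PspRunAsUser` type and the exact ClusterPolicy shape are assumptions for illustration; only the PSP field names come from the issue, and the `min-max` and `|` operators are Kyverno's documented pattern syntax.

```typescript
// Added example (not the project's kyverno.ts): convert PSP runAsUser to a
// Kyverno pattern without assuming that `ranges` is present.

type PspRange = { min: number; max: number };
type PspRunAsUser = {
  rule: "RunAsAny" | "MustRunAsNonRoot" | "MustRunAs";
  ranges?: PspRange[]; // optional: only MustRunAs needs it
};

// Pattern fragment that Kyverno applies to a container's securityContext.
type SecurityContextPattern = Record<string, string | boolean>;

export function runAsUserToKyvernoPattern(
  spec: PspRunAsUser,
): SecurityContextPattern | null {
  switch (spec.rule) {
    case "RunAsAny":
      return null; // nothing to enforce
    case "MustRunAsNonRoot":
      // The issue's input: no ranges given. Never touch spec.ranges here.
      return { runAsNonRoot: true };
    case "MustRunAs": {
      const ranges = spec.ranges ?? []; // guard against undefined
      if (ranges.length === 0) {
        throw new Error("runAsUser.rule=MustRunAs requires at least one range");
      }
      // Kyverno pattern range syntax "min-max"; several ranges OR-ed with "|".
      return { runAsUser: ranges.map((r) => `${r.min}-${r.max}`).join(" | ") };
    }
    default:
      throw new Error(`unsupported runAsUser.rule: ${(spec as PspRunAsUser).rule}`);
  }
}

// Wrap the fragment in a ClusterPolicy-like object (shape assumed for the
// example). RunAsAny yields an empty rule list instead of a crash.
export function pspToKyvernoPolicy(name: string, runAsUser: PspRunAsUser) {
  const pattern = runAsUserToKyvernoPattern(runAsUser);
  const rules = pattern
    ? [
        {
          name: `${name}-run-as-user`,
          match: { any: [{ resources: { kinds: ["Pod"] } }] },
          validate: {
            message: `runAsUser must satisfy rule ${runAsUser.rule}`,
            pattern: { spec: { containers: [{ securityContext: pattern }] } },
          },
        },
      ]
    : [];
  return {
    apiVersion: "kyverno.io/v1",
    kind: "ClusterPolicy",
    metadata: { name },
    spec: { validationFailureAction: "Enforce", rules },
  };
}

// The PSP from the issue, reduced to the runAsUser block (constructed input).
const examplePsp: PspRunAsUser = { rule: "MustRunAsNonRoot" };
console.log(JSON.stringify(pspToKyvernoPolicy("example", examplePsp), null, 2));
```

Running it prints a policy whose single rule requires `runAsNonRoot: true` on every container, which is the Kyverno equivalent of the Gatekeeper and Kubewarden outputs above; feeding `{ rule: "MustRunAs" }` with no ranges fails with a clear message rather than a `TypeError`.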