kubewarden / allow-privilege-escalation-psp-policy

A Kubewarden Pod Security Policy that controls usage of allowPrivilegeEscalation
https://kubewarden.io
Apache License 2.0

policy documentation contains technical mistake #3

Closed srenatus closed 3 years ago

srenatus commented 3 years ago

The readme says:

The following Pod would be blocked because the allowPrivilegeEscalation is enabled at the Pod level:

apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  securityContext:
    allowPrivilegeEscalation: true
  containers:
  - name: nginx
    image: nginx
  - name: sidecar
    image: sidecar

But I can't seem to find that reflected in the code; it's only checking containers and init containers. Am I missing something? 😄

ereslibre commented 3 years ago

Ouch, that documentation is wrong. PodSecurityContext (https://github.com/kubernetes/kubernetes/blob/564b0e55c7007745500d579356897848aaacb9dd/staging/src/k8s.io/api/core/v1/types.go#L3238-L3304) does not have an allowPrivilegeEscalation property. Only SecurityContext, used in Container (https://github.com/kubernetes/kubernetes/blob/564b0e55c7007745500d579356897848aaacb9dd/staging/src/k8s.io/api/core/v1/types.go#L6089), has it, and thus containers and init containers.

Does that explain it, @srenatus? I think we can keep this issue as a reminder to update the documentation. I can take care of that.
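As an added illustration of the point made in this thread (example code, not the policy's own implementation): a minimal Go check that, like the policy, inspects only containers and initContainers, run against the README pod quoted above and against a pod that sets the flag on an init container. The trimmed-down types, the Offenders function and both JSON pods are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hand-written subset of the core/v1 Pod schema (assumption of this example,
// not the real Kubernetes or Kubewarden types); JSON keys follow the API.
type SecurityContext struct {
	AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty"`
}
type Container struct {
	Name            string           `json:"name"`
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
}
// Like the real PodSecurityContext this has no allowPrivilegeEscalation field, so encoding/json drops the key.
type PodSecurityContext struct{}
type PodSpec struct {
	SecurityContext *PodSecurityContext `json:"securityContext,omitempty"`
	InitContainers  []Container         `json:"initContainers,omitempty"`
	Containers      []Container         `json:"containers"`
}

// Offenders returns the names of init containers and containers that set
// allowPrivilegeEscalation: true; an unset value is not flagged (assumption,
// the issue does not say how the real policy treats the default).
func Offenders(rawPod []byte) ([]string, error) {
	var pod struct{ Spec PodSpec `json:"spec"` }
	if err := json.Unmarshal(rawPod, &pod); err != nil {
		return nil, err
	}
	bad := []string{}
	for _, list := range [][]Container{pod.Spec.InitContainers, pod.Spec.Containers} {
		for _, c := range list {
			if sc := c.SecurityContext; sc != nil && sc.AllowPrivilegeEscalation != nil && *sc.AllowPrivilegeEscalation {
				bad = append(bad, c.Name)
			}
		}
	}
	return bad, nil
}
// Constructed inputs: the README pod from the issue (pod-level setting) and one with the flag on an init container.
const ReadmePod = `{"apiVersion":"v1","kind":"Pod","metadata":{"name":"nginx"},"spec":{"securityContext":{"allowPrivilegeEscalation":true},"containers":[{"name":"nginx","image":"nginx"},{"name":"sidecar","image":"sidecar"}]}}`
const ContainerPod = `{"apiVersion":"v1","kind":"Pod","metadata":{"name":"nginx"},"spec":{"initContainers":[{"name":"init","image":"busybox","securityContext":{"allowPrivilegeEscalation":true}}],"containers":[{"name":"nginx","image":"nginx","securityContext":{"allowPrivilegeEscalation":false}},{"name":"sidecar","image":"sidecar"}]}}`

func main() {
	fmt.Println(Offenders([]byte(ReadmePod)))    // [] <nil>: the pod-level key never reaches the check
	fmt.Println(Offenders([]byte(ContainerPod))) // [init] <nil>
}
```

The first result is exactly what the issue reports: a pod-level allowPrivilegeEscalation is not a field the policy (or the API) can see, so the README pod would not be blocked.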