The original Kubernetes PSP also featured a `DefaultAllowPrivilegeEscalation` option. Quoting the official docs:

> DefaultAllowPrivilegeEscalation - Sets the default for the allowPrivilegeEscalation option. The default behavior without this is to allow privilege escalation so as to not break setuid binaries. If that behavior is not desired, this field can be used to default to disallow, while still permitting pods to request allowPrivilegeEscalation explicitly.

We should extend this policy to handle this scenario as well.

## Acceptance criteria

- The policy gains mutation abilities
- If `DefaultAllowPrivilegeEscalation` is set to `false` and a `securityContext` doesn't provide an explicit value for `allowPrivilegeEscalation`, the policy will mutate the incoming object to ensure `allowPrivilegeEscalation = false`
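
The mutation rule from the acceptance criteria, sketched in Go as an added example; it is not part of the original issue or the policy's own code. The type subset, the `ApplyDefault` name, its `defaultAllow` parameter and the sample pod are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal subset of the Pod spec, enough for this example.
type SecurityContext struct {
	AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty"`
}
type Container struct {
	Name            string           `json:"name"`
	SecurityContext *SecurityContext `json:"securityContext,omitempty"`
}
type PodSpec struct {
	InitContainers      []*Container `json:"initContainers,omitempty"`
	Containers          []*Container `json:"containers"`
	EphemeralContainers []*Container `json:"ephemeralContainers,omitempty"`
}

// Constructed sample: "init" and "app" leave the field unset, "setuid-tool" opts in.
const samplePod = `{"initContainers":[{"name":"init","securityContext":{}}],"containers":[
 {"name":"app"},{"name":"setuid-tool","securityContext":{"allowPrivilegeEscalation":true}}]}`

// ApplyDefault (hypothetical name) returns the names of the containers it changed.
func ApplyDefault(spec *PodSpec, defaultAllow bool) (mutated []string) {
	if defaultAllow {
		return nil // same as the Kubernetes default: nothing to mutate
	}
	for _, list := range [][]*Container{spec.InitContainers, spec.Containers, spec.EphemeralContainers} {
		for _, c := range list {
			if c.SecurityContext == nil {
				c.SecurityContext = &SecurityContext{}
			}
			if c.SecurityContext.AllowPrivilegeEscalation == nil { // nil = unset; explicit values are kept
				deny := false
				c.SecurityContext.AllowPrivilegeEscalation = &deny
				mutated = append(mutated, c.Name)
			}
		}
	}
	return mutated
}

func main() {
	var spec PodSpec
	err := json.Unmarshal([]byte(samplePod), &spec)
	fmt.Println("mutated:", ApplyDefault(&spec, false), "parse error:", err)
}
```

The pointer-typed field is what lets the code tell "not provided" apart from an explicit `false`, so a container that explicitly requests `allowPrivilegeEscalation: true` passes through unchanged.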