kubewarden / kubewarden-controller

Manage admission policies in your Kubernetes cluster with ease
https://kubewarden.io
Apache License 2.0

Update some of our policies that are targeting `Pod`, to make them process higher level objects #282

Open jvanz opened 1 year ago

jvanz commented 1 year ago

Update some of our policies that are targeting Pod, to make them process higher level objects like deployments. This is a better practice because we prevent the resources from being created instead of failing in the deployment phase when the pods are created.

The following is the list of policies with rules targeting the Pod resource which need to be updated:

Go-based:

Rust-based:

For the Rust policies, it's possible to use a recent feature added to the Rust SDK which allows policy authors to get the pod definition from the high level resources. It would be nice to have a similar feature in the other SDKs as well.
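The approach described in the comment above, as an added example that is not part of the original issue and not Kubewarden code: a Pod-level rule is written once and run against the PodSpec embedded in whichever workload kind arrives. It uses only the Go standard library rather than any Kubewarden SDK call; `ExtractPodSpec`, `HasPrivileged`, `podSpecPaths` and the sample object are hypothetical names and constructed data.

```go
package main

import (
	"encoding/json"
	"fmt"
)

type obj = map[string]interface{}
// podSpecPaths: where each kind embeds its PodSpec (common built-in kinds; not exhaustive).
var tmpl = []string{"spec", "template", "spec"}
var podSpecPaths = map[string][]string{
	"Pod": {"spec"}, "Deployment": tmpl, "ReplicaSet": tmpl, "StatefulSet": tmpl, "DaemonSet": tmpl,
	"Job": tmpl, "CronJob": append([]string{"spec", "jobTemplate"}, tmpl...),
}

// ExtractPodSpec returns the PodSpec embedded in a raw object, whatever its kind.
func ExtractPodSpec(raw []byte) (cur obj, err error) {
	if err = json.Unmarshal(raw, &cur); err != nil {
		return nil, err
	}
	kind, ok := cur["kind"].(string)
	if !ok || podSpecPaths[kind] == nil {
		return nil, fmt.Errorf("kind %q has no known pod template", kind)
	}
	for _, key := range podSpecPaths[kind] {
		if cur, ok = cur[key].(obj); !ok {
			return nil, fmt.Errorf("%s: field %q missing", kind, key)
		}
	}
	return cur, nil
}

// HasPrivileged is a sample Pod-level rule (hypothetical name) applied to any supported kind.
func HasPrivileged(raw []byte) (bool, error) {
	spec, err := ExtractPodSpec(raw) // on error spec is nil and the loops do nothing
	for _, field := range []string{"containers", "initContainers"} {
		list, _ := spec[field].([]interface{})
		for _, c := range list {
			ctr, _ := c.(obj)
			if sc, _ := ctr["securityContext"].(obj); sc["privileged"] == true {
				return true, nil
			}
		}
	}
	return false, err
}

// Constructed sample: a Deployment whose pod template requests a privileged container.
const sample = `{"kind":"Deployment","spec":{"template":{"spec":{"containers":[{"name":"app","securityContext":{"privileged":true}}]}}}}`
func main() { fmt.Println(HasPrivileged([]byte(sample))) }
```

Kinds missing from the path table return an error rather than being silently allowed, so the caller has to decide explicitly how unknown workload types are treated.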

jvanz commented 1 year ago

As we are not working on this now, I've re-added the issue to the board to keep it in the "waiting triage" queue.

flavio commented 11 months ago

Instead of updating all our policies targeting Pods to cover for high order resources, we might consider doing something like Kyverno auto-gen rules.

adnanhashmi09 commented 11 months ago

I would like to work on this issue. Please assign this to me.

jvanz commented 11 months ago

@adnanhashmi09, please select a sub task. I'll assign it to you as well.

flavio commented 11 months ago

Wait, I'm a bit confused. I don't know if @adnanhashmi09 wants to work on the original task or attempt to implement what I described inside of https://github.com/kubewarden/kubewarden-controller/issues/282#issuecomment-1665120267.

@adnanhashmi09: can you please clarify?

adnanhashmi09 commented 11 months ago

I am working on this sub-issue. I left a comment there. @flavio

flavio commented 11 months ago

JFYI, I've created https://github.com/kubewarden/rfc/issues/23 to keep track of what I described inside of https://github.com/kubewarden/kubewarden-controller/issues/282#issuecomment-1665120267.

I suggest putting this issue on hold until we understand whether we can have a generic way to make Pod-specific policies work against higher-order resources.

niheetes commented 5 months ago

Any progress on the generic way to make these policies work on higher level resources?

jvanz commented 5 months ago

> Any progress on the generic way to make these policies work on higher level resources?

No, this issue is on hold for now. May I ask why you're interested in this? Are you facing some issue writing policies or something similar? Do you want to contribute?

jvanz commented 5 months ago

@niheetes sorry for the long delay in giving you feedback. We've discussed this issue during our planning session and we do not want to fix all the policies manually, because that will require a lot of changes and it is not future-proof. In other words, we would like to avoid having to remember every time that a policy must handle pods inside high level resources. Therefore, we will refine this card to decide the proper way to move it forward.

However, we do not want to leave you without a workaround. Thus, we would like to know which policies you want to get fixed, so we can work on them while we have not found the final solution for this issue. Can you share that with us?