Closed flavio closed 2 years ago
The policy is completed except for some test cases: https://github.com/ereslibre/psp-allowed-fsgroups
This policy is now complete, please @kubewarden/kubewarden-developers, review when you have some time.
Could we do a PR against a kubewarden/psp-allowed-fsgroups repo generated from the template?
Hm, it's going to be a bit messy I think at this point. Do you have a recommendation on how to do that? I could produce a patch though by creating an empty project with cargo-generate and diffing them.
Just realized, https://github.com/kubewarden/policy-rust-template is not a "template repo" as, for example, the go template is. It can be enabled in the rust template repo settings (I don't have perms). I was thinking of just clicking on creating a repo from the rust template.
Maybe it's worth it to port the new test approach to the rust template, and close the gaps there.
I'm happy just reviewing a PR by looking at the resulting files in the branch, instead of changes :/.
`cargo generate` is nicer than a bare GitHub template because it asks questions on generation and performs substitutions on the generated tree, so it's better in this case to not mark it as a GitHub template. That repo is only meant to be used with cargo-generate.
Nevertheless I'm going to do something and open a PR inside that repo in a sec.
Create a Kubewarden policy that can replace the FSGroup PSP.

The policy validates the presence/absence/value of `pod.spec.securityContext.fsGroup`. This is a mutating policy.

## Configuration

The policy can be configured via these values:

* `mustRunAs` - Requires at least one range to be specified. Uses the minimum value of the first range as the default. Validates against all ranges.
* `mayRunAs` - Requires at least one range to be specified. Allows FSGroups to be left unset without providing a default. Validates against all ranges if FSGroups is set.
* `runAsAny` - No default provided. Allows any fsGroup ID to be specified.

For example:

Given the configuration from above, the policy will:

* Reject any pod whose `fsGroup` isn't respecting the following rule: `2000 <= fsGroupFromUser <= 3000`
* Mutate any pod that doesn't have a `fsGroup` so that it has `fsGroup` set to `2000`

The policy can mutate incoming objects only when `mustRunAs` is specified.

### Settings validation

* Exactly one of `mustRunAs`, `mayRunAs` and `runAsAny` must be provided
* `mustRunAs` and `mayRunAs` must have an array as value. The array must have two values: minimum and maximum. The minimum value cannot be greater than the maximum one
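The decision logic the configuration and settings-validation sections describe, written out as an added example. This is not the policy's own code and does not use the Kubewarden SDK or serde: the settings are modelled as plain Rust types (`RawSettings`, `Range`, `FsGroupRule` and `Verdict` are names chosen here), and the mutation is represented by the `fsGroup` value the policy would set rather than a JSON patch. The sample configuration in `main` is constructed to match the `2000 <= fsGroupFromUser <= 3000` example above.

```rust
// Added example (not the policy's own code): fsGroup PSP replacement logic.

/// Inclusive range of allowed fsGroup IDs: the two-value (minimum, maximum)
/// array the settings validation refers to.
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct Range {
    pub min: i64,
    pub max: i64,
}

/// Settings as they arrive from the policy configuration: each strategy is a
/// separate optional key, so validation has to establish that exactly one is set.
#[derive(Debug, Default)]
pub struct RawSettings {
    pub must_run_as: Option<Vec<Range>>,
    pub may_run_as: Option<Vec<Range>>,
    pub run_as_any: Option<bool>,
}

/// Validated settings: exactly one strategy.
#[derive(Debug, Clone, PartialEq)]
pub enum FsGroupRule {
    MustRunAs(Vec<Range>),
    MayRunAs(Vec<Range>),
    RunAsAny,
}

/// Outcome for one admission request.
#[derive(Debug, Clone, PartialEq)]
pub enum Verdict {
    Accept,
    /// The pod had no fsGroup and mustRunAs supplies the default to patch in.
    Mutate { fs_group: i64 },
    Reject(String),
}

/// At least one range, and every range must have min <= max.
fn check_ranges(key: &str, ranges: &[Range]) -> Result<(), String> {
    if ranges.is_empty() {
        return Err(format!("{}: at least one range must be specified", key));
    }
    if let Some(r) = ranges.iter().find(|r| r.min > r.max) {
        return Err(format!(
            "{}: minimum {} cannot be greater than maximum {}",
            key, r.min, r.max
        ));
    }
    Ok(())
}

/// Settings validation: exactly one of mustRunAs, mayRunAs, runAsAny.
pub fn validate_settings(raw: &RawSettings) -> Result<FsGroupRule, String> {
    let mut rules = Vec::new();
    if let Some(r) = &raw.must_run_as {
        check_ranges("mustRunAs", r)?;
        rules.push(FsGroupRule::MustRunAs(r.clone()));
    }
    if let Some(r) = &raw.may_run_as {
        check_ranges("mayRunAs", r)?;
        rules.push(FsGroupRule::MayRunAs(r.clone()));
    }
    if raw.run_as_any == Some(true) {
        rules.push(FsGroupRule::RunAsAny);
    }
    match rules.len() {
        1 => Ok(rules.remove(0)),
        0 => Err("one of mustRunAs, mayRunAs and runAsAny must be provided".to_string()),
        _ => Err("only one of mustRunAs, mayRunAs and runAsAny can be provided".to_string()),
    }
}

fn in_any_range(ranges: &[Range], id: i64) -> bool {
    ranges.iter().any(|r| r.min <= id && id <= r.max)
}

/// Evaluate `pod.spec.securityContext.fsGroup` (None when unset) against the rule.
/// Only mustRunAs ever mutates; the default is the minimum of the first range.
pub fn evaluate(rule: &FsGroupRule, fs_group: Option<i64>) -> Verdict {
    match (rule, fs_group) {
        (FsGroupRule::RunAsAny, _) => Verdict::Accept,
        (FsGroupRule::MayRunAs(_), None) => Verdict::Accept,
        (FsGroupRule::MustRunAs(ranges), None) => Verdict::Mutate { fs_group: ranges[0].min },
        (FsGroupRule::MustRunAs(ranges), Some(id)) | (FsGroupRule::MayRunAs(ranges), Some(id)) => {
            if in_any_range(ranges, id) {
                Verdict::Accept
            } else {
                Verdict::Reject(format!("fsGroup {} is not within any allowed range", id))
            }
        }
    }
}

fn main() {
    // Constructed settings mirroring the example in the text: mustRunAs 2000..=3000.
    let raw = RawSettings {
        must_run_as: Some(vec![Range { min: 2000, max: 3000 }]),
        ..Default::default()
    };
    let rule = validate_settings(&raw).expect("settings are valid");
    println!("{:?}", evaluate(&rule, None)); // Mutate { fs_group: 2000 }
    println!("{:?}", evaluate(&rule, Some(2500))); // Accept
    println!("{:?}", evaluate(&rule, Some(4000))); // Reject(..)
}
```

Settings are rejected before any pod is looked at, which matches how Kubewarden calls `validate_settings` separately from `validate`; a policy that accepted an empty `mustRunAs` array would otherwise panic on `ranges[0]` when it tried to compute the default.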