Create PSP FSGroup - Githubissues

flavio commented 3 years ago

Create a Kubewarden policy that can replace the FSGroup PSP.

The policy validates the presence/absence/value of pod.spec.securityContext.fsGroup.

This is a mutating policy.

Configuration

The policy can be configured via these values:

mustRunAs - Requires at least one range to be specified. Uses the minimum value of the first range as the default. Validates against all ranges.
mayRunAs - Requires at least one range to be specified. Allows FSGroups to be left unset without providing a default. Validates against all ranges if FSGroups is set.
runAsAny - No default provided. Allows any fsGroup ID to be specified.

For example:

mustRunAs: [2000,3000]

Given the configuration from above, the policy will:

reject a pod that has a value of fsGroup that isn't respecting the following rule: 2000 <= fsGroupFromUser <= 3000
mutates a pod that does not specify the fsGroup so that is has fsGroup set to 2000

The policy can mutate incoming objects only when mustRunAs is specified.

Settings validation

At least one setting among mustRunAs, mayRunAs and runAsAny must be provided
Only one settings among mustRunAs, mayRunAs and runAsAny must be provided
Parameters that have ranges (such as mustRunAs and mayRunAs) must have an array as value. The array must have two values: minimum and maximum. The minimum value cannot be major than the maximum one

ereslibre commented 2 years ago

The policy is completed except for some test cases: https://github.com/ereslibre/psp-allowed-fsgroups

ereslibre commented 2 years ago

This policy is now complete, please @kubewarden/kubewarden-developers, review when you have some time.

viccuad commented 2 years ago

Could we do a PR against a kubewarden/psp-allowed-fsgroups repo generated from the template?

ereslibre commented 2 years ago

Could we do a PR against a kubewarden/psp-allowed-fsgroups repo generated from the template?

Hm, it's going to be a bit messy I think at this point. Do you have a recommendation on how to do that? I could produce a patch though by creating an empty project with cargo-generate and diffing them.

viccuad commented 2 years ago

Just realized, https://github.com/kubewarden/policy-rust-template is not a "template repo" as for example the go template is. It can be enabled on the rust template repo settings (I don't have perms). I was thinking on just clicking on creating a repo from the rust template.

Maybe it's worth it to port the new test approach to the rust template, and close the gaps there.

I'm happy just reviewing a PR by looking at the resulting files in the branch, instead of changes :/.

ereslibre commented 2 years ago

cargo generate is nicer than a bare GitHub template because it asks questions on generation and performs substitutions on the generated tree, so it's better in this case to not mark it as a GitHub template. That repo is only meant to be used with cargo-generate.

Nevertheless I'm going to do something and open a PR inside that repo in a sec.

ereslibre commented 2 years ago

https://github.com/kubewarden/psp-allowed-fsgroups/pull/1

kubewarden / policy-hub

Create PSP FSGroup #25

Configuration

Settings validation